Skip to content

fix: Support for Non-json secret fetched from Delinea SecretServer#4743

Merged
gusfcarvalho merged 23 commits intoexternal-secrets:mainfrom
DelineaSahilWankhede:main
May 20, 2025
Merged

fix: Support for Non-json secret fetched from Delinea SecretServer#4743
gusfcarvalho merged 23 commits intoexternal-secrets:mainfrom
DelineaSahilWankhede:main

Conversation

@DelineaSahilWankhede
Copy link
Copy Markdown
Contributor

@DelineaSahilWankhede DelineaSahilWankhede commented May 5, 2025
edited
Loading

Problem Statement

External Secrets Operator currently assumes secret template data is always in JSON format. This limitation prevents users from creating secrets with non-JSON templates such as plain text, shell scripts, or configuration formats (e.g., INI, YAML).
What is the problem you're trying to solve?

Proposed Changes

  • Added support for handling non-JSON secret templates in templating logic.
  • Introduced new behavior to detect whether the template is JSON, and fallback gracefully to plain string substitution if not.
  • This change enables more flexible use of templated secrets without requiring users to structure them strictly as JSON.
  • Ensured backward compatibility with existing JSON-based workflows.

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

@DelineaSahilWankhede
fix: Support for Non-json secret fetched from Delinea SecretServer
7086cdd 
This commit enhances the Delinea Secret Server provider to support secrets created using custom templates that contain only a single non-JSON field.

Previously, the provider assumed that `Items[0].ItemValue` always contained a JSON object. This caused failures when the value was plain text (as is common in single-field custom templates).

The updated logic introduces a hybrid strategy:
- If `Items[0].ItemValue` exists and is a valid JSON string, it uses GJSON to extract the desired property.
- If not, it falls back to a flattened map lookup using `fieldName` and `slug` to locate the value directly in the Fields array.

This ensures compatibility with both:
- Legacy structured secrets (nested JSON within `ItemValue`)
- Simpler templates where `ItemValue` is plain text (e.g. `"value": "abc123"`)

This fix improves interoperability with a wider range of Delinea secret templates without breaking compatibility with existing ones.

Tested with:
- Single-field plaintext custom templates
- Multi-field secrets with JSON-encoded values
- Empty or missing properties (returns full object)

Signed-off-by: DelineaSahilWankhede <161290557+DelineaSahilWankhede@users.noreply.github.com>
@DelineaSahilWankhede
Update client_test.go
82bc8c2 
Added test cases for Non-JSON secret and Malformed JSON secret

Signed-off-by: DelineaSahilWankhede <161290557+DelineaSahilWankhede@users.noreply.github.com>
@DelineaSahilWankhede
Merge pull request #1 from DelineaSahilWankhede/DelineaSahilWankhede-…
6224358 
…patch-1

fix: Support for Non-json secret fetched from Delinea SecretServer
@DelineaSahilWankhede
Merge branch 'external-secrets:main' into main
97b19bf
@DelineaSahilWankhede DelineaSahilWankhede requested a review from a team as a code owner May 5, 2025 14:09
@DelineaSahilWankhede
Merge branch 'main' into main
2e454c1
@DelineaSahilWankhede
Update secretserver.md
e9c400c 
Signed-off-by: DelineaSahilWankhede <161290557+DelineaSahilWankhede@users.noreply.github.com>
@DelineaSahilWankhede
Merge branch 'main' into main
3086249
@DelineaSahilWankhede
Remove test for malformed json secret
d93a103 
Signed-off-by: DelineaSahilWankhede <161290557+DelineaSahilWankhede@users.noreply.github.com>
@DelineaSahilWankhede
Update unit test cases in client_test.go
736d56b 
Signed-off-by: DelineaSahilWankhede <161290557+DelineaSahilWankhede@users.noreply.github.com>
@DelineaSahilWankhede
Merge branch 'main' into main
ab094a2
@DelineaSahilWankhede
Merge branch 'main' into main
c97eebe
@DelineaSahilWankhede
Update client_test.go
7adb01a 
Signed-off-by: DelineaSahilWankhede <161290557+DelineaSahilWankhede@users.noreply.github.com>
gusfcarvalho
gusfcarvalho reviewed May 8, 2025
View reviewed changes
@DelineaSahilWankhede
Updated comment in client.go
906f4ce 
Signed-off-by: DelineaSahilWankhede <161290557+DelineaSahilWankhede@users.noreply.github.com>
gusfcarvalho
gusfcarvalho reviewed May 12, 2025
View reviewed changes
@gusfcarvalho
Copy link
Copy Markdown
Member

gusfcarvalho commented May 12, 2025

hi @DelineaSahilWankhede . We also need to add a noSecretError test. This has no coverage as of yet.

@DelineaSahilWankhede
Update client_test.go
e7c91b2 
Signed-off-by: DelineaSahilWankhede <161290557+DelineaSahilWankhede@users.noreply.github.com>
@DelineaSahilWankhede
Merge branch 'main' into main
b354144
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented May 20, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@gusfcarvalho gusfcarvalho merged commit 8debc0e into external-secrets:main May 20, 2025
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gusfcarvalho gusfcarvalho gusfcarvalho approved these changes

@moolen moolen Awaiting requested review from moolen moolen was automatically assigned from external-secrets/maintainers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DelineaSahilWankhede @gusfcarvalho