Add example of how to handle secretKey values with 'illegal' names in golang templates.

Open TonyLovesDevOps opened this issue 2 years ago • 4 comments

Definitely the hardest part of my migration from kubernetes-external-secrets to ESO was changing all of my secret keys to pass golang template validation. The other aspect was the lack of isBinary: true for handling base64 encoded secret values.

This example would have helped me a lot! Hopefully it can help others.

TonyLovesDevOps avatar Aug 12 '22 21:08 TonyLovesDevOps

Kudos, SonarCloud Quality Gate passed!

  • 0 Bugs (rating A)
  • 0 Vulnerabilities (rating A)
  • 0 Security Hotspots (rating A)
  • 0 Code Smells (rating A)
  • No Coverage information
  • 0.0% Duplication

sonarqubecloud[bot] avatar Aug 12 '22 22:08 sonarqubecloud[bot]

Hey @TonyLovesDevOps and thanks for this addition! I'm wondering: from v0.5.8 (I think), we now support decoding strategies to external-secrets. They can be achieved by specifying:

spec:
  data:
  - secretKey: foo
    remoteRef:
      key: my-secret
      decodingStrategy: Base64

Docs to it are here: https://external-secrets.io/v0.5.9/guides-decoding-strategy/ Would that have helped you with your migration to KES?

If so, maybe we could create a page to help people migrating from KES to ESO? 😄 It could go under "guides" section

gusfcarvalho avatar Aug 13 '22 10:08 gusfcarvalho

> Hey @TonyLovesDevOps and thanks for this addition! I'm wondering: from v0.5.8 (I think), we now support decoding strategies to external-secrets. They can be achieved by specifying:
>
> spec:
>   data:
>   - secretKey: foo
>     remoteRef:
>       key: my-secret
>       decodingStrategy: Base64
>
> Docs to it are here: https://external-secrets.io/v0.5.9/guides-decoding-strategy/ Would that have helped you with your migration to KES?
>
> If so, maybe we could create a page to help people migrating from KES to ESO? 😄 It could go under "guides" section

Knowing about decodingStrategy definitely would have helped me! However, knowing how to work around handling - and . characters in templates would have saved me much more time; almost all of my secret keys are filenames so that was a big pain.

I did find the Upgrading from KES to ESO note in the FAQ but it wasn't so helpful; the binary only runs on linux and can't handle templates (understandably, given their complexity).

Do you think a standalone guide is the best way forward? One idea for how to proceed:

  1. Remove base64-specific stuff from this example so it focuses only on working around the "illegal" keys thing;
  2. Create a new guide for migrating from KES to ESO and
    1. Move the Upgrading from KES to ESO section to the new guide
    2. Add a link to this example for how to handle "illegal" keys
    3. Add a link to the decoding strategy page

TonyLovesDevOps avatar Aug 15 '22 15:08 TonyLovesDevOps
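
The `-` and `.` problem discussed above, shown with plain Go `text/template` as an added example (this is not the example file from this PR and not ESO's own code). It assumes secret keys are exposed to the template as a string map; the `render` helper, the sample keys and the `missingkey=error` option are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// render parses and executes tpl with the secret map as the root context (".").
// Assumption: missingkey=error is set so an unknown field fails instead of
// rendering a placeholder into the generated secret.
func render(tpl string, data map[string]string) (string, error) {
	t, err := template.New("secret").Option("missingkey=error").Parse(tpl)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample data: filename-style secret keys.
	data := map[string]string{
		"tls-cert.pem": "CERT-BYTES",
		"config.yaml":  "log: debug",
		"password":     "example-value",
	}
	cases := []string{
		`{{ .password }}`,              // plain identifier: works
		`{{ .tls-cert.pem }}`,          // '-' cannot appear in a field name: parse error
		`{{ .config.yaml }}`,           // read as .config then .yaml: execute error
		`{{ index . "tls-cert.pem" }}`, // index takes the key as a string: works
		`{{ index . "config.yaml" }}`,  // dots inside a quoted key are literal
		`{{ index . "typo.pem" }}`,     // caveat: missing key renders "" with no error
	}
	for _, c := range cases {
		out, err := render(c, data)
		fmt.Printf("%-32s -> %q, err=%v\n", c, out, err)
	}
}
```

The last case matters for review: `index` on a missing map key yields the zero value even with `missingkey=error`, so a mistyped key produces an empty secret value rather than a failed render.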

This pr is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] avatar Nov 14 '22 02:11 github-actions[bot]

@gusfcarvalho ping on my previous comment -- can you give some advice on how to proceed? I'd love to save others from the rigmarole that I went through handling filename-style secret keys.

TonyLovesDevOps avatar Nov 14 '22 12:11 TonyLovesDevOps

Hey, sorry for the delay, i'm gonna take a look at it later!

moolen avatar Nov 19 '22 09:11 moolen

> Remove base64-specific stuff from this example so it focuses only on working around the "illegal" keys thing;

Agree, that makes it more concise! It's really great that the error message is in the comments, that way users should be able to easily find it :+1: :100:

> Create a new guide for migrating from KES to ESO

For this other part i'd like to suggest to split it up and make a separate PR with that guide.

Looks all good, i'd be happy to merge this without the base64-related stuff and follow up with an extra PR with the guide :)

moolen avatar Nov 19 '22 18:11 moolen

@moolen thanks for the clarification. When I get some spare time (haha) I will update this PR as discussed.

TonyLovesDevOps avatar Nov 29 '22 14:11 TonyLovesDevOps

This pr is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] avatar Feb 28 '23 02:02 github-actions[bot]