Allow Retrieval of PlainText ExternalSecret (no key value) In Container Spec

[lwooden]

Hey EX-Secrets Team,

I am currently trying to integrate AWS Secrets into our EKS Implementation.

I have a secret in AWS Secrets Manager that IS NOT a key/value pair. It is simply the plain-text representation of a private-key.

Secret Name
gmail-credentials-private-key

Secret Value (Plain-Text)
---BEGIN PRIVATE KEY----
ABC1234sksdjfdsjflkdjfkldjsf
---END PRIVATE KEY----

There is no key/value pair.

My External Secrets YML looks like this

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
name: gmail-pk-secret
spec:
backendType: secretsManager
dataFrom:
- arn:aws:secretsmanager:㊙️gmail-credentials-private-key

I am able to resolve the secret successfully based on this output:

k get es gmail-pk-secret
NAME LAST SYNC STATUS AGE
gmail-pk-secret 4s SUCCESS 35m

But when its time to grab this secret and inject into the pod I get this error. The config is expecting a "key" value. But I don't have one to give it:

Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(Deployment.spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef): missing required field "key" in io.k8s.api.core.v1.SecretKeySelector

Here is my. container spec (helm chart):

spec:
  serviceAccountName: a-service-account
  containers:
    {{- if eq .Release.Namespace "default"}}
    - name: service-internal
    {{ else }}
    - name: "service-internal-container-{{.Release.Namespace}}"
    {{- end }}
      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
      envFrom:
        - configMapRef:
            name: service-internal-env
      env:
        - name: GMAIL_CLIENT_PRIVATE_KEY
          valueFrom:
            secretKeyRef:
              name: gmail-pk-secret

[Flydiverny]

I'm not really following what exactly you are expecting?
secretKeyRef requires a key, this is k8s specification and outside of KES.
Did you inspect the generated secret to see if it results in what you you expected?
Don't use dataFrom like this, it is for generating secrets from an object, a plain string value would yield an empty secret.
If you use data you would specify the key, as required by KES spec and you would know what key to specify in your container spec.
It you check your KES pod logs you will probably see log warnings stating that your private key is not an json object or something.

[lwooden]

Thank you for taking the time to respond. Most of our values are stored in Secrets Manager as key/value pairs. From reading docs and testing this package handles this really well.

For example:

Secret Name: Some_DB_Stuff
'{
"Username": Foo,
"Password": Bar
}'

When creating the ExternalSecret for a JSON object, based on the docs, it would look something like this:

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: db_stuff
spec:
  backendType: secretsManager
  data:
    - key: some_db_stuff
      name: username 
    - key: some_db_stuff
      name: password 

But I have one secret that is stored in Secrets Manager that is not a key/value pair. It's just the name of the secret and the plain-text of a private key.
So it's not a JSON object with properties to pick from. That's why I tried using the dataFrom property because I don't have a key or name to grab from. So I'm saying "give me everything in this secret" which is just the plaintext.

I am trying to get that private key plaintext value out of Secrets Manager and use it as env in pod spec. But there is no key. Does that mean I can't get it using this package?

Maybe I'm doing something wrong but I tested a ton of different scenarios and read the docs front to back.

The docs say:

kubernetes-external-secrets supports both JSON objects ("Secret key/value" in the AWS console) or strings ("Plaintext" in the AWS console).

I'm trying to leverage the plaintext functionality but I'm not having success.

[Flydiverny]

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: db_stuff
spec:
  backendType: secretsManager
  data:
    - key: some_db_stuff
      name: username 
    - key: some_db_stuff
      name: password 

Will not extract username or password from some_db_stuff it will create a secret where the values are both set to the entire json payload of some_db_stuff.
What you are referring to requires you to specify the property value as well which will extract a given property from the secret value if its a JSON object (else fail).
So for any secret value that is not a JSON you do not specify any property field.

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
 name: db_stuff
spec:
 backendType: secretsManager
 data:
   - key: some_db_stuff
     name: entire_json
   - key: some_db_stuff
     name: just_the_password
     property: password 
   - key: /path/to/your/private/key
     name: key_name_in_resulting_secret

->

kind: secret
metadata:
  name: db_stuff
data:
  entire_json: <{ "Username": Foo, "Password": Bar }>
  just_the_password: <Bar>
  key_name_in_resulting_secret: <Plain string value>

[Flydiverny]

Looks like one section confused the property and name fields in the docs I made a PR to update that #574
The naming of these fields isn't the best but its what we have 😄