lack of decodingStrategy field for ESO #2351

Closed
Woitekku opened this issue Nov 23, 2023 · 2 comments
@Woitekku

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.5.4
Kubernetes provider version: 2.23
Kubernetes version: 1.25 

Affected Resource(s)

kubernetes_manifest

Terraform Configuration Files

Debug Output

Panic Output

Steps to Reproduce

Expected Behavior

External Secret should be created with specific decoding strategy. Secret values in secret store can be already base64 encoded.
Doing secret via ESO results in double encoding.

This works well with plain yaml manifest.

Actual Behavior

The dataFrom block is missing decodingStrategy.
https://external-secrets.io/v0.5.8/guides-decoding-strategy/
"The decodingStrategy field allows the user to set the following Decoding Strategies based on their needs. decodingStrategy can be placed under spec.data.remoteRef, spec.dataFrom.extract or spec.dataFrom.find."

The proper configuration is present in manifest but is missing in object.

resource "kubernetes_manifest" "external_secret_secret" {
    manifest = {
        apiVersion = "external-secrets.io/v1alpha1"
        kind       = "ExternalSecret"
        metadata   = {
            name      = "mysecret"
            namespace = "mynamespace"
        }
        spec       = {
            dataFrom        = [
                {
                    decodingStrategy = "Base64" <<<<< HERE IT IS PRESENT
                    key              = "aws-mysecret"
                },
            ]
            refreshInterval = "1h0m0s"
            secretStoreRef  = {
                kind = "ClusterSecretStore"
                name = "awssecretsmanager"
            }
            target          = {
                creationPolicy = "Owner"
                name           = "mysecret"
            }
        }
    }
    object   = {
        apiVersion = "external-secrets.io/v1alpha1"
        kind       = "ExternalSecret"
        metadata   = {
            annotations                = null
            creationTimestamp          = null
            deletionGracePeriodSeconds = null
            deletionTimestamp          = null
            finalizers                 = null
            generateName               = null
            generation                 = null
            labels                     = null
            managedFields              = null
            name                       = "mysecret"
            namespace                  = "mynamespace"
            ownerReferences            = null
            resourceVersion            = null
            selfLink                   = null
            uid                        = null
        }
        spec       = {
            data            = null
            dataFrom        = [ <<< HERE IT IS MISSING
                {
                    conversionStrategy = null
                    key                = "aws-mysecret"
                    property           = null
                    version            = null
                },
            ]
            refreshInterval = "1h0m0s"
            secretStoreRef  = {
                kind = "ClusterSecretStore"
                name = "awssecretsmanager"
            }
            target          = {
                creationPolicy = "Owner"
                immutable      = null
                name           = "mysecret"
                template       = {
                    data          = null
                    engineVersion = null
                    metadata      = {
                        annotations = null
                        labels      = null
                    }
                    templateFrom  = null
                    type          = null
                }
            }
        }
    }
}

Important Factoids

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@Woitekku Woitekku added the bug label Nov 23, 2023
@arybolovlev
Contributor

Hi @Woitekku,

Here are a few things that I have learned while reproducing this issue.

  1. In the documentation you refer to it says decodingStrategy can be placed under spec.data.remoteRef, spec.dataFrom.extract or spec.dataFrom.find. In the provided config, you placed decodingStrategy under spec.dataFrom. If you apply this config, the controller will accept it but decodingStrategy will be ignored. Move it under spec.dataFrom.extract, for example:
...
    spec = {
      dataFrom = [
        {
          "extract" = {
            "decodingStrategy" = "Base64"
            "key"              = "remote-key-in-the-provider"
          }
        },
      ]
...
  2. Once you move decodingStrategy to the right place, Terraform will fail to apply this since external-secrets.io/v1alpha1 seems to be deprecated and you need to use external-secrets.io/v1beta1 instead, for example:
resource "kubernetes_manifest" "this" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"

I hope this helps.

Thanks.

@arybolovlev arybolovlev added question and removed bug labels Nov 27, 2023
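
A check for the failure discussed in this thread, as an added example that is not part of the issue or the provider's code: it walks the `manifest` and reports every field that is absent from, or different in, `object`. The two dictionaries are constructed from the values posted in the issue, and `dropped_fields` is a hypothetical helper name.

```python
# Added example: report manifest fields that did not survive into the object.
# MANIFEST and OBJECT are constructed from the values shown in this issue.
MANIFEST = {
    "apiVersion": "external-secrets.io/v1alpha1",
    "kind": "ExternalSecret",
    "metadata": {"name": "mysecret", "namespace": "mynamespace"},
    "spec": {
        "dataFrom": [{"decodingStrategy": "Base64", "key": "aws-mysecret"}],
        "refreshInterval": "1h0m0s",
        "secretStoreRef": {"kind": "ClusterSecretStore", "name": "awssecretsmanager"},
        "target": {"creationPolicy": "Owner", "name": "mysecret"},
    },
}

# Trimmed copy of the posted object: same fields, most null entries left out.
OBJECT = {
    "apiVersion": "external-secrets.io/v1alpha1",
    "kind": "ExternalSecret",
    "metadata": {"labels": None, "name": "mysecret", "namespace": "mynamespace"},
    "spec": {
        "data": None,
        "dataFrom": [{"conversionStrategy": None, "key": "aws-mysecret",
                      "property": None, "version": None}],
        "refreshInterval": "1h0m0s",
        "secretStoreRef": {"kind": "ClusterSecretStore", "name": "awssecretsmanager"},
        "target": {"creationPolicy": "Owner", "immutable": None, "name": "mysecret"},
    },
}


def dropped_fields(manifest, obj, path=""):
    """Return paths that are set in `manifest` but missing or changed in `obj`."""
    if isinstance(manifest, dict):
        if not isinstance(obj, dict):
            return [path]
        out = []
        for key, value in manifest.items():
            child = f"{path}.{key}" if path else key
            out += dropped_fields(value, obj[key], child) if key in obj else [child]
        return out
    if isinstance(manifest, list):
        if not isinstance(obj, list) or len(obj) < len(manifest):
            return [path]
        return [p for i, item in enumerate(manifest)
                for p in dropped_fields(item, obj[i], f"{path}[{i}]")]
    return [] if manifest == obj else [path]


if __name__ == "__main__":
    print(dropped_fields(MANIFEST, OBJECT))
```

Extra null-valued keys in `object` are ignored; only fields the manifest actually sets are checked.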
@Woitekku
Author

Hello @arybolovlev,

I did not expect that spec.dataFrom differs from spec.dataFrom.extract but you are right!
Setting manifest according to your notes solved the problem!

Many thanks, let's close this issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 27, 2024