feat: Added support for templates in external secrets (#5874)

* feat: Added support for templates in external secrets

* renamed dataFrom to esoDataFrom

* deployment history data fixed

* deployment history data diff view fixed

* added validations and const

* renamed EsoData to ESOData

* chore: updated []json.RawMessage to json.RawMessage

* feat: updated validations

Author: Ash-exp

api/appbean/AppDetail.go

@@ -179,9 +179,10 @@ type Secret struct {
 }
 
 type ConfigMapSecretDataVolumeUsageConfig struct {
-	MountPath      string `json:"mountPath"`
-	SubPath        bool   `json:"subPath"`
-	FilePermission string `json:"filePermission"`
+	MountPath      string   `json:"mountPath"`
+	SubPath        bool     `json:"subPath"`
+	FilePermission string   `json:"filePermission"`
+	ESOSubPath     []string `json:"esoSubPath"`
 }
 
 type ExternalSecret struct {

api/bean/ConfigMapAndSecret.go

@@ -54,6 +54,7 @@ type ConfigSecretMap struct {
 	RoleARN        string          `json:"roleARN"`
 	SecretData     json.RawMessage `json:"secretData,omitempty"`
 	SubPath        bool            `json:"subPath"`
+	ESOSubPath     []string        `json:"esoSubPath"`
 	FilePermission string          `json:"filePermission"`
 }
 
@@ -70,7 +71,7 @@ func (configSecretJson *ConfigSecretJson) SetReferencedSecrets(secrets []ConfigS
 	configSecretJson.Secrets = util.GetReferencedArray(secrets)
 }
 
-func (ConfigSecretRootJson) GetTransformedDataForSecretData(data string, mode util.SecretTransformMode) (string, error) {
+func GetTransformedDataForSecretData(data string, mode util.SecretTransformMode) (string, error) {
 	secretsJson := ConfigSecretRootJson{}
 	err := json.Unmarshal([]byte(data), &secretsJson)
 	if err != nil {

api/restHandler/CoreAppRestHandler.go

@@ -891,7 +891,7 @@ func (handler CoreAppRestHandlerImpl) buildAppConfigMaps(appId int, envId int, c
 			}
 			var dataObj map[string]interface{}
 			if data != nil {
-				err := json.Unmarshal([]byte(data), &dataObj)
+				err := json.Unmarshal(data, &dataObj)
 				if err != nil {
 					handler.logger.Errorw("service err, un-marshaling of data fail in config map", "err", err, "appId", appId)
 					return nil, err, http.StatusInternalServerError
@@ -1041,6 +1041,7 @@ func (handler CoreAppRestHandlerImpl) buildAppSecrets(appId int, envId int, secr
 				globalSecret.DataVolumeUsageConfig = &appBean.ConfigMapSecretDataVolumeUsageConfig{
 					SubPath:        secret.SubPath,
 					FilePermission: secret.FilePermission,
+					ESOSubPath:     secret.ESOSubPath,
 				}
 				considerGlobalDefaultData := envId > 0 && secret.Data == nil
 				if considerGlobalDefaultData {
@@ -1486,6 +1487,7 @@ func (handler CoreAppRestHandlerImpl) createGlobalSecrets(appId int, userId int3
 			secretData.MountPath = dataVolumeUsageConfig.MountPath
 			secretData.SubPath = dataVolumeUsageConfig.SubPath
 			secretData.FilePermission = dataVolumeUsageConfig.FilePermission
+			secretData.ESOSubPath = dataVolumeUsageConfig.ESOSubPath
 		}
 
 		if secret.IsExternal {
@@ -1989,6 +1991,7 @@ func (handler CoreAppRestHandlerImpl) createEnvSecret(appId int, userId int32, e
 			secretData.MountPath = secretOverrideDataVolumeUsageConfig.MountPath
 			secretData.SubPath = secretOverrideDataVolumeUsageConfig.SubPath
 			secretData.FilePermission = secretOverrideDataVolumeUsageConfig.FilePermission
+			secretData.ESOSubPath = secretOverrideDataVolumeUsageConfig.ESOSubPath
 		}
 		var secretDataRequest []*bean2.ConfigData
 		secretDataRequest = append(secretDataRequest, secretData)

pkg/appClone/AppCloneService.go

@@ -556,6 +556,7 @@ func (impl *AppCloneServiceImpl) configDataClone(cfData []*bean3.ConfigData) []*
 			ExternalSecretType: refdata.ExternalSecretType,
 			FilePermission:     refdata.FilePermission,
 			SubPath:            refdata.SubPath,
+			ESOSubPath:         refdata.ESOSubPath,
 		}
 		copiedData = append(copiedData, data)
 	}

pkg/bean/configSecretData.go

@@ -19,6 +19,7 @@ package bean
 import (
 	"encoding/json"
 	"github.com/devtron-labs/devtron/util"
+	"strings"
 )
 
 type ConfigList struct {
@@ -29,6 +30,7 @@ type SecretList struct {
 	ConfigData []*ConfigData `json:"secrets"`
 }
 
+// TODO refactoring: duplicate struct of ConfigData in ConfigMapBean.go
 type ConfigData struct {
 	Name                  string           `json:"name"`
 	Type                  string           `json:"type"`
@@ -45,9 +47,14 @@ type ConfigData struct {
 	DefaultESOSecretData  ESOSecretData    `json:"defaultESOSecretData,omitempty"`
 	RoleARN               string           `json:"roleARN"`
 	SubPath               bool             `json:"subPath"`
+	ESOSubPath            []string         `json:"esoSubPath"`
 	FilePermission        string           `json:"filePermission"`
 }
 
+func (c *ConfigData) IsESOExternalSecretType() bool {
+	return strings.HasPrefix(c.ExternalSecretType, "ESO")
+}
+
 type ExternalSecret struct {
 	Key      string `json:"key"`
 	Name     string `json:"name"`
@@ -58,8 +65,10 @@ type ExternalSecret struct {
 type ESOSecretData struct {
 	SecretStore     json.RawMessage `json:"secretStore,omitempty"`
 	SecretStoreRef  json.RawMessage `json:"secretStoreRef,omitempty"`
-	EsoData         []ESOData       `json:"esoData"`
+	ESOData         []ESOData       `json:"esoData"`
 	RefreshInterval string          `json:"refreshInterval,omitempty"`
+	ESODataFrom     json.RawMessage `json:"esoDataFrom,omitempty"`
+	Template        json.RawMessage `json:"template,omitempty"`
 }
 
 type ESOData struct {
@@ -68,7 +77,7 @@ type ESOData struct {
 	Property  string `json:"property,omitempty"`
 }
 
-func (ConfigData) GetTransformedDataForSecretData(data string, mode util.SecretTransformMode) (string, error) {
+func GetTransformedDataForSecretData(data string, mode util.SecretTransformMode) (string, error) {
 	secretDataMap := make(map[string]*ConfigData)
 	err := json.Unmarshal([]byte(data), &secretDataMap)
 	if err != nil {

pkg/pipeline/ConfigMapService.go

@@ -487,8 +487,6 @@ func (impl ConfigMapServiceImpl) CMEnvironmentFetch(appId int, envId int) (*bean
 			item.DefaultMountPath = item.MountPath
 			item.Data = nil
 			item.MountPath = ""
-			item.SubPath = item.SubPath
-			item.FilePermission = item.FilePermission
 			configDataRequest.ConfigData = append(configDataRequest.ConfigData, item)
 		}
 	}
@@ -580,6 +578,7 @@ func (impl ConfigMapServiceImpl) CSGlobalAddUpdate(configMapRequest *bean.Config
 				item.ExternalSecret = configData.ExternalSecret
 				item.RoleARN = configData.RoleARN
 				item.SubPath = configData.SubPath
+				item.ESOSubPath = configData.ESOSubPath
 				item.FilePermission = configData.FilePermission
 			}
 			configs = append(configs, item)
@@ -736,6 +735,7 @@ func (impl ConfigMapServiceImpl) CSEnvironmentAddUpdate(configMapRequest *bean.C
 				item.ExternalSecret = configData.ExternalSecret
 				item.RoleARN = configData.RoleARN
 				item.SubPath = configData.SubPath
+				item.ESOSubPath = configData.ESOSubPath
 				item.FilePermission = configData.FilePermission
 				found = true
 			}
@@ -873,16 +873,16 @@ func (impl ConfigMapServiceImpl) CSEnvironmentFetch(appId int, envId int) (*bean
 				item.DefaultExternalSecret = item.ExternalSecret
 			}
 			item.DefaultESOSecretData = item.ESOSecretData
-			item.ESOSecretData.EsoData = nil
+			item.ESOSecretData.ESOData = nil
 			item.ESOSecretData.SecretStore = nil
+			item.ESOSecretData.ESODataFrom = nil
+			item.ESOSecretData.Template = nil
 			item.ESOSecretData.SecretStoreRef = nil
 			item.ESOSecretData.RefreshInterval = ""
 			item.DefaultMountPath = item.MountPath
 			item.Data = nil
 			item.ExternalSecret = nil
 			item.MountPath = ""
-			item.SubPath = item.SubPath
-			item.FilePermission = item.FilePermission
 			configDataRequest.ConfigData = append(configDataRequest.ConfigData, item)
 		}
 	}
@@ -1455,7 +1455,24 @@ func (impl ConfigMapServiceImpl) validateConfigDataForSecretsOnly(configData *be
 		if err != nil {
 			impl.logger.Errorw("error in decoding secret data", "error", err)
 			return false, util.NewApiError().WithHttpStatusCode(http.StatusUnprocessableEntity).WithCode(strconv.Itoa(http.StatusUnprocessableEntity)).
-				WithUserMessage("error in decoding data, make sure the secret data is encoded properly")
+				WithUserMessage("error in decoding data, make sure the secret data is encoded properly").
+				WithInternalMessage("error in decoding data, make sure the secret data is encoded properly")
+		}
+	}
+	if configData.IsESOExternalSecretType() {
+		if !configData.External {
+			return false, util.NewApiError().WithHttpStatusCode(http.StatusBadRequest).WithCode(strconv.Itoa(http.StatusBadRequest)).
+				WithUserMessage(fmt.Sprintf("external flag should be true for '%s' secret type", configData.ExternalSecretType)).
+				WithInternalMessage(fmt.Sprintf("external flag should be true for '%s' secret type", configData.ExternalSecretType))
+		}
+		if configData.ESOSecretData.ESODataFrom == nil && configData.ESOSecretData.ESOData == nil {
+			return false, util.NewApiError().WithHttpStatusCode(http.StatusBadRequest).WithCode(strconv.Itoa(http.StatusBadRequest)).
+				WithUserMessage("both esoSecretData.esoDataFrom and esoSecretData.esoData can't be empty").
+				WithInternalMessage("both esoSecretData.esoDataFrom and esoSecretData.esoData can't be empty")
+		} else if configData.ESOSecretData.SecretStore == nil && configData.ESOSecretData.SecretStoreRef == nil {
+			return false, util.NewApiError().WithHttpStatusCode(http.StatusBadRequest).WithCode(strconv.Itoa(http.StatusBadRequest)).
+				WithUserMessage("both esoSecretData.secretStore and esoSecretData.secretStoreRef can't be empty").
+				WithInternalMessage("both esoSecretData.secretStore and esoSecretData.secretStoreRef can't be empty")
 		}
 	}
 	return true, nil

pkg/pipeline/bean/ConfigMapBean.go

@@ -18,6 +18,7 @@ package bean
 
 import (
 	"encoding/json"
+	"strings"
 )
 
 type ConfigDataRequest struct {
@@ -31,8 +32,10 @@ type ConfigDataRequest struct {
 type ESOSecretData struct {
 	SecretStore     json.RawMessage `json:"secretStore,omitempty"`
 	SecretStoreRef  json.RawMessage `json:"secretStoreRef,omitempty"`
-	EsoData         []ESOData       `json:"esoData,omitempty"`
+	ESOData         []ESOData       `json:"esoData,omitempty"`
 	RefreshInterval string          `json:"refreshInterval,omitempty"`
+	ESODataFrom     json.RawMessage `json:"esoDataFrom,omitempty"`
+	Template        json.RawMessage `json:"template,omitempty"`
 }
 
 type ESOData struct {
@@ -57,9 +60,15 @@ type ConfigData struct {
 	DefaultExternalSecret []ExternalSecret `json:"defaultSecretData,omitempty"`
 	RoleARN               string           `json:"roleARN"`
 	SubPath               bool             `json:"subPath"`
+	ESOSubPath            []string         `json:"esoSubPath"`
 	FilePermission        string           `json:"filePermission"`
 	Overridden            bool             `json:"overridden"`
 }
+
+func (c *ConfigData) IsESOExternalSecretType() bool {
+	return strings.HasPrefix(c.ExternalSecretType, "ESO")
+}
+
 type ExternalSecret struct {
 	Key      string `json:"key"`
 	Name     string `json:"name"`

pkg/pipeline/history/ConfigMapHistoryService.go

@@ -20,7 +20,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"strings"
+	globalUtil "github.com/devtron-labs/devtron/util"
 	"time"
 
 	"github.com/devtron-labs/devtron/internal/sql/repository/chartConfig"
@@ -490,7 +490,7 @@ func (impl ConfigMapHistoryServiceImpl) GetHistoryForDeployedCMCSById(ctx contex
 		SubPath:        &config.SubPath,
 		FilePermission: config.FilePermission,
 		CodeEditorValue: &HistoryDetailConfig{
-			DisplayName:      "Data",
+			DisplayName:      DataDisplayName,
 			Value:            string(config.Data),
 			VariableSnapshot: variableSnapshotMap,
 			ResolvedValue:    resolvedTemplate,
@@ -521,13 +521,27 @@ func (impl ConfigMapHistoryServiceImpl) GetHistoryForDeployedCMCSById(ctx contex
 		}
 		historyDto.ExternalSecretType = config.ExternalSecretType
 		historyDto.RoleARN = config.RoleARN
+		historyDto.ESOSubPath = config.ESOSubPath
 		if config.External {
-			externalSecretData, err := json.Marshal(config.ExternalSecret)
-			if err != nil {
-				impl.logger.Errorw("error in marshaling external secret data", "err", err)
-			}
-			if len(externalSecretData) > 0 {
-				historyDto.CodeEditorValue.Value = string(externalSecretData)
+			if config.ExternalSecretType == globalUtil.KubernetesSecret {
+				externalSecretData, err := json.Marshal(config.ExternalSecret)
+				if err != nil {
+					impl.logger.Errorw("error in marshaling external secret data", "err", err)
+				}
+				if len(externalSecretData) > 0 {
+					historyDto.CodeEditorValue.DisplayName = ExternalSecretDisplayName
+					historyDto.CodeEditorValue.Value = string(externalSecretData)
+				}
+			} else if config.IsESOExternalSecretType() {
+				externalSecretDataBytes, jErr := json.Marshal(config.ESOSecretData)
+				if jErr != nil {
+					impl.logger.Errorw("error in marshaling eso secret data", "esoSecretData", config.ESOSecretData, "err", jErr)
+					return nil, jErr
+				}
+				if len(externalSecretDataBytes) > 0 {
+					historyDto.CodeEditorValue.DisplayName = ESOSecretDataDisplayName
+					historyDto.CodeEditorValue.Value = string(externalSecretDataBytes)
+				}
 			}
 		}
 	}
@@ -593,7 +607,7 @@ func (impl ConfigMapHistoryServiceImpl) ConvertConfigDataToComponentLevelDto(con
 		SubPath:        &config.SubPath,
 		FilePermission: config.FilePermission,
 		CodeEditorValue: &HistoryDetailConfig{
-			DisplayName: "Data",
+			DisplayName: DataDisplayName,
 			Value:       string(config.Data),
 		},
 	}
@@ -623,22 +637,27 @@ func (impl ConfigMapHistoryServiceImpl) ConvertConfigDataToComponentLevelDto(con
 		}
 		historyDto.ExternalSecretType = config.ExternalSecretType
 		historyDto.RoleARN = config.RoleARN
+		historyDto.ESOSubPath = config.ESOSubPath
 		if config.External {
 			var externalSecretData []byte
-			if strings.HasPrefix(config.ExternalSecretType, "ESO") {
+			displayName := historyDto.CodeEditorValue.DisplayName
+			if config.IsESOExternalSecretType() {
+				displayName = ESOSecretDataDisplayName
 				externalSecretData, err = json.Marshal(config.ESOSecretData)
 				if err != nil {
 					impl.logger.Errorw("error in marshaling external secret data", "err", err)
 					return nil, err
 				}
 			} else {
+				displayName = ExternalSecretDisplayName
 				externalSecretData, err = json.Marshal(config.ExternalSecret)
 				if err != nil {
 					impl.logger.Errorw("error in marshaling external secret data", "err", err)
 					return nil, err
 				}
 			}
 			if len(externalSecretData) > 0 {
+				historyDto.CodeEditorValue.DisplayName = displayName
 				historyDto.CodeEditorValue.Value = string(externalSecretData)
 			}
 		}

pkg/pipeline/history/bean.go

@@ -72,6 +72,7 @@ type HistoryDetailDto struct {
 	ExternalSecretType string               `json:"externalType,omitempty"`
 	RoleARN            string               `json:"roleARN,omitempty"`
 	SubPath            *bool                `json:"subPath,omitempty"`
+	ESOSubPath         []string             `json:"esoSubPath,omitempty"`
 	FilePermission     string               `json:"filePermission,omitempty"`
 	CodeEditorValue    *HistoryDetailConfig `json:"codeEditorValue"`
 	SecretViewAccess   bool                 `json:"secretViewAccess"` // this is being used to check whether a user can see obscured secret values or not.
@@ -84,6 +85,12 @@ type HistoryDetailConfig struct {
 	ResolvedValue    string            `json:"resolvedValue"`
 }
 
+const (
+	DataDisplayName           = "Data"
+	ESOSecretDataDisplayName  = "ESO Secret Data"
+	ExternalSecretDisplayName = "External Secret Data"
+)
+
 //history components(deployment template, configMaps, secrets, pipeline strategy) components below
 
 type ConfigMapAndSecretHistoryDto struct {