elastic · jen-huang · Mar 11, 2025 · Mar 12, 2025 · Mar 12, 2025 · Mar 12, 2025
diff --git a/...gin/fleet/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/fleet/30_secrets_post.yml b/...gin/fleet/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/fleet/30_secrets_post.yml
@@ -7,6 +7,16 @@
       fleet.delete_secret:
         id: $id
 
+---
+"Create Fleet Secret with multiple values":
+  - do:
+      fleet.post_secret:
+        body: '{"value": ["test secret 1", "test secret 2"]}'
+  - set:  { id: id }
+  - do:
+      fleet.delete_secret:
+        id: $id
+
 ---
 "Create secret fails for unprivileged user":
   - skip:

diff --git a/...ugin/fleet/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/fleet/40_secrets_get.yml b/...ugin/fleet/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/fleet/40_secrets_get.yml
@@ -18,6 +18,27 @@
       fleet.delete_secret:
         id: $id
 
+---
+"Get Fleet Secret with multiple values":
+  - do:
+      fleet.post_secret:
+        body: '{"value": ["test secret 1", "test secret 2"]}'
+  - set:  { id: id }
+  # search node needs to be available for fleet.get_secret to work in stateless.
+  # The `.fleet-secrets` index is created on demand, and its search replica starts out unassigned,
+  # so wait_for_no_uninitialized_shards can miss it.
+  - do:
+      cluster.health:
+        wait_for_active_shards: all
+  - do:
+      fleet.get_secret:
+        id: $id
+  - match: { id: $id }
+  - match: { value: ["test secret 1", "test secret 2"] }
+  - do:
+      fleet.delete_secret:
+        id: $id
+
 ---
 "Get non existent Fleet Secret":
   - do:

@@ -20,15 +20,15 @@
 public class GetSecretResponse extends ActionResponse implements ToXContentObject {
 
     private final String id;
-    private final String value;
+    private final Object value;
 
     public GetSecretResponse(StreamInput in) throws IOException {
         super(in);
-        id = in.readString();
-        value = in.readString();
+        this.id = in.readString();
+        this.value = in.readString();
-        this.value = in.readString();
+        if (in.readBoolean()) {
+            this.value = in.readString();
+        } else {
+            this.value = in.readStringArray();
+        }
-        this.value = in.readString();
+        if (in.readBoolean()) {
+            this.value = in.readString();
+        } else {
+            this.value = in.readStringArray();
+        }
     }
 
-    public GetSecretResponse(String id, String value) {
+    public GetSecretResponse(String id, Object value) {
         this.id = id;
         this.value = value;
     }
@@ -40,15 +40,24 @@ public String id() {
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(id);
-        out.writeString(value);
+        if (value instanceof String) {
+            out.writeString((String) value);
+        } else if (value instanceof String[]) {
+            out.writeStringArray((String[]) value);
+        }
     }
 
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
         builder.startObject();
         builder.field("id", id);
-        builder.field("value", value);
-        return builder.endObject();
+        if (value instanceof String) {
+            builder.field("value", (String) value);
+        } else if (value instanceof String[]) {
+            builder.field("value", (String[]) value);
+        }
+        builder.endObject();
+        return builder;
     }
 
     @Override

@@ -16,6 +16,7 @@
 import org.elasticsearch.xcontent.ParseField;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentParser;
+import org.elasticsearch.xcontent.XContentParser.Token;
 
 import java.io.IOException;
 import java.util.Objects;
@@ -27,26 +28,30 @@ public class PostSecretRequest extends ActionRequest {
     public static final ConstructingObjectParser<PostSecretRequest, Void> PARSER = new ConstructingObjectParser<>(
         "post_secret_request",
         args -> {
-            return new PostSecretRequest((String) args[0]);
+            return new PostSecretRequest(args[0]);
         }
     );
 
     static {
-        PARSER.declareField(
-            ConstructingObjectParser.optionalConstructorArg(),
-            (p, c) -> p.text(),
-            VALUE_FIELD,
-            ObjectParser.ValueType.STRING
-        );
+        PARSER.declareField(ConstructingObjectParser.optionalConstructorArg(), (p, c) -> {
+            Token token = p.currentToken();
+            if (token == XContentParser.Token.VALUE_STRING) {
+                return p.text();
+            } else if (token == XContentParser.Token.START_ARRAY) {
+                return p.list().stream().map(s -> (String) s).toArray(String[]::new);
+            } else {
+                throw new IllegalArgumentException("Unexpected token: " + token);
+            }
+        }, VALUE_FIELD, ObjectParser.ValueType.STRING_ARRAY);
     }
 
     public static PostSecretRequest fromXContent(XContentParser parser) throws IOException {
         return PARSER.parse(parser, null);
     }
 
-    private final String value;
+    private final Object value;
 
-    public PostSecretRequest(String value) {
+    public PostSecretRequest(Object value) {
         this.value = value;
     }
 
@@ -55,21 +60,29 @@ public PostSecretRequest(StreamInput in) throws IOException {
         this.value = in.readString();
     }
 
-    public String value() {
+    public Object value() {
         return value;
     }
 
     public XContentBuilder toXContent(XContentBuilder builder) throws IOException {
         builder.startObject();
-        builder.field(VALUE_FIELD.getPreferredName(), this.value);
+        if (value instanceof String) {
+            builder.field(VALUE_FIELD.getPreferredName(), (String) value);
+        } else if (value instanceof String[]) {
+            builder.field(VALUE_FIELD.getPreferredName(), (String[]) value);
+        }
         builder.endObject();
         return builder;
     }
 
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
-        out.writeString(value);
+        if (value instanceof String) {
+            out.writeString((String) value);
+        } else if (value instanceof String[]) {
+            out.writeStringArray((String[]) value);
+        }
     }
 
     @Override
@@ -80,6 +93,12 @@ public ActionRequestValidationException validate() {
             return exception;
         }
 
+        if ((this.value instanceof String == false) && (this.value instanceof String[] == false)) {
+            ActionRequestValidationException exception = new ActionRequestValidationException();
+            exception.addValidationError("value must be a string or an array of strings");
+            return exception;
+        }
+
         return null;
     }
 

@@ -18,6 +18,8 @@
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.transport.TransportService;
 
+import java.util.List;
+
 import static org.elasticsearch.xpack.core.ClientHelper.FLEET_ORIGIN;
 import static org.elasticsearch.xpack.fleet.Fleet.FLEET_SECRETS_INDEX_NAME;
 
@@ -36,7 +38,19 @@ protected void doExecute(Task task, GetSecretRequest request, ActionListener<Get
                 delegate.onFailure(new ResourceNotFoundException("No secret with id [" + request.id() + "]"));
                 return;
             }
-            delegate.onResponse(new GetSecretResponse(getResponse.getId(), getResponse.getSource().get("value").toString()));
+            Object value = getResponse.getSource().get("value");
+            if (value instanceof String) {
+                delegate.onResponse(new GetSecretResponse(getResponse.getId(), value.toString()));
+            } else if (value instanceof List) {
+                List<?> valueList = (List<?>) value;
+                if (valueList.stream().allMatch(item -> item instanceof String)) {
+                    delegate.onResponse(new GetSecretResponse(getResponse.getId(), valueList.toArray(new String[0])));
+                } else {
+                    delegate.onFailure(new IllegalArgumentException("Unexpected value type in list for id [" + request.id() + "]"));
+                }
+            } else {
+                delegate.onFailure(new IllegalArgumentException("Unexpected value type for id [" + request.id() + "]"));
+            }
         }));
     }
 }
diff --git a/...ugin/fleet/src/test/java/org/elasticsearch/xpack/fleet/action/PostSecretRequestTests.java b/...ugin/fleet/src/test/java/org/elasticsearch/xpack/fleet/action/PostSecretRequestTests.java
@@ -37,11 +37,26 @@ public void testValidateRequest() {
         assertNull(e);
     }
 
+    public void testValidateRequestWithMultiValue() {
+        String[] secrets = { "secret1", "secret2" };
+        PostSecretRequest req = new PostSecretRequest(secrets);
+        ActionRequestValidationException e = req.validate();
+        assertNull(e);
+    }
+
     public void testValidateRequestWithoutValue() {
         PostSecretRequest req = new PostSecretRequest((String) null);
         ActionRequestValidationException e = req.validate();
         assertNotNull(e);
         assertThat(e.validationErrors().size(), equalTo(1));
         assertThat(e.validationErrors().get(0), containsString("value is missing"));
     }
+
+    public void testValidateRequestWithInvalidValue() {
+        PostSecretRequest req = new PostSecretRequest(123);
+        ActionRequestValidationException e = req.validate();
+        assertNotNull(e);
+        assertThat(e.validationErrors().size(), equalTo(1));
+        assertThat(e.validationErrors().get(0), containsString("value must be a string or an array of strings"));
+    }
 }