external-secrets/docs/guides/datafrom-rewrite.md

# Rewriting Keys in DataFrom

When calling out an ExternalSecret with `dataFrom.extract` or `dataFrom.find`, it is possible that you end up with a kubernetes secret that has conflicts in the key names, or that you simply want to remove a common path from the secret keys.

In order to do so, it is possible to define a set of rewrite operations using `dataFrom.rewrite`. These operations can be stacked, hence allowing complex manipulations of the secret keys.

Rewrite operations are all applied before `ConversionStrategy` is applied.

## Methods

### Regexp
This method implements rewriting through the use of regular expressions. It needs a `source` and a `target` field. The source field is where the definition of the matching regular expression goes, where the `target` field is where the replacing expression goes.

Some considerations about the implementation of Regexp Rewrite:

1. The input of a subsequent rewrite operation are the outputs of the previous rewrite.
2. If a given set of keys do not match any Rewrite operation, there will be no error. Rather, the original keys will be used.
3. If a `source` is not a compilable `regexp` expression, an error will be produced and the external secret goes into a error state.

## Examples
### Removing a common path from find operations
The following ExternalSecret:
```yaml
{% include 'datafrom-rewrite-remove-path.yaml' %}
```
Will get all the secrets matching `path/to/my/secrets/*` and then rewrite them by removing the common path away.

In this example, if we had the following secrets available in the provider:
```
path/to/my/secrets/username
path/to/my/secrets/password
```
the output kubernetes secret would be:
```yaml
apiVersion: v1
kind: Secret
type: Opaque
data:
    username: ...
    password: ...
```
### Avoiding key collisions
The following ExternalSecret:
```yaml
{% include 'datafrom-rewrite-conflict.yaml' %}

```
Will allow two secrets with the same JSON keys to be imported into a Kubernetes Secret without any conflict.
In this example, if we had the following secrets available in the provider:
```json
{
    "my-secrets-dev": {
        "password": "bar",
     },
    "my-secrets-prod": {
        "password": "safebar",
     }
}
```
the output kubernetes secret would be:
```yaml
apiVersion: v1
kind: Secret
type: Opaque
data:
    dev_password: YmFy #bar
    prod_password: c2FmZWJhcg== #safebar
```

### Remove invalid characters
The following ExternalSecret:
```yaml
{% include 'datafrom-rewrite-invalid-characters.yaml' %}

```
Will remove invalid characters from the secret key.
In this example, if we had the following secrets available in the provider:
```json
{
    "development": {
        "foo/bar": "1111",
        "foo$baz": "2222"
    }
}
```
the output kubernetes secret would be:
```yaml
apiVersion: v1
kind: Secret
type: Opaque
data:
    foo_bar: MTExMQ== #1111
    foo_baz: MjIyMg== #2222
```

## Limitations

Regexp Rewrite is based on golang `regexp`, which in turns implements `RE2` regexp language. There a a series of known limitations to this implementation, such as:

* Lack of ability to do lookaheads or lookbehinds;
* Lack of negation expressions;
* Lack of support for conditional branches;
* Lack of support for possessive repetitions.

A list of compatibility and known limitations considering other commonly used regexp frameworks (such as PCRE and PERL) are listed [here](https://github.com/google/re2/wiki/Syntax).
✨Implements dataFrom key rewrite (#1381) * Implements dataFrom key rewrite Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com> * docs: add example to remove invalid characters Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Co-authored-by: Moritz Johner <beller.moritz@googlemail.com> 2022-08-04 18:24:02 +00:00			`# Rewriting Keys in DataFrom`

			When calling out an ExternalSecret with `dataFrom.extract` or `dataFrom.find`, it is possible that you end up with a kubernetes secret that has conflicts in the key names, or that you simply want to remove a common path from the secret keys.

			In order to do so, it is possible to define a set of rewrite operations using `dataFrom.rewrite`. These operations can be stacked, hence allowing complex manipulations of the secret keys.

			Rewrite operations are all applied before `ConversionStrategy` is applied.

			`## Methods`

			`### Regexp`
			This method implements rewriting through the use of regular expressions. It needs a `source` and a `target` field. The source field is where the definition of the matching regular expression goes, where the `target` field is where the replacing expression goes.

✨gitlab: getAllSecrets (#1681) * gitlab: getAllSecrets Signed-off-by: Dominik Zeiger <dominik@zeiger.biz> * Update pkg/provider/gitlab/gitlab.go Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> Signed-off-by: Dominik Zeiger <domizei385@users.noreply.github.com> Signed-off-by: Dominik Zeiger <dominik@zeiger.biz> * gitlab: added some test coverage Signed-off-by: Dominik Zeiger <dominik@zeiger.biz> Signed-off-by: Dominik Zeiger <dominik@zeiger.biz> Signed-off-by: Dominik Zeiger <domizei385@users.noreply.github.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2022-11-01 18:09:36 +00:00			`Some considerations about the implementation of Regexp Rewrite:`
✨Implements dataFrom key rewrite (#1381) * Implements dataFrom key rewrite Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com> * docs: add example to remove invalid characters Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Co-authored-by: Moritz Johner <beller.moritz@googlemail.com> 2022-08-04 18:24:02 +00:00
			`1. The input of a subsequent rewrite operation are the outputs of the previous rewrite.`
			`2. If a given set of keys do not match any Rewrite operation, there will be no error. Rather, the original keys will be used.`
			3. If a `source` is not a compilable `regexp` expression, an error will be produced and the external secret goes into a error state.

			`## Examples`
			`### Removing a common path from find operations`
			`The following ExternalSecret:`
			```yaml
			`{% include 'datafrom-rewrite-remove-path.yaml' %}`
			```
			Will get all the secrets matching `path/to/my/secrets/*` and then rewrite them by removing the common path away.

			`In this example, if we had the following secrets available in the provider:`
			```
			`path/to/my/secrets/username`
			`path/to/my/secrets/password`
			```
			`the output kubernetes secret would be:`
			```yaml
			`apiVersion: v1`
			`kind: Secret`
			`type: Opaque`
			`data:`
			`username: ...`
			`password: ...`
			```
			`### Avoiding key collisions`
			`The following ExternalSecret:`
			```yaml
			`{% include 'datafrom-rewrite-conflict.yaml' %}`

			```
			`Will allow two secrets with the same JSON keys to be imported into a Kubernetes Secret without any conflict.`
			`In this example, if we had the following secrets available in the provider:`
			```json
			`{`
			`"my-secrets-dev": {`
			`"password": "bar",`
			`},`
			`"my-secrets-prod": {`
			`"password": "safebar",`
			`}`
			`}`
			```
			`the output kubernetes secret would be:`
			```yaml
			`apiVersion: v1`
			`kind: Secret`
			`type: Opaque`
			`data:`
			`dev_password: YmFy #bar`
			`prod_password: c2FmZWJhcg== #safebar`
			```

			`### Remove invalid characters`
			`The following ExternalSecret:`
			```yaml
			`{% include 'datafrom-rewrite-invalid-characters.yaml' %}`

			```
			`Will remove invalid characters from the secret key.`
			`In this example, if we had the following secrets available in the provider:`
			```json
			`{`
			`"development": {`
			`"foo/bar": "1111",`
			`"foo$baz": "2222"`
			`}`
			`}`
			```
			`the output kubernetes secret would be:`
			```yaml
			`apiVersion: v1`
			`kind: Secret`
			`type: Opaque`
			`data:`
			`foo_bar: MTExMQ== #1111`
			`foo_baz: MjIyMg== #2222`
			```

			`## Limitations`

			Regexp Rewrite is based on golang `regexp`, which in turns implements `RE2` regexp language. There a a series of known limitations to this implementation, such as:

			`* Lack of ability to do lookaheads or lookbehinds;`
			`* Lack of negation expressions;`
Update guides-datafrom-rewrite.md for typo (#1491) Signed-off-by: Garrett Edwards <grrttedwards@users.noreply.github.com> Signed-off-by: Garrett Edwards <grrttedwards@users.noreply.github.com> 2022-08-27 07:48:30 +00:00			`* Lack of support for conditional branches;`
			`* Lack of support for possessive repetitions.`
✨Implements dataFrom key rewrite (#1381) * Implements dataFrom key rewrite Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com> * docs: add example to remove invalid characters Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Co-authored-by: Moritz Johner <beller.moritz@googlemail.com> 2022-08-04 18:24:02 +00:00
Update guides-datafrom-rewrite.md for typo (#1491) Signed-off-by: Garrett Edwards <grrttedwards@users.noreply.github.com> Signed-off-by: Garrett Edwards <grrttedwards@users.noreply.github.com> 2022-08-27 07:48:30 +00:00			`A list of compatibility and known limitations considering other commonly used regexp frameworks (such as PCRE and PERL) are listed [here](https://github.com/google/re2/wiki/Syntax).`