fix(azure)!: Unwraps the value returned from Azure Key vault (migration: "property: value" -> remove property selector) (#460)

Previously secret value was wrapped in an object { "value": <secret> } while now <secret> will be returned so KES features can be properly used

Author: Flydiverny

README.md

@@ -422,7 +422,6 @@ spec:
   data:
     - key: hello-service/credentials
       name: password
-      property: value
 ```
 
 Due to the way Azure handles binary files, you need to explicitly let the ExternalSecret know that the secret is binary.

lib/backends/azure-keyvault-backend.js

@@ -38,7 +38,7 @@ class AzureKeyVaultBackend extends KVBackend {
     if (keyOptions && keyOptions.isBinary) {
       return Buffer.from(secret.value, 'base64')
     }
-    return JSON.stringify(secret)
+    return secret.value
   }
 }
 

lib/backends/azure-keyvault-backend.test.js

@@ -15,13 +15,20 @@ describe('AzureKeyVaultBackend', () => {
   const secret = 'fakeSecretPropertyValue'
   const key = 'password'
   const keyVaultName = 'vault_name'
-  const quotedSecretValue = '"' + secret + '"'
+  const quotedSecretValueAsBase64 = Buffer.from(secret).toString('base64')
+
+  const azureSecret = {
+    properties: {},
+    value: secret,
+    name: key
+  }
 
   beforeEach(() => {
     credentialMock = sinon.mock()
     loggerMock = sinon.mock()
     credentialFactoryMock = sinon.fake.returns(credentialMock)
     clientMock = sinon.mock()
+    clientMock.getSecret = sinon.stub().returns(azureSecret)
     loggerMock.info = sinon.stub()
 
     azureKeyVaultBackend = new AzureKeyVaultBackend({
@@ -32,18 +39,38 @@ describe('AzureKeyVaultBackend', () => {
   })
 
   describe('_get', () => {
-    beforeEach(() => {
-      clientMock.getSecret = sinon.stub().returns(secret)
-    })
-
     it('returns secret property value', async () => {
       const secretPropertyValue = await azureKeyVaultBackend._get({
         key: key,
         specOptions: {
           keyVaultName: keyVaultName
         }
       })
-      expect(secretPropertyValue).equals(quotedSecretValue)
+      expect(secretPropertyValue).equals(secret)
+    })
+  })
+
+  describe('getSecretManifestData', () => {
+    it('returns secret property value', async () => {
+      const returnedData = await azureKeyVaultBackend.getSecretManifestData({
+        spec: {
+          backendType: 'vault',
+          keyVaultName: keyVaultName,
+          data: [{
+            key: key,
+            name: 'name-in-k8s'
+          }]
+        }
+      })
+
+      // First, we get the client...
+      sinon.assert.calledWith(azureKeyVaultBackend._keyvaultClient, { keyVaultName })
+
+      // ... then we fetch the secret ...
+      sinon.assert.calledWith(clientMock.getSecret, key)
+
+      // ... and expect to get the full proper value
+      expect(returnedData['name-in-k8s']).equals(quotedSecretValueAsBase64)
     })
   })
 })