Nested secrets in json format do not pass manifest test #604

Open
Bert-Proesmans opened this issue Jul 29, 2024 · 2 comments
Bert-Proesmans commented Jul 29, 2024

I threw this together quickly to showcase an issue I encountered with JSON unmarshalling (which happens throughout the process of staging/decrypting secrets data): https://go.dev/play/p/PQG4LcePXbA

The demo shows that a straightforward json object structure of

{
  "container": {
    "key": "value"
  }
}

is not properly parsed by the recurseSecretKey method when the target is a nested value ("container/key" in this case). The error thrown during the build of the sops-nix manifest derivation is of this form:

manifest is not valid: secret test_container/test_secret in <XXX> is not valid: key 'test_container' does not refer to a dictionary

It looks like map[interface{}]interface{} specifically is the issue, where my intuitive expectation would be to test for map[string]interface{}, like the type of 'currentData' just below.

The YAML format doesn't have this issue and passes the different type validations.
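The type mismatch described in this comment, as an added example that is not part of the issue and not sops-nix's own code. encoding/json decodes nested objects into map[string]interface{}, while gopkg.in/yaml.v2 decodes nested mappings into map[interface{}]interface{}; a key walker that type-asserts only the YAML shape will reject JSON input at the first nesting level with the "does not refer to a dictionary" error quoted above. NarrowLookup is a hypothetical reconstruction of that symptom (not the real recurseSecretKey), Lookup is a walker that accepts both map shapes, and yamlShaped is a hand-built stand-in for the yaml.v2 result so the example runs with the standard library only.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleJSON is a constructed document with one nested object, mirroring the
// shape from the issue. It is not taken from any real sops file.
const sampleJSON = `{"container": {"key": "value"}, "flat": "top"}`

// DecodeJSON decodes a document the way a generic loader would: the top level
// is a map[string]interface{} and, because nested values are decoded into
// interface{}, every nested object is also a map[string]interface{}.
func DecodeJSON(doc string) (map[string]interface{}, error) {
	var out map[string]interface{}
	if err := json.Unmarshal([]byte(doc), &out); err != nil {
		return nil, err
	}
	return out, nil
}

// NarrowLookup is a hypothetical reconstruction of the failure mode (assumed,
// not sops-nix's code): the top level is read as map[string]interface{}, but
// each nested level is only accepted as map[interface{}]interface{}, the type
// gopkg.in/yaml.v2 produces. JSON input therefore fails at the first nesting.
func NarrowLookup(top map[string]interface{}, path string) (interface{}, error) {
	parts := strings.Split(path, "/")
	current, ok := top[parts[0]]
	if !ok {
		return nil, fmt.Errorf("key '%s' not found", parts[0])
	}
	for i := 1; i < len(parts); i++ {
		dict, ok := current.(map[interface{}]interface{})
		if !ok {
			return nil, fmt.Errorf("key '%s' does not refer to a dictionary", parts[i-1])
		}
		next, ok := dict[parts[i]]
		if !ok {
			return nil, fmt.Errorf("key '%s' not found", strings.Join(parts[:i+1], "/"))
		}
		current = next
	}
	return current, nil
}

// Lookup walks a "/"-separated path and accepts both map shapes at every
// level, so the same walker works for JSON- and YAML-decoded data.
func Lookup(data interface{}, path string) (interface{}, error) {
	current := data
	parts := strings.Split(path, "/")
	for i, part := range parts {
		var next interface{}
		var ok bool
		switch m := current.(type) {
		case map[string]interface{}:
			next, ok = m[part]
		case map[interface{}]interface{}:
			next, ok = m[part] // string key is assignable to interface{}
		default:
			if i == 0 {
				return nil, fmt.Errorf("top level is not a dictionary")
			}
			return nil, fmt.Errorf("key '%s' does not refer to a dictionary", strings.Join(parts[:i], "/"))
		}
		if !ok {
			return nil, fmt.Errorf("key '%s' not found", strings.Join(parts[:i+1], "/"))
		}
		current = next
	}
	return current, nil
}

// yamlShaped is a hand-built stand-in for what gopkg.in/yaml.v2 returns for
// the same document (constructed here so the example needs no extra module).
func yamlShaped() map[string]interface{} {
	return map[string]interface{}{
		"container": map[interface{}]interface{}{"key": "value"},
		"flat":      "top",
	}
}

func main() {
	data, err := DecodeJSON(sampleJSON)
	if err != nil {
		panic(err)
	}
	_, err = NarrowLookup(data, "container/key")
	fmt.Println("narrow walker on JSON:", err)
	v, err := Lookup(data, "container/key")
	fmt.Println("tolerant walker on JSON:", v, err)
	v, err = Lookup(yamlShaped(), "container/key")
	fmt.Println("tolerant walker on YAML-shaped data:", v, err)
}
```

The narrow walker only trips on the nested level: a flat key like "flat" resolves fine from JSON, which matches the observation in this thread that flat dictionaries work while nested ones do not.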

Bert-Proesmans added a commit to Bert-Proesmans/nix that referenced this issue Aug 4, 2024
- Completed move backwards to yaml secrets
REF; Mic92/sops-nix#604

Bert-Proesmans commented Aug 5, 2024

Seems like #454 is en route to fix this issue.

EDIT: Also #328. Not sure how those PRs didn't pop up when I searched for causes.

@dezren39

Nested secrets render to /run/secrets for me, but when used in a template, the placeholder in the file that's made in /run/secrets-rendered doesn't resolve to the value. If I rework my YAML to be a flat dictionary, it works.
