Closed
Labels
good first issue (Good for newcomers), kind/bug (Categorizes issue or PR as related to a bug.)
Description
Describe the bug
When pushing secrets to AWS Secrets Manager with a PushSecret that has updatePolicy: IfNotExists, an AWS secret is not created at all if it does not exist. No error logs are generated. Without the updatePolicy: IfNotExists configuration the secret is created correctly.
To Reproduce
kubernetes version: 1.27.13, ESO version: 0.9.19
manifests:
apiVersion: v1
kind: Secret
metadata:
  name: test-secret-k8s
type: Opaque
data:
  password: {{ "test-password" | b64enc | quote }}

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws
spec:
  provider:
    aws:
      service: SecretsManager
      role: sample-role
      region: us-east-2

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: test-push-secret # Customisable
  namespace: test # Same of the SecretStores
spec:
  updatePolicy: IfNotExists
  refreshInterval: 10s # Refresh interval for which push secret will reconcile
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: aws
      kind: SecretStore
  selector:
    secret:
      name: test-secret-k8s # Source Kubernetes secret to be pushed
  data:
    - conversionStrategy: None
      match: # Source Kubernetes secret key to be pushed
        secretKey: password
        remoteRef:
          remoteKey: test-secret # Remote reference (where the secret is going to be pushed)
          property: password
      metadata:
        secretPushFormat: string

Expected behavior
A secret should be created in AWS Secrets Manager if it does not exist there.
Additional context
Inspecting the code, I believe the implementation of SecretExists for this provider contains a bug here. It returns true, nil in case the AWS secret was not found, resulting in no action. I believe it should return false, nil.
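The failure mode reported above, modelled as an added Go example (not code from the issue or from the external-secrets project): an existence check that answers true, nil for a missing secret makes an IfNotExists push skip creation without any error. The store type, describe, errNotFound and all function names are hypothetical, and the in-memory map stands in for AWS Secrets Manager.

```go
package main

import (
	"errors"
	"fmt"
)

// errNotFound stands in for AWS Secrets Manager's ResourceNotFoundException (constructed).
var errNotFound = errors.New("ResourceNotFoundException")

type store map[string]string // hypothetical in-memory stand-in for the remote store
func (s store) describe(key string) error {
	if _, ok := s[key]; !ok {
		return errNotFound
	}
	return nil
}

// secretExistsBuggy models the reported behaviour: not found is answered with true, nil.
func secretExistsBuggy(s store, key string) (bool, error) {
	err := s.describe(key)
	if errors.Is(err, errNotFound) {
		return true, nil
	}
	return err == nil, err
}

// secretExistsFixed answers false, nil for not found; other errors propagate.
func secretExistsFixed(s store, key string) (bool, error) {
	err := s.describe(key)
	if errors.Is(err, errNotFound) {
		return false, nil
	}
	return err == nil, err
}

// pushIfNotExists models updatePolicy: IfNotExists and reports whether it wrote.
func pushIfNotExists(s store, key, val string, exists func(store, string) (bool, error)) (bool, error) {
	found, err := exists(s, key)
	if err != nil || found {
		return false, err
	}
	s[key] = val
	return true, nil
}

func main() {
	fmt.Println(pushIfNotExists(store{}, "test-secret", "constructed-value", secretExistsBuggy)) // false <nil>
	fmt.Println(pushIfNotExists(store{}, "test-secret", "constructed-value", secretExistsFixed)) // true <nil>
}
```

With the corrected check, a second push to the same key is still skipped, so IfNotExists never overwrites an existing remote secret.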