Description
Describe the bug
In an ExternalSecret, the `target.immutable` field prevents the target Secret from being changed once it has been created.
Setting `target.creationPolicy` to `Orphan` allows the Secret to be created and updated, but leaves it in place when the parent ExternalSecret is deleted.
When `target.creationPolicy` is set to `Orphan` and `target.immutable` is set to `true`, the Secret is still updated the first time ESO syncs it; the immutable field is only taken into account on subsequent syncs.
To Reproduce
Steps to reproduce the behavior:
```yaml
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  name: example-password-generator
spec:
  length: 42
  digits: 5
  symbols: 5
  symbolCharacters: "-_$@"
  noUpper: false
  allowRepeat: true
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example-password-secret
spec:
  refreshInterval: "0m"
  target:
    name: example-secret
    immutable: true
    creationPolicy: Orphan
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Password
          name: "example-password-generator"
```
- On first apply, the Secret is created.
- Update the ExternalSecret (annotations, labels, etc.): the target Secret does not change because of the immutable flag.
- Delete the ExternalSecret: the target Secret is left in place due to the creationPolicy.
- Re-create the ExternalSecret: the target Secret is updated, ignoring the immutable flag.
Kubernetes version 1.28
ESO version 0.10.3
Expected behavior
I expect the secret to be created with a generated password only the first time the Secret is ever created, and even if the External Secret is deleted and re-applied the Secret should not be deleted or changed.
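The following is an added example that is not part of this issue and not ESO's own code: a small, hypothetical model of the reconcile decision that walks through the four reproduction steps above and applies the expected semantics, namely that an existing Secret marked immutable is never rewritten, whether or not the ExternalSecret that targets it has synced before. The `Target`, `Secret`, `Cluster` and `reconcile` names, the in-memory store and the constructed password values are all assumptions made for the model; the real operator works against the Kubernetes API.

```python
"""Hypothetical model of ExternalSecret -> Secret reconciliation (not ESO code).

Demonstrates the behaviour the report expects: with creationPolicy=Orphan and
immutable=true, deleting and re-creating the ExternalSecret must not overwrite
the orphaned Secret.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Target:
    """Subset of ExternalSecret.spec.target relevant to the report."""
    name: str
    immutable: bool = False
    creation_policy: str = "Owner"  # "Owner" or "Orphan" (other policies omitted)


@dataclass
class Secret:
    """Simplified Kubernetes Secret: data, immutable flag, optional owner."""
    name: str
    data: Dict[str, str]
    immutable: bool = False
    owner: Optional[str] = None  # name of the owning ExternalSecret, if any


class Cluster:
    """In-memory stand-in for the API server (assumption: no real cluster)."""

    def __init__(self) -> None:
        self.secrets: Dict[str, Secret] = {}

    def get(self, name: str) -> Optional[Secret]:
        return self.secrets.get(name)

    def put(self, secret: Secret) -> None:
        self.secrets[secret.name] = secret

    def delete_external_secret(self, es_name: str, target: Target) -> None:
        """Owner: garbage-collect the Secret. Orphan: keep it, drop the owner."""
        secret = self.secrets.get(target.name)
        if secret is None or secret.owner not in (es_name, None):
            return
        if target.creation_policy == "Owner":
            del self.secrets[target.name]
        elif target.creation_policy == "Orphan":
            secret.owner = None


def reconcile(cluster: Cluster, es_name: str, target: Target,
              generated: Dict[str, str]) -> str:
    """One sync. Returns 'created', 'updated' or 'skipped'."""
    existing = cluster.get(target.name)
    if existing is None:
        owner = es_name if target.creation_policy == "Owner" else None
        cluster.put(Secret(target.name, dict(generated),
                           immutable=target.immutable, owner=owner))
        return "created"
    # Expected semantics: decide from the state of the existing Secret, not from
    # whether this ExternalSecret object has synced before. An immutable Secret
    # (or an immutable target) is never rewritten.
    if existing.immutable or target.immutable:
        return "skipped"
    existing.data = dict(generated)
    return "updated"


def scenario() -> Tuple[List[str], str]:
    """Replays the reproduction steps; returns sync outcomes and final password."""
    cluster = Cluster()
    target = Target("example-secret", immutable=True, creation_policy="Orphan")
    es = "example-password-secret"
    events = []
    # Step 1: first apply creates the Secret (constructed generator output).
    events.append(reconcile(cluster, es, target, {"password": "first-value"}))
    # Step 2: a later sync yields a new generated value; immutable blocks it.
    events.append(reconcile(cluster, es, target, {"password": "second-value"}))
    # Step 3: delete the ExternalSecret; Orphan leaves the Secret behind.
    cluster.delete_external_secret(es, target)
    assert cluster.get("example-secret") is not None
    # Step 4: re-create the ExternalSecret; the Secret must still not change.
    events.append(reconcile(cluster, es, target, {"password": "third-value"}))
    return events, cluster.get("example-secret").data["password"]


if __name__ == "__main__":
    print(scenario())
```

Under the reporter's observed behaviour, step 4 would return `updated` and the password would become `third-value`; the model returns `skipped` and keeps the original value, which is the outcome the expected-behaviour section asks for.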