Support labels/annotations (all or by regexp/list) being ignored and not trigger update.

[angelh-kr]

Is your feature request related to a problem? Please describe.
Using eso with flux, gcp config sync or any similar solution causes external secrets to be updated even when no changes are made to the resource because some annotation (like the git ref) is maintained as an annotation/label.

This is especially problematic when using generators like webhook or password.
Webhook is being invoked, or password refreshed with every commit.

Describe the solution you'd like
Add an annotation or spec to control the behavior: Which annotations or labels can trigger an update.
It could be at controller level, or per external secret.

Describe alternatives you've considered

Additional context
I'm forced to leverage immutable secrets, making impossible to have any interval refresh.
And facing problems if secret name needs to be constant (cannot change) with the normal issues around immutable secrets deletion and reuse of the same name.
Right now my solution is using eso to create the secret with a suffix that changes if we need to recreate it, and reflector (other controller) to mirror it to the standard name (without suffix)

[thesuperzapper]

@angelh-kr I'm not sure if it solves your problem, but after #4086, when refreshInterval is set to 0, we actually will never re-sync the ExternalSecret unless the target secret is deleted or has its data field updated, but we ignore the annotations/label updates on the ES and target secret.

[alexremn]

@thesuperzapper good day!

As far as i discovered, when refreshInterval is set to 0, even with ES data field being updated, re-sync is not happening anymore. Is it expected?
So seems like refreshInterval now disabling whole sync.

Upd: also, updating target secret is not triggering re-sync as well. ES version: v0.12.1.

[selecsosi]

@thesuperzapper good day!

As far as i discovered, when refreshInterval is set to 0, even with ES data field being updated, re-sync is not happening anymore. Is it expected? So seems like refreshInterval now disabling whole sync.

Upd: also, updating target secret is not triggering re-sync as well. ES version: v0.12.1.

This is the experience we are seeing recently upgrading from the 0.10.X series.

This is kind of a "very intended" use case where you want no automatic refresh and only to manually trigger a resync via a deployment job that annotates the ES resource.

Would love some guidance here on what to do for us to resume the original https://external-secrets.io/v0.13.0/introduction/faq/#can-i-manually-trigger-a-secret-refresh

[thesuperzapper]

@selecsosi currently, the only way to force a refresh of a Secret when refreshInterval is 0 is to make the target secret invalid.

You can do this in one of the following ways:

1. delete the target secret
2. set the reconcile.external-secrets.io/data-hash annotation (on the Secret) to a random value (or nothing)
3. change the data to something different (which makes the data-hash annotation not match)

---

Note, there is not currently a way to force a refresh using an annotation on the ExternalSecret.

So, I guess if none of the above methods work for you, we could make a special case for when a force-sync annotation is present on the ExternalSecret, and always sync if it's present, then remove it once we successfully sync once.

Although, probably makes more sense to use reconcile.external-secrets.io/force-sync to avoid possibly conflicting with existing annotations.

[selecsosi]

@thesuperzapper thank you for mentioning the annotation, I missed that (had tried the other options).

We'll give that a shot tomorrow, thanks for the quick reply!

[evrardj-roche]

(Closing this, it's been a year now, I assume it's fine).