1password provider tries to read wrong vault

[bo0tzz]

Describe the bug
I'm trying to pull a secret from a particular vault with the 1password provider. I have a few different ClusterSecretStores, one per vault, and I'm referencing the tf vault specifically from my ExternalSecret spec. However, I constantly get "key not found" events that reference a different vault name:
Warning UpdateFailed 48m (x69 over 2d17h) external-secrets error processing spec.data[5] (key: FUTO_ZULIP_DOMAIN), err: key not found in 1Password Vaults: FUTO_ZULIP_DOMAIN in: map[tf_dev:1]
This key indeed doesn't exist in tf_dev, but I'm not referencing that vault at all. It does exist in tf.

The Kubernetes Secret seems to be populated correctly, though I'm not sure whether it's receiving proper updates for the field that errors.

Specifically which field is mentioned in the error doesn't seem to be consistent; I can see six events right now mentioning different fields, and one of those is combined from similar events. It seems like it might be changing when a reconciliation loop runs, or something like that.

Events

~ ❯ k get event | grep externalsecret  
60m         Warning   UpdateFailed                   externalsecret/discord-bot                      error processing spec.data[5] (key: FUTO_ZULIP_DOMAIN), err: key not found in 1Password Vaults: FUTO_ZULIP_DOMAIN in: map[tf_dev:1]
50m         Warning   UpdateFailed                   externalsecret/discord-bot                      error processing spec.data[6] (key: IMMICH_DISCORD_BOT_GITHUB_WEBHOOK_SLUG), err: key not found in 1Password Vaults: IMMICH_DISCORD_BOT_GITHUB_WEBHOOK_SLUG in: map[tf_dev:1]
40m         Warning   UpdateFailed                   externalsecret/discord-bot                      error processing spec.data[7] (key: IMMICH_DISCORD_BOT_GITHUB_STATUS_SLUG), err: key not found in 1Password Vaults: IMMICH_DISCORD_BOT_GITHUB_STATUS_SLUG in: map[tf_dev:1]
25m         Warning   UpdateFailed                   externalsecret/discord-bot                      error processing spec.data[8] (key: IMMICH_DISCORD_BOT_STRIPE_PAYMENT_SLUG), err: key not found in 1Password Vaults: IMMICH_DISCORD_BOT_STRIPE_PAYMENT_SLUG in: map[tf_dev:1]
15m         Warning   UpdateFailed                   externalsecret/discord-bot                      (combined from similar events): error processing spec.data[9] (key: FOURTHWALL_USER), err: key not found in 1Password Vaults: FOURTHWALL_USER in: map[tf_dev:1]
10m         Warning   UpdateFailed                   externalsecret/discord-bot                      error processing spec.data[9] (key: FOURTHWALL_USER), err: key not found in 1Password Vaults: FOURTHWALL_USER in: map[tf_dev:1]
44s         Warning   UpdateFailed                   externalsecret/discord-bot                      error processing spec.data[10] (key: FOURTHWALL_PASSWORD), err: key not found in 1Password Vaults: FOURTHWALL_PASSWORD in: map[tf_dev:1]

To Reproduce

ClusterSecretStore: https://github.com/immich-app/devtools/blob/main/kubernetes/apps/infrastructure/secrets/external-secrets/stores/1p-tf.yaml
ExternalSecret: https://github.com/immich-app/devtools/blob/main/kubernetes/apps/tools/discord-bot/app/secret.yaml
ESO deployment: https://github.com/immich-app/devtools/blob/main/kubernetes/apps/infrastructure/secrets/external-secrets/app/helmrelease.yaml
Kubernetes version: 1.28.6

Expected behavior
The secret is pulled from the vault I reference

Screenshots
n/a

Additional context
I've tried to have a look at the code myself to see if I could work out the issue, but didn't find any leads.

[gusfcarvalho]

you don't even have any concurrency configured on your setup 🤔

I'm not sure why this is happening. does the issue persist when you use multiple vaults on one ClusterSecretStore? ( I know that's not your case, i just want to check something)

[bo0tzz]

I haven't found a consistent way to trigger this issue, other than waiting for it to happen. I tried removing the tf_dev CSS and adding that to the tf spec instead, but I don't know whether it did anything; I haven't seen the error since about 10 minutes before I made that change, and I'm still not seeing it even after setting things back to how they were.

[bo0tzz]

The issue didn't return overnight. Then this morning I updated ESO to 0.16.0, and some time after that the problem returned, this time even weirder than before. It now seems to be going through all the vaults, and that includes errors for the (expected to be correct) tf vault:

error processing spec.data[7] (key: IMMICH_DISCORD_BOT_GITHUB_STATUS_SLUG), err: key not found in 1Password Vaults: IMMICH_DISCORD_BOT_GITHUB_STATUS_SLUG in: map[tf:1]

That key definitely exists in the vault.

During all of this, the status of the ES is still happy:

status:
  binding:
    name: discord-bot
  conditions:
    - lastTransitionTime: '2025-04-15T10:56:53Z'
      message: secret synced
      reason: SecretSynced
      status: 'True'
      type: Ready
  refreshTime: '2025-04-15T10:58:31Z'
  syncedResourceVersion: 3-f449e63a339f99f3404611bf5c644144

[gusfcarvalho]

Can you run the controller in debug mode and share the logs?

[bo0tzz]

I can't find anything about a "debug mode", I assume you just meant setting the log level to debug?

I did that, and after the controller restart I once again wasn't seeing the issue. I fiddled around with it a bunch, but couldn't manage to trigger the issue. I went and did something else for a while, and when I came back it was there again.

Logs:

{"level":"debug","ts":1744718206.2118082,"logger":"events","msg":"store validated","type":"Normal","object":{"kind":"ClusterSecretStore","name":"1p-tf-prod","uid":"613b1414-130c-44fe-8263-788972cbcdeb","apiVersion":"external-secrets.io/v1","resourceVersion":"131109821"},"reason":"Valid"}
{"level":"debug","ts":1744718206.2240212,"logger":"controllers.ClusterSecretStore","msg":"validating","clustersecretstore":{"name":"1p-kubernetes"}}
{"level":"debug","ts":1744718206.2240598,"logger":"clientmanager","msg":"creating new client","provider":"*onepassword.ProviderOnePassword","store":"/1p-kubernetes"}
{"level":"debug","ts":1744718206.2416453,"logger":"events","msg":"store validated","type":"Normal","object":{"kind":"ClusterSecretStore","name":"1p-kubernetes","uid":"030fb920-b5ea-4aa5-a544-5950878b58e0","apiVersion":"external-secrets.io/v1","resourceVersion":"131109825"},"reason":"Valid"}
{"level":"debug","ts":1744718206.2480862,"logger":"events","msg":"error processing spec.data[2] (key: IMMICH_DISCORD_BOT_TOKEN), err: key not found in 1Password Vaults: IMMICH_DISCORD_BOT_TOKEN in: map[Kubernetes:1]","type":"Warning","object":{"kind":"ExternalSecret","namespace":"tools","name":"discord-bot","uid":"0e6734f8-89b9-4ef5-ba1d-f87dd7e77157","apiVersion":"external-secrets.io/v1","resourceVersion":"131152777"},"reason":"UpdateFailed"}
{"level":"error","ts":1744718206.2584548,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"discord-bot","namespace":"tools"},"namespace":"tools","name":"discord-bot","reconcileID":"c1d88726-0062-4408-88f7-e4d146dcbfea","error":"error processing spec.data[2] (key: IMMICH_DISCORD_BOT_TOKEN), err: key not found in 1Password Vaults: IMMICH_DISCORD_BOT_TOKEN in: map[Kubernetes:1]","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
{"level":"debug","ts":1744718206.2645857,"logger":"clientmanager","msg":"creating new client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718206.2781153,"logger":"controllers.ClusterSecretStore","msg":"validating","clustersecretstore":{"name":"1p-tf"}}
{"level":"debug","ts":1744718206.2781596,"logger":"clientmanager","msg":"creating new client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718206.3068073,"logger":"events","msg":"store validated","type":"Normal","object":{"kind":"ClusterSecretStore","name":"1p-tf","uid":"8ba5cbff-9541-4f2f-acfa-db97a524c7e2","apiVersion":"external-secrets.io/v1","resourceVersion":"131109828"},"reason":"Valid"}
{"level":"debug","ts":1744718206.3191895,"logger":"controllers.ClusterSecretStore","msg":"validating","clustersecretstore":{"name":"1p-tf-dev"}}
{"level":"debug","ts":1744718206.3192165,"logger":"clientmanager","msg":"creating new client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf-dev"}
{"level":"debug","ts":1744718206.340843,"logger":"events","msg":"store validated","type":"Normal","object":{"kind":"ClusterSecretStore","name":"1p-tf-dev","uid":"9d6a03b8-6762-485d-bcc0-173343ac9995","apiVersion":"external-secrets.io/v1","resourceVersion":"131147281"},"reason":"Valid"}
{"level":"debug","ts":1744718206.3518715,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"error","ts":1744718206.3897705,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"discord-bot","namespace":"tools"},"namespace":"tools","name":"discord-bot","reconcileID":"b80c8778-5f22-4197-9f7e-e3fa83400f1e","error":"error processing spec.data[1] (key: IMMICH_GITHUB_CLIENT_SECRET), err: key not found in 1Password Vaults: IMMICH_GITHUB_CLIENT_SECRET in: map[tf_dev:1]","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
{"level":"debug","ts":1744718206.3897913,"logger":"events","msg":"error processing spec.data[1] (key: IMMICH_GITHUB_CLIENT_SECRET), err: key not found in 1Password Vaults: IMMICH_GITHUB_CLIENT_SECRET in: map[tf_dev:1]","type":"Warning","object":{"kind":"ExternalSecret","namespace":"tools","name":"discord-bot","uid":"0e6734f8-89b9-4ef5-ba1d-f87dd7e77157","apiVersion":"external-secrets.io/v1","resourceVersion":"131152930"},"reason":"UpdateFailed"}
{"level":"debug","ts":1744718207.0043833,"logger":"clientmanager","msg":"creating new client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.0960965,"logger":"controllers.ExternalSecret","msg":"reconciled secret","ExternalSecret":{"name":"previews-webhook-secret","namespace":"preview"}}
{"level":"debug","ts":1744718207.1054535,"logger":"clientmanager","msg":"creating new client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.1796906,"logger":"controllers.ExternalSecret","msg":"reconciled secret","ExternalSecret":{"name":"github-webhook-secret","namespace":"flux-system"}}
{"level":"debug","ts":1744718207.1939056,"logger":"controllers.ExternalSecret","msg":"skipping refresh","ExternalSecret":{"name":"previews-webhook-secret","namespace":"preview"}}
{"level":"debug","ts":1744718207.1976004,"logger":"controllers.ExternalSecret","msg":"skipping refresh","ExternalSecret":{"name":"github-webhook-secret","namespace":"flux-system"}}
{"level":"debug","ts":1744718207.2625751,"logger":"clientmanager","msg":"creating new client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.343787,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.4281049,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.518248,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.5886607,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.6709125,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.7475028,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.8245637,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.8796194,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718207.9575183,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718208.0602014,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718208.1716774,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718208.2824395,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718208.3649435,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718208.4646382,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"debug","ts":1744718208.5553365,"logger":"clientmanager","msg":"reusing stored client","provider":"*onepassword.ProviderOnePassword","store":"/1p-tf"}
{"level":"info","ts":1744718208.6689763,"logger":"controllers.ExternalSecret","msg":"reconciled secret","ExternalSecret":{"name":"discord-bot","namespace":"tools"}}
{"level":"debug","ts":1744718208.6837027,"logger":"controllers.ExternalSecret","msg":"skipping refresh","ExternalSecret":{"name":"discord-bot","namespace":"tools"}}

[gusfcarvalho]

while I know this is not a fix, can you set your ClusterSecretStores refreshInterval to 999999h and see if the issues will disappear?

This seems like a race condition between secretstore controller and the externalsecrets controller, so disabling one of them with this fake refreshInterval should validate this hypothesis.

[gusfcarvalho]

You will need to restart your controllers at least once I think

[bo0tzz]

I've set the refreshInterval (to 31536000 seconds, 1 year, because on the CSS spec it's an int field) and restarted all the ESO pods. I'll let you know if I see the issue happen again.

[gusfcarvalho]

If this issue does not persist for the next couple of days, I think we will have enough evidence of the conflict here.

[bo0tzz]

As expected, I haven't seen this issue since.

[bo0tzz]

Did you have an idea of where this issue lies? With some guidance I would be willing to try my hand at a PR to fix it.

[gusfcarvalho]

At this point this would be a guess, but we might need to add sync.Mutex to 1passwrod connect provider.

Logic itself should be simple; testing is what makes it hard.

You can check GCPSM - we also use mutexes there

[bo0tzz]

I would be happy to test on my deployment of course. I don't know the project architecture well enough to know where the mutex should go, would it be at the top of NewClient similar to GCPSM?

[kiemlicz]

I'm also affected by this (exactly the same problem, 1pass)

Are there any updates on the progress?

What are the consequences of "delaying" the ClusterSecretStore.spec.refreshInterval ?
It's pretty clear what would be the consequence of delaying ExternalSecret.spec.refreshInterval however what do I risk with CSS refreshInterval (1password-wise)?