SecretSyncedError when creating immutable ExternalSecret #4976

@afine

Description

Describe the bug
Occasionally we see immutable ExternalSecrets with a refreshInterval of 0 show a SecretSyncedError immediately after creation.

When reconciling a recently created ExternalSecret, it is possible that the Status subresource is not in the cache, causing this condition to fail. The operator will then try and fail to update an immutable ExternalSecret.

I was able to reproduce the bug against v0.18.1.

To Reproduce
Create a generator:

apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  name: password-generator
spec:
  allowRepeat: true
  length: 16
  noUpper: false
  symbolCharacters: ~!%^&*()_+-={}|[]\<>?,./4

Create a file issue-3604.yaml

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: es-5-test
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: Password
        name: password-generator
  refreshInterval: 0m
  target:
    immutable: true
    name: es-5-test
    template:
      data:
        password: '{{ .password }}'
        username: someone

Run the following and wait for a SecretSyncedError (it may take a few minutes for an external secret to fail):

$ while true; do                       # k is assumed to be an alias for kubectl
    k apply -f ./issue-3604.yaml; sleep 1
    k get -oyaml es es-5-test
    k delete -f ./issue-3604.yaml
  done

Something like this:

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  creationTimestamp: "2025-07-01T22:38:41Z"
  generation: 1
  name: es-5-test
  namespace: ns1
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: Password
        name: password-generator
  refreshInterval: 0m
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    immutable: true
    name: es-5-test
    template:
      data:
        password: '{{ .password }}'
        username: someone
      engineVersion: v2
      mergePolicy: Replace
status:
  binding:
    name: es-5-test
  conditions:
  - lastTransitionTime: "2025-07-01T22:38:42Z"
    message: could not update secret, target is immutable
    reason: SecretSyncedError
    status: "False"
    type: Ready
  refreshTime: "2025-07-01T22:38:41Z"
  syncedResourceVersion: 1-4ad390e963569d66e90f310049156cbbb14da6731b587ba313d42d1b

Expected behavior

The external secret should be in a successful state.

Additional context
This bug was previously reported and fixed here: #3608

But the fix appears to have been removed here: #4086 (see the "Removals" section here)
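As an added triage check (not part of the external-secrets project or of the report above): the script below reads `kubectl get externalsecrets -A -o json` output and lists every ExternalSecret in the state described here, an immutable target with a zero refreshInterval whose Ready condition is False with reason SecretSyncedError. The embedded sample is a constructed JSON rendering of the status shown in the report plus one healthy object for contrast.

```python
"""Added triage helper: flag ExternalSecrets in the failure mode from this report.
Input: `kubectl get externalsecrets -A -o json` (a List) or one ExternalSecret."""
import json
import re
import sys

# Constructed sample: the report's status rendered as JSON (trimmed to the fields
# the check needs) plus one healthy ExternalSecret for contrast.
SAMPLE_LIST = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "es-5-test", "namespace": "ns1"},
     "spec": {"refreshInterval": "0m", "target": {"immutable": True, "name": "es-5-test"}},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "SecretSyncedError",
                                "message": "could not update secret, target is immutable"}]}},
    {"metadata": {"name": "es-ok", "namespace": "ns1"},
     "spec": {"refreshInterval": "1h", "target": {"immutable": False, "name": "es-ok"}},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "SecretSynced"}]}},
]})

def is_zero_interval(value) -> bool:
    """True for a Go duration whose every component is zero ("0", "0m", "0h0m0s").
    A missing interval is not zero: the operator then applies its default."""
    parts = re.findall(r"\d+(?:\.\d+)?", value or "")
    return bool(parts) and all(float(p) == 0 for p in parts)

def affected_external_secrets(raw_json: str) -> list:
    """One record per ExternalSecret with an immutable target, a zero
    refreshInterval and a Ready=False condition whose reason is SecretSyncedError."""
    doc = json.loads(raw_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    hits = []
    for es in items:
        spec, meta = es.get("spec", {}), es.get("metadata", {})
        target = spec.get("target", {})
        if not target.get("immutable") or not is_zero_interval(spec.get("refreshInterval")):
            continue  # only immutable, never-refreshed targets show this race
        for cond in es.get("status", {}).get("conditions", []):
            if (cond.get("type"), cond.get("status"), cond.get("reason")) == (
                    "Ready", "False", "SecretSyncedError"):
                hits.append({"namespace": meta.get("namespace", "default"),
                             "name": meta.get("name"),
                             "target": target.get("name") or meta.get("name"),
                             "message": cond.get("message", "")})
    return hits

if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    for h in affected_external_secrets(raw):
        print(f"{h['namespace']}/{h['name']} -> Secret {h['target']}: {h['message']}")
```

Run it with the path of a saved `kubectl get externalsecrets -A -o json` dump as the only argument; with no argument it evaluates the constructed sample.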

Labels: GA-blocker (issues that block GA), kind/bug (categorizes issue or PR as related to a bug)