Describe the bug
PushSecrets don't appear to work with the webhook provider.
To Reproduce
Try to apply the manifests from the documentation https://external-secrets.io/v0.20.2/provider/webhook/
For completeness:

```yaml
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: webhook-backend
spec:
  provider:
    webhook:
      url: "http://httpbin.org/push?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}"
      body: '{"secret-field": "{{ index .remoteRef .remoteRef.remoteKey }}"}'
      headers:
        Content-Type: application/json
        Authorization: Basic {{ print .auth.username ":" .auth.password | b64enc }}
      secrets:
      - name: auth
        secretRef:
          name: webhook-credentials
---
apiVersion: v1
kind: Secret
metadata:
  name: webhook-credentials
  labels:
    external-secrets.io/type: webhook # Needed to allow webhook to use this secret
data:
  username: dGVzdA== # "test"
  password: dGVzdA== # "test"
---
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
stringData:
  testsecret: testsecret
---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-example # Customisable
spec:
  refreshInterval: 1h # Refresh interval for which push secret will reconcile
  secretStoreRefs: # A list of secret stores to push secrets to
  - name: webhook-backend
    kind: SecretStore
  selector:
    secret:
      name: test-secret
  data:
  - conversionStrategy:
    match:
      secretKey: testsecret
      remoteRef:
        remoteKey: remotekey
```

Output:

```console
$ kubectl apply -f push.yaml
secret/webhook-credentials created
secret/test-secret created
pushsecret.external-secrets.io/pushsecret-example created
The SecretStore "webhook-backend" is invalid: spec.provider.webhook.result: Required value
```

Firstly, the example is invalid. `result` is marked as required in the CRD. If I add a dummy value (from the pull example), the store is created but the secret is not pushed.
```yaml
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  creationTimestamp: "2025-10-04T09:40:05Z"
  generation: 1
  name: webhook-backend
  namespace: default
  resourceVersion: "212110557"
  uid: 79da855f-dcd0-4551-ac41-e4da7df7e62e
spec:
  provider:
    webhook:
      body: '{"secret-field": "{{ index .remoteRef .remoteRef.remoteKey }}"}'
      headers:
        Authorization: Basic {{ print .auth.username ":" .auth.password | b64enc }}
        Content-Type: application/json
      result:
        jsonPath: $.args.parameter
      secrets:
      - name: auth
        secretRef:
          name: webhook-credentials
      url: http://httpbin.org/push?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
status:
  capabilities: ReadOnly
  conditions:
  - lastTransitionTime: "2025-10-04T09:40:05Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready
---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  creationTimestamp: "2025-10-04T09:41:07Z"
  generation: 1
  name: pushsecret-example
  namespace: default
  resourceVersion: "212111068"
  uid: fc82c9cd-3fc7-4857-8097-84a771f4d9f0
spec:
  data:
  - conversionStrategy: None
    match:
      remoteRef:
        remoteKey: remotekey
      secretKey: testsecret
  deletionPolicy: None
  refreshInterval: 1h
  secretStoreRefs:
  - kind: SecretStore
    name: webhook-backend
  selector:
    secret:
      name: test-secret
  updatePolicy: Replace
status:
  conditions:
  - lastTransitionTime: "2025-10-04T09:41:07Z"
    message: 'set secret failed: could not write remote ref testsecret to target secretstore
      webhook-backend: failed to push webhook data: failed to push webhook data: Secret
      does not exist'
    reason: Errored
    status: "False"
    type: Ready
  syncedPushSecrets:
    SecretStore/webhook-backend: {}
---
apiVersion: v1
data:
  testsecret: dGVzdHNlY3JldA==
kind: Secret
metadata:
  creationTimestamp: "2025-10-04T09:34:35Z"
  name: test-secret
  namespace: default
  resourceVersion: "212107898"
  uid: 820751da-b5a6-40bd-88f8-5b3c8f672065
type: Opaque
```

Log from external-secrets container:

```json
{"level":"error","ts":1759571033.5866334,"msg":"Reconciler error","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","PushSecret":{"name":"pushsecret-example","namespace":"default"},"namespace":"default","name":"pushsecret-example","reconcileID":"90883c2a-158a-4fb1-a12c-5396350008b7","error":"could not write remote ref testsecret to target secretstore webhook-backend: failed to push webhook data: failed to push webhook data: Secret does not exist","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:474\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:421\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:296"}
```
Expected behavior
PushSecret should be created.
Additional context
I'm working on my own webhook provider that's supposed to actually push secrets somewhere; that's where I discovered this issue. I've never managed to get external-secrets to push any data to my service; it appears the webhook provider simply doesn't support pushing at the moment.
I noticed it is declared as ReadOnly (visible in the k8s status as well). I've tried compiling ESO with that line changed to ReadWrite; the SecretStore changes to RW, but I encounter the same error. I'm unfortunately not familiar enough with the code to debug it further at this time.
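To make concrete what the documented store would send once pushing works, here is an added Go example (not ESO's code and not from the reporter) that renders the report's three webhook templates into the URL, body and Authorization header of a push request. The layout of the template context (`.remoteRef` and `.auth`) and the `b64enc` implementation are assumptions, since the issue does not show ESO's internals.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"text/template"
)

// Templates copied verbatim from the SecretStore manifest in the report.
const (
	urlTpl  = "http://httpbin.org/push?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}"
	bodyTpl = `{"secret-field": "{{ index .remoteRef .remoteRef.remoteKey }}"}`
	authTpl = `Basic {{ print .auth.username ":" .auth.password | b64enc }}`
)

// b64enc stands in for the sprig function the provider exposes (assumed: plain standard base64).
var funcs = template.FuncMap{
	"b64enc": func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
}

func render(tpl string, data map[string]any) (string, error) {
	var out bytes.Buffer
	err := template.Must(template.New("t").Funcs(funcs).Parse(tpl)).Execute(&out, data)
	return out.String(), err
}

// PushRequest renders URL, body and Authorization header for one PushSecret data entry.
// Assumed context (not taken from ESO source): .remoteRef holds remoteKey, secretKey and the
// secret value under the remoteKey name (what `index .remoteRef .remoteRef.remoteKey` reads);
// .auth holds the decoded keys of the webhook-credentials Secret.
func PushRequest(remoteKey, secretKey, secretValue, user, pass string) (url, body, auth string, err error) {
	data := map[string]any{
		"remoteRef": map[string]any{"remoteKey": remoteKey, "secretKey": secretKey, remoteKey: secretValue},
		"auth":      map[string]any{"username": user, "password": pass},
	}
	if url, err = render(urlTpl, data); err != nil {
		return
	}
	if body, err = render(bodyTpl, data); err != nil {
		return
	}
	auth, err = render(authTpl, data)
	return
}

func main() {
	// Values from the report: remoteKey "remotekey", secretKey and value "testsecret", creds test/test.
	u, b, a, err := PushRequest("remotekey", "testsecret", "testsecret", "test", "test")
	fmt.Println(u, b, a, err)
}
```

With the documented manifests the rendered basic-auth header and the secret value would both leave the cluster over plain `http://`, which is worth checking before pointing a real store at a real endpoint.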