PushSecret updates Vault on every refreshInterval instead of only on Secret changes #5443

@saviovettoor

Describe the bug
We’re implementing an automation to push certificates to Vault after they’re renewed by cert-manager. However, it appears that the current behavior of PushSecret causes Vault to be updated on every refreshInterval, even when the Kubernetes Secret data hasn’t changed. This results in new Vault versions being created unnecessarily.

To Reproduce
Steps to reproduce the behavior:
Apply the PushSecret manifest below.

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: push-certificate
spec:
  refreshInterval: 1h
  updatePolicy: Replace
  deletionPolicy: None
  secretStoreRefs:
    - name: tls-origination
      kind: SecretStore
  selector:
    secret:
      name: "tls-letsencrypt"
  template:
    engineVersion: v2
    data:
      bundle: |
        {
          "fullchain": {{ index . "tls.crt" | toJson }},
          "key": {{ index . "tls.key" | toJson }}
        }
  data:
    - conversionStrategy: None
      match:
        secretKey: bundle
        remoteRef:
          remoteKey: "ssl/test.com/"

ESO version: v0.18.1
K8s Version: 1.32

Expected behavior
Only push the secret if there is a diff with the target.

Additional context
Discussion on Slack: Link
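To make the expected behaviour concrete, the following is an added Python sketch, not code from external-secrets or Vault, that models the two behaviours against an in-memory stand-in for a KV v2 path (every write creates a new version, as in the real KV v2 engine). The PEM strings are constructed placeholders, and `render_bundle` only approximates the Go template's output (same keys and values, different whitespace).

```python
import json
from dataclasses import dataclass, field

# Constructed sample data standing in for the cert-manager Secret (not real key material).
SECRET_V1 = {
    "tls.crt": "-----BEGIN CERTIFICATE-----\nMIIB...v1\n-----END CERTIFICATE-----\n",
    "tls.key": "-----BEGIN PRIVATE KEY-----\nMIIE...v1\n-----END PRIVATE KEY-----\n",
}
# The same Secret after a cert-manager renewal: both chain and key change.
SECRET_V2 = {
    "tls.crt": "-----BEGIN CERTIFICATE-----\nMIIB...v2\n-----END CERTIFICATE-----\n",
    "tls.key": "-----BEGIN PRIVATE KEY-----\nMIIE...v2\n-----END PRIVATE KEY-----\n",
}


@dataclass
class FakeKVv2:
    """In-memory stand-in for one Vault KV v2 path: every write appends a version,
    which is why an unconditional hourly push produces a version per refreshInterval."""
    versions: list = field(default_factory=list)

    def read(self):
        # Latest version, or None when the path has never been written.
        return self.versions[-1] if self.versions else None

    def write(self, data):
        self.versions.append(dict(data))
        return len(self.versions)  # version number assigned to this write


def render_bundle(secret_data):
    """Approximates the PushSecret template: a JSON document holding chain and key.
    Assumption: the Go template's toJson output differs only in whitespace."""
    return json.dumps({"fullchain": secret_data["tls.crt"], "key": secret_data["tls.key"]})


def push_always(store, secret_data):
    """Reported behaviour: write on every reconcile regardless of the remote state."""
    store.write({"bundle": render_bundle(secret_data)})
    return True


def push_if_changed(store, secret_data):
    """Expected behaviour: read the current remote value and write only on a diff."""
    desired = {"bundle": render_bundle(secret_data)}
    if store.read() == desired:
        return False  # nothing to do, no new Vault version
    store.write(desired)
    return True


def simulate(push, reconciles, renew_at=None):
    """Run `reconciles` hourly reconciles against a fresh store. If renew_at is set,
    the Secret changes to SECRET_V2 from that reconcile onwards.
    Returns the number of Vault versions created."""
    store = FakeKVv2()
    for i in range(reconciles):
        data = SECRET_V2 if renew_at is not None and i >= renew_at else SECRET_V1
        push(store, data)
    return len(store.versions)


if __name__ == "__main__":
    print("Replace every interval, 24h, no renewal:", simulate(push_always, 24))
    print("Diff-aware, 24h, no renewal:           ", simulate(push_if_changed, 24))
    print("Diff-aware, 24h, renewal at hour 12:   ", simulate(push_if_changed, 24, renew_at=12))
```

With a 1h refreshInterval and an unchanged Secret, the unconditional push creates 24 versions a day, while the diff-aware variant creates one, plus one more per actual renewal. The comparison has to be made against the rendered template output exactly as it was written, since that is what the store returns; a remote path with keys the PushSecret does not manage would need the comparison restricted to the managed key.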

Labels: kind/bug
Status: Done
Assignees: none
Milestone: none