PushSecret fails to sync secrets to Vault in v0.20.3 #5492

@hprotzek

Description

Describe the bug

PushSecret fails to sync secrets to Vault in v0.20.3 with error "failed to convert value to a valid JSON: Secret does not exist". This works correctly in v0.20.2.

To Reproduce

Steps to reproduce the behavior:

  1. Apply the following manifests:
apiVersion: v1
kind: Secret
metadata:
  name: source-secret
  namespace: default
type: Opaque
stringData:
  username: "test-user"
  password: "test-password"
---
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: default
spec:
  provider:
    vault:
      server: "https://vault.example.com"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
          serviceAccountRef:
            name: "default"
---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-test
  namespace: default
spec:
  refreshInterval: 10s
  secretStoreRefs:
  - name: vault-backend
    kind: SecretStore
  selector:
    secret:
      name: source-secret
  data:
  - match:
      secretKey: username
      remoteRef:
        remoteKey: secret/test-credentials
        property: username
  - match:
      secretKey: password
      remoteRef:
        remoteKey: secret/test-credentials
        property: password
  2. Check the PushSecret status:
kubectl get pushsecret pushsecret-test -o yaml
  3. Observe the error in status.conditions:
status:
  conditions:
  - lastTransitionTime: "2025-10-21T18:54:49Z"
    message: 'set secret failed: could not write remote ref key to target secretstore
      vault-backend: failed to convert value to a valid JSON: Secret does not exist'
    reason: Errored
    status: "False"
    type: Ready

Versions:

  • Kubernetes version: v1.33+ (GKE)
  • External Secrets Operator version:
    • Broken: v0.20.3
    • Working: v0.20.2
  • Helm chart version: external-secrets-0.20.3

Expected behavior

The PushSecret should successfully sync the secret data to Vault, creating the secret if it doesn't exist or updating individual properties using the property-based remoteRef configuration. This behavior works correctly in v0.20.2.

Additional context

  • The same PushSecret configuration works without issues in External Secrets Operator v0.20.2
  • Downgrading from v0.20.3 to v0.20.2 resolves the issue immediately
  • The error message suggests a regression in how PushSecret handles property-based writes to Vault KV v2
  • The SecretStore is valid and shows "Ready" status with ReadWrite capabilities
  • This appears to be a regression introduced in the v0.20.3 release

Related release notes: https://github.com/external-secrets/external-secrets/releases/tag/v0.20.3
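The merge the report expects from a property-based push (create the remote KV v2 secret when the path has never been written, otherwise keep the existing keys and overwrite only the pushed properties), shown as an added Go illustration. This is not external-secrets code: the `remoteSecret` type, the function names and the two Vault read bodies are constructed for the example. The only Vault facts it relies on are that KV v2 reads and writes go through `<mount>/data/<key>`, that a read response nests the key/value map under `data.data`, and that a path that has never been written reads back as HTTP 404 (modelled here by `found == false`).

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// remoteSecret models what a KV v2 read returns: either nothing (404 from
// Vault) or the current key/value map. Constructed for this illustration;
// not the ESO provider's types.
type remoteSecret struct {
	exists bool
	data   map[string]string
}

// kvV2DataPath builds the KV v2 HTTP path for a mount and relative key.
// KV v2 inserts "data/" between the mount point and the secret path, so
// mount "secret" and key "test-credentials" become "secret/data/test-credentials".
func kvV2DataPath(mount, key string) string {
	return path.Join(mount, "data", key)
}

// parseKVv2Read turns a Vault KV v2 read response into a remoteSecret.
// found=false stands for the 404 Vault returns when the path has never been
// written; that case yields exists=false rather than an error, so a first
// push can create the secret instead of failing.
func parseKVv2Read(body []byte, found bool) (remoteSecret, error) {
	if !found {
		return remoteSecret{exists: false, data: map[string]string{}}, nil
	}
	var resp struct {
		Data struct {
			Data map[string]string `json:"data"`
		} `json:"data"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return remoteSecret{}, fmt.Errorf("failed to convert value to a valid JSON: %w", err)
	}
	if resp.Data.Data == nil {
		resp.Data.Data = map[string]string{}
	}
	return remoteSecret{exists: true, data: resp.Data.Data}, nil
}

// pushProperties computes the KV v2 write payload for property-based pushes:
// existing keys are kept, pushed properties add or overwrite their own keys,
// and a missing remote secret is treated as an empty map.
func pushProperties(remote remoteSecret, props map[string]string) ([]byte, error) {
	merged := make(map[string]string, len(remote.data)+len(props))
	if remote.exists {
		for k, v := range remote.data {
			merged[k] = v
		}
	}
	for k, v := range props {
		merged[k] = v
	}
	// KV v2 write bodies wrap the key/value map in a top-level "data" object.
	return json.Marshal(map[string]any{"data": merged})
}

func main() {
	// Constructed inputs mirroring the manifests in the report.
	props := map[string]string{"username": "test-user", "password": "test-password"}

	// First push: Vault has no secret at the path (404), so the write creates it.
	remote, _ := parseKVv2Read(nil, false)
	body, _ := pushProperties(remote, props)
	fmt.Printf("PUT %s %s\n", kvV2DataPath("secret", "test-credentials"), body)

	// Later push of a single property: an unrelated existing key survives.
	existing := []byte(`{"data":{"data":{"api_token":"keep-me","username":"old"},"metadata":{"version":3}}}`)
	remote, _ = parseKVv2Read(existing, true)
	body, _ = pushProperties(remote, map[string]string{"username": "test-user"})
	fmt.Printf("PUT %s %s\n", kvV2DataPath("secret", "test-credentials"), body)
}
```

`go run` prints the two write bodies; the first case is the one the report's error message corresponds to, since no secret exists at the target path before the initial push. When triaging a report like this, check the remote side directly before comparing operator versions, for example with `vault kv get -mount=secret test-credentials`, so that "Secret does not exist" can be separated from a path or mount mismatch in the SecretStore.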

Labels: kind/bug, triage/pending-triage
Project status: Done