1Password Connect Server: PushSecret will not delete item with multiple fields #5753

@salbracco24

Describe the bug
If you create a PushSecret with multiple keys, then deleting it will fail. When you run kubectl delete ... then it will say the PushSecret was deleted, however, the command will hang indefinitely. If you look at the corresponding 1Password (1P) item, you will see its fields get deleted over the course of a few minutes, but the command still hangs.

The only solution is to remove all finalizers from the secret with a command like kubectl patch pushsecret.external-secrets.io/test-secret-pushsecret -p '{"metadata":{"finalizers":[]}}' --type=merge. Then, you can delete the 1P item manually.

Note that this does not affect deleting a 1P item that has a single field. In that case, deletion will succeed. The only strange behavior is that the 1P item does not get deleted, only its single field. This leaves behind an empty 1P item. However, this might be the intended behavior.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a Kubernetes cluster with the External Secret Operator.
  2. Set up a SecretStore that connects to 1Password by following this guide.
  3. Create a file named test-pushsecret.yaml with the following content. Replace anything beginning with "your" with the correct values:
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
  namespace: your_namespace_here
type: Opaque
stringData:
  username: test-user
  password: mediocrefakepassword123
---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: test-secret-pushsecret
  namespace: your_namespace_here
spec:
  deletionPolicy: Delete
  refreshInterval: 1h
  secretStoreRefs:
    - name: your_secretstore_here
      kind: SecretStore
  selector:
    secret:
      name: test-secret
  data:
    - match:
        secretKey: username
        remoteRef:
          remoteKey: test-secret
          property: username
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          vault: your_1P_vault_name_here
    - match:
        secretKey: password
        remoteRef:
          remoteKey: test-secret
          property: password
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          vault: your_1P_vault_name_here
  4. Create the Secret and PushSecret using kubectl apply -f test-pushsecret.yaml
  5. Delete the PushSecret using kubectl delete pushsecret.external-secrets.io/test-secret-pushsecret

Expected behavior
The kubectl delete command will hang indefinitely. The underlying 1P item will have its fields deleted, but it will persist.

Additional context
Tested using ghcr.io/external-secrets/external-secrets:v1.1.1
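
An added example, not part of the original issue or the External Secrets project's code: a Python check over the JSON that kubectl get pushsecrets -A -o json returns, flagging PushSecrets that match the reported condition (deletionPolicy: Delete with several properties pushed to one remoteKey) and those already hanging in deletion. The remote keys it lists are the 1Password items to verify by hand if finalizers are stripped. The sample JSON, the placeholder finalizer string and the 10-minute threshold are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `kubectl get pushsecrets -A -o json`; the
# finalizer string is a placeholder, not the operator's real finalizer name.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "test-secret-pushsecret", "namespace": "demo",
   "deletionTimestamp": "2025-01-01T10:00:00Z",
   "finalizers": ["placeholder.example/finalizer"]},
  "spec": {"deletionPolicy": "Delete", "data": [
   {"match": {"secretKey": "username",
     "remoteRef": {"remoteKey": "test-secret", "property": "username"}}},
   {"match": {"secretKey": "password",
     "remoteRef": {"remoteKey": "test-secret", "property": "password"}}}]}},
 {"metadata": {"name": "single-field", "namespace": "demo"},
  "spec": {"deletionPolicy": "Delete", "data": [
   {"match": {"secretKey": "token",
     "remoteRef": {"remoteKey": "api-token", "property": "token"}}}]}}
]}
""")

def shared_remote_keys(ps):
    """Remote items that receive more than one property from this PushSecret."""
    keys = Counter(d["match"]["remoteRef"]["remoteKey"]
                   for d in ps.get("spec", {}).get("data", []))
    return sorted(k for k, n in keys.items() if n > 1)

def audit(pushsecrets, now, stuck_after=timedelta(minutes=10)):
    """Return (namespace/name, state, remote keys) for each affected object."""
    findings = []
    for ps in pushsecrets["items"]:
        meta, spec = ps["metadata"], ps.get("spec", {})
        keys = shared_remote_keys(ps)
        if spec.get("deletionPolicy") != "Delete" or not keys:
            continue
        state = "at-risk"  # deleting it would match the reported condition
        ts = meta.get("deletionTimestamp")
        if ts and meta.get("finalizers"):
            deleted = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if now - deleted > stuck_after:
                state = "stuck-terminating"  # finalizer never cleared
        findings.append((f'{meta["namespace"]}/{meta["name"]}', state, keys))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE, datetime.now(timezone.utc)):
        print(*f)
```
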

Labels: kind/bug, triage/pending-triage

Status: Done