Mixing up values from different 1password vaults #5920
Describe the bug
We use 1password as our password manager, and we have a k8s cluster with different namespaces. Each namespace has the same applications deployed, but for different customers.
For each namespace we have a separate vault in 1password, holding the same items but with different values (e.g. a mongodb item that looks exactly the same, except for the password itself).
We connect to the vaults with different service accounts (1 vault = 1 service account).
In the cluster we have a secret store in each namespace pointing to the respective vault.
Now it happens that as soon as the queue fills up, there are passwords stored in the secrets that come from a different vault. So namespace a doesn't have the password from vault a, but from vault b.
Steps to reproduce the behavior
Here are two examples of the secret stores we use:
secret store namespace a:
```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: onepassword-vault
  namespace: a
spec:
  provider:
    onepasswordSDK:
      auth:
        serviceAccountSecretRef:
          key: token
          name: onepassword-vault
      integrationInfo:
        name: integration-info
        version: v1
      vault: k8s-dev-customer-a
  refreshInterval: 604800
status:
  capabilities: ReadWrite
  conditions:
  - lastTransitionTime: "2026-02-02T09:07:03Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready
```
service account secret namespace a:
```yaml
apiVersion: v1
data:
  token: fsdgdfgdsf
kind: Secret
metadata:
  annotations:
    1password-url: <1password url>
    token-name: service-account-token-k8s-dev-customer-a
    vault-name: k8s-dev-customer-a
  labels:
    token-name: service-account-token-k8s-dev-customer-a
  name: onepassword-vault
  namespace: a
type: Opaque
```
external secret namespace a:
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: mongodb-user
  namespace: a
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      decodingStrategy: None
      key: mongodb-user/username
      metadataPolicy: None
    secretKey: username
  - remoteRef:
      conversionStrategy: Default
      decodingStrategy: None
      key: mongodb-user/password
      metadataPolicy: None
    secretKey: password
  refreshInterval: 1h0m0s
  refreshPolicy: OnChange
  secretStoreRef:
    kind: SecretStore
    name: onepassword-vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: mongodb-user
status:
  binding:
    name: mongodb-user
  conditions:
  - lastTransitionTime: "2026-02-02T19:18:54Z"
    message: secret synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2026-02-02T19:18:28Z"
  syncedResourceVersion: 1-9c37c17fa2c3d575f7b9b7629de81537b8c32d78715a39ecd7fb877f
```
service account secret namespace b:
```yaml
apiVersion: v1
data:
  token: adsadsad
kind: Secret
metadata:
  annotations:
    1password-url: <1password url>
    token-name: service-account-token-k8s-dev-customer-b
    vault-name: k8s-dev-customer-b
  labels:
    token-name: service-account-token-k8s-dev-customer-b
  name: onepassword-vault
  namespace: b
type: Opaque
```
secret store namespace b:
```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: onepassword-vault
  namespace: b
spec:
  provider:
    onepasswordSDK:
      auth:
        serviceAccountSecretRef:
          key: token
          name: onepassword-vault
      integrationInfo:
        name: integration-info
        version: v1
      vault: k8s-dev-customer-aicm
  refreshInterval: 604800
status:
  capabilities: ReadWrite
  conditions:
  - lastTransitionTime: "2026-02-02T09:05:20Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready
```
external secret namespace b:
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: mongodb-user
  namespace: b
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      decodingStrategy: None
      key: mongodb-user/username
      metadataPolicy: None
    secretKey: username
  - remoteRef:
      conversionStrategy: Default
      decodingStrategy: None
      key: mongodb-user/password
      metadataPolicy: None
    secretKey: password
  refreshInterval: 1h0m0s
  refreshPolicy: OnChange
  secretStoreRef:
    kind: SecretStore
    name: onepassword-vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: mongodb-user
status:
  binding:
    name: mongodb-user
  conditions:
  - lastTransitionTime: "2026-01-28T09:17:30Z"
    message: secret synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2026-01-28T09:15:25Z"
  syncedResourceVersion: 1-9c37c17fa2c3d575f7b9b7629de81537b8c32d78715a39ecd7fb877f
```
Kubernetes Server Version: v1.33.7
ESO image version: 1.2.1
Expected behavior
I expect that the right password is taken from the right vault.
Here is what we see on the grafana dashboard:
The queues are constantly this high, no matter what we change in the settings (concurrent, caching, qbs, burst). Especially for the secret stores this is strange, because they are all shown as valid.
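Before attributing cross-vault values to the controller, it is worth mechanically checking that each namespace's SecretStore, its service-account token Secret and its ExternalSecrets line up. The script below is an added example, not code from the external-secrets project or from this report. It reads the `items` list produced by `kubectl get secretstores,externalsecrets,secrets -A -o json` and reports a SecretStore whose token Secret is missing from its namespace, a SecretStore whose `spec.provider.onepasswordSDK.vault` differs from the `vault-name` annotation on its token Secret (that annotation is the reporter's own labelling convention as seen in the posted Secrets, not an ESO field), one service-account token shared by stores in different namespaces (a token is bound to one vault, so such stores can never return different values), and an ExternalSecret whose `secretStoreRef` does not resolve in its own namespace. The embedded sample is constructed from the manifests above with the report's placeholder token values; run on it, the check flags that namespace b's store names vault `k8s-dev-customer-aicm` while its token Secret is annotated `k8s-dev-customer-b`, which is a discrepancy to reconcile with the real configuration.

```python
"""Consistency check for namespaced ESO 1Password SecretStores.

Added example, not part of the external-secrets project. Input is the
`items` list of a `kubectl get ... -o json` List object. Findings are
returned as strings; an empty list means the wiring is consistent.
"""
import json
import sys


def _key(obj):
    """(namespace, name) of a namespaced Kubernetes object."""
    return obj["metadata"]["namespace"], obj["metadata"]["name"]


def check_items(items):
    secrets = {_key(o): o for o in items if o["kind"] == "Secret"}
    stores = {_key(o): o for o in items if o["kind"] == "SecretStore"}
    findings = []
    token_seen = {}  # token value -> (namespace, store) that first used it

    for (ns, name), store in stores.items():
        op = store["spec"]["provider"].get("onepasswordSDK")
        if op is None:
            continue  # only the 1Password SDK provider is checked here
        ref = op["auth"]["serviceAccountSecretRef"]
        key = ref.get("key", "token")
        # A SecretStore can only read Secrets in its own namespace.
        secret = secrets.get((ns, ref["name"]))
        if secret is None:
            findings.append(f"{ns}/{name}: token Secret '{ref['name']}' not found in namespace {ns}")
            continue
        token = secret.get("data", {}).get(key)
        if token is None:
            findings.append(f"{ns}/{name}: Secret '{ref['name']}' has no key '{key}'")
            continue
        # 'vault-name' is the reporter's annotation convention, not an ESO field.
        annotated = secret["metadata"].get("annotations", {}).get("vault-name")
        if annotated is not None and annotated != op.get("vault"):
            findings.append(
                f"{ns}/{name}: store vault '{op.get('vault')}' but token Secret "
                f"is annotated vault-name '{annotated}'"
            )
        # One service-account token is bound to one vault; two namespaces
        # sharing it will necessarily receive the same item values.
        prev = token_seen.setdefault(token, (ns, name))
        if prev[0] != ns:
            findings.append(f"{ns}/{name}: shares its service-account token with {prev[0]}/{prev[1]}")

    for o in items:
        if o["kind"] != "ExternalSecret":
            continue
        ref = o["spec"].get("secretStoreRef", {})
        if ref.get("kind", "SecretStore") != "SecretStore":
            continue  # ClusterSecretStore is cluster-scoped; not resolved here
        ns, name = _key(o)
        if (ns, ref.get("name")) not in stores:
            findings.append(
                f"{ns}/{name}: ExternalSecret references missing SecretStore "
                f"'{ref.get('name')}' in namespace {ns}"
            )
    return findings


# --- Sample objects constructed from the manifests in the issue ---------------
# Token values are the issue's redacted placeholders; real ones are base64.
def _store(ns, vault):
    return {"kind": "SecretStore",
            "metadata": {"name": "onepassword-vault", "namespace": ns},
            "spec": {"provider": {"onepasswordSDK": {
                "auth": {"serviceAccountSecretRef": {"key": "token", "name": "onepassword-vault"}},
                "vault": vault}}}}


def _token_secret(ns, vault, token):
    return {"kind": "Secret",
            "metadata": {"name": "onepassword-vault", "namespace": ns,
                         "annotations": {"vault-name": vault}},
            "data": {"token": token}}


def _external_secret(ns):
    return {"kind": "ExternalSecret",
            "metadata": {"name": "mongodb-user", "namespace": ns},
            "spec": {"secretStoreRef": {"kind": "SecretStore", "name": "onepassword-vault"}}}


SAMPLE_ITEMS = [
    _store("a", "k8s-dev-customer-a"),
    _token_secret("a", "k8s-dev-customer-a", "fsdgdfgdsf"),
    _external_secret("a"),
    _store("b", "k8s-dev-customer-aicm"),
    _token_secret("b", "k8s-dev-customer-b", "adsadsad"),
    _external_secret("b"),
]

if __name__ == "__main__":
    # Usage: python check_stores.py [list.json]  (no argument -> embedded sample)
    objs = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE_ITEMS
    for line in check_items(objs):
        print(line)
```

The check deliberately treats the token value, not the Secret name, as the identity of a store's credential: both namespaces here use a Secret called `onepassword-vault`, so only the token contents reveal whether the namespaces are really isolated from each other.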