fix(gcp): check for secret version exists in PushSecret

[bpalko]

Related Issue

Fixes #5584

Problem Statement

The GCP PushSecret controller has a race condition. When creating secrets, the controller calls CreateSecret() followed by AddSecretVersion(). If something interrupts between these calls (timeout, rate limit, etc.), you end up with a secret in GCP that has no versions. From here, the secret is considered created, yet isn't functional with no data. The goal of this PR is to address this by expanding the reconcilation check.

Proposed Changes

I've modified SecretExists() to check both:

• That the secret resource exists
• At least one version exists. In this case, I'm just using latest.

If the secret exists but has no versions, SecretExists() now returns false. This allows for a retry and the ability to complete the push.

How I tested this

I started by reproducing the race condition locally. I used the GCP API directly to create a secret without a version, then verified SecretExists() returns false. Then, I wanted to test the new logic, so I went and added a version to confirm it returns true.

I also ran the full PushSecret flow on a local Kind cluster with GCP Secret Manager integration. I created multiple secrets, updated them, verified sync status matches actual state in GCP. I had a few debug logs within the SecretExists() function for tracing to ensure each step and if checks were hit.

I added unit tests covering:

• Secret with version exists
• Secret exists but no version
• Secret doesn't exist
• Unexpected error handling for both API calls

Checklist

• [x ] I have read the contribution guidelines
• [x ] All commits are signed with git commit --signoff
• [x ] My changes have reasonable test coverage
• [x ] All tests pass with make test
• [x ] I ensured my PR is ready for review with make reviewable

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Skarlso]

My problem with this pull request is that it's obviously Claude Code, or some other LLM, generated. This tells me that you didn't investigate the root cause or didn't even bother to verify / test your fixes just committed whatever the LLM spewed out.

I'm not against using LLMs, but I am against trusting it blindly.

Before I even look at this, please update your PR description to be something that you wrote that shows me that you investigated the problem, understood the root cause and the fix makes sense in-light of that.

Thanks.

[gusfcarvalho]

I agree this PR description tells very little about what has been committed.

though, I think the implementation here looks okay.

[Skarlso]

Sure. Sorry if this came over too cross, but I would like to make sure we/you understand what you're trying to fix/do. And the description doesn't tell that story.

[bpalko]

Thanks for the feedback. I'm happy to rewrite the PR description. I did use Claude to help structure the description with the template given; I'll be fully transparent here. I can understand your position as a maintainer trying to review PRs, and I imagine it's difficult to assess the merit of the committer. I recognize that AI-styled wording can sometimes raise red flags for maintainers.

I spent several hours yesterday, first trying to understand the codebase, and tracing the issue described by the user. Second, I wrote local, additional tests that weren't committed here to confirm my understanding and implementation. I’m still getting familiar with the internals of the project, but I feel confident in the implementation I've submitted. My new PR description will reflect this.

My intention in being here is to help your team and project out as I've been using it for years, and feel I can make a meaningful impact here. Tangentially, contributing is accelerating my skills as an engineer. I won't learn vibing a PR through Claude.

AI is an accelerator. It's something that can help with drafting, not a replacement for understanding the root cause or validating a change. I don’t think its use should be dismissed outright or treated exclusively as a sign of poor-quality work. I appreciate your callout, but I do want to emphasize that responsible use of AI tools should be viewed as normal and acceptable as long as the contributor is owning the work behind it.

[gusfcarvalho]

Thanks a lot for clarifying your point of view @bpalko! It really means a lot (and it is way more than most AI slop contributions we’ve had)

I’ll write something up related to some contribution guidelines with AI and suggest as a policy to the other maintainers 🙂 I think it is fair as a user to try to use whatever the tools you have available. We just need to define what “good” looks like for both sides here

[Skarlso]

Thank you very much from me too! Really appreciate it! :)

[bpalko]

Thanks again! Please let me know if you need anything else from me to get this over the line.

[Skarlso]

I'll take a closer look later today. :)

[Skarlso]

Thank you for taking the effort of the description update again. I really appreciate it. 🙇

[tosih]

Oops, I had already made the PR for this. I meant to post it today as I didn't expect someone to pick this up so fast.

My main difference was that the GetSecret was an extraneous call. We only really need to grab the latest enabled secret version for SecretExists. This code has an additional call to GCP, which I would say is less efficient.

[tosih]

@Skarlso would you mind if I posted a PR to remove that extra call and grab the latest enabled secret version?

Also, thanks for your work @bpalko

[Skarlso]

Sure. Go for it!