feat(kubernetes): implement SecretExists by Saku2 · Pull Request #5973 · external-secrets/external-secrets

Saku2 · 2026-02-18T22:08:10Z

Problem Statement

Kubernetes provider does not support PushSecrets with updatePolicy: IfNotExists

Related Issue

Fixes #3999

Proposed Changes

Implement SecretExists function for the kubernetes provider

Checklist

I have read the contribution guidelines
All commits are signed with git commit --signoff
My changes have reasonable test coverage
All tests pass with make test
I ensured my PR is ready for review with make reviewable

Implements SecretExists for Kubernetes Provider

Adds support for UpdatePolicy: IfNotExists in PushSecret by implementing the SecretExists method for the Kubernetes provider.

Changes

providers/v1/kubernetes/client.go

Implements SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) to query the Kubernetes API via Get.
Records the API call with metrics.
Returns (false, nil) for NotFound, (false, err) for other client errors.
If ref.Property is set, checks that property exists in secret.Data; otherwise returns (true, nil).
Updates method signature to use named parameters (ctx, ref).

providers/v1/kubernetes/client_test.go

Adds TestSecretExists suite covering: existing secret (no property), non-existent secret, existing secret with property, existing secret missing property, and client error propagation.
Tests use a fake Kubernetes client with predefined secrets.
Note: the patch appears to include a duplicated TestSecretExists block; this should be deduplicated.

Impact

Enables PushSecret to create a Kubernetes Secret only if it does not already exist when using UpdatePolicy: IfNotExists.

Fixes #3999

Signed-off-by: Sakari Tanskanen <sakari.tanskanen@gmail.com>

coderabbitai · 2026-02-18T22:11:16Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c8da0aa4-9774-42b3-8b1d-78cc07846270

📥 Commits

Reviewing files that changed from the base of the PR and between 0f74ad6 and 4a1320d.

📒 Files selected for processing (2)

providers/v1/kubernetes/client.go
providers/v1/kubernetes/client_test.go

Walkthrough

Implements SecretExists in the Kubernetes provider client: performs a Kubernetes GET for the referenced Secret, records the API call, returns false on NotFound, propagates other client errors, and when a specific property is requested, checks that property exists in secret.Data. Also adds tests for the new behavior (appears duplicated).

Changes

Cohort / File(s)	Summary
Core Implementation `providers/v1/kubernetes/client.go`	Implements `SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error)` to GET the Secret, record metrics, return false for NotFound, propagate other errors, and optionally check for a specific key in `secret.Data`. Updated parameter names from underscores to `ctx` and `ref`.
Test Coverage (added, duplicated) `providers/v1/kubernetes/client_test.go`	Adds `TestSecretExists` suite covering: secret exists (no property), secret missing (NotFound), secret exists with property, secret exists without requested property, and client error propagation. File appears to contain two identical `TestSecretExists` blocks (duplicate).

Possibly related issues

UpdatePolicy IfNotExists for kubernetesprovider #4333: Implements the previously missing Client.SecretExists method referenced by the issue, addressing the "not implemented" check causing IfNotExists failures.

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	Test file contains duplicate TestSecretExists function blocks, which appears unintended and outside the scope of implementing SecretExists functionality.	Remove the duplicate TestSecretExists test block in providers/v1/kubernetes/client_test.go to ensure clean test implementation.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR implements SecretExists method for kubernetes provider, enabling UpdatePolicy IfNotExists for PushSecret as requested in issue `#3999`.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

sonarqubecloud · 2026-03-06T14:22:06Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

…2.1.0 (#4491) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.0.1` → `v2.1.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary> ### [`v2.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.1.0) [Compare Source](external-secrets/external-secrets@v2.0.1...v2.1.0) Image: `ghcr.io/external-secrets/external-secrets:v2.1.0` Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl`  #### What's Changed ##### General - chore(release): Update helm chart by [@evrardj-roche](https://github.com/evrardj-roche) in [#5981](external-secrets/external-secrets#5981) - fix: cosign verify does not use signing config by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5982](external-secrets/external-secrets#5982) - docs: Update release process by [@evrardj-roche](https://github.com/evrardj-roche) in [#5980](external-secrets/external-secrets#5980) - fix: allow cross-namespace push with ClusterSecretStore objects by [@Skarlso](https://github.com/Skarlso) in [#5998](external-secrets/external-secrets#5998) - feat(charts): add new flag enable leader for cert-manager by [@nutmos](https://github.com/nutmos) in [#5863](external-secrets/external-secrets#5863) - feat(kubernetes): fall back to system CA roots when no CA is configured by [@rajsinghtech](https://github.com/rajsinghtech) in [#5961](external-secrets/external-secrets#5961) - feat: dedup sbom but keep it monolithic by [@moolen](https://github.com/moolen) in [#6004](external-secrets/external-secrets#6004) - fix: add missing metrics and fundamentally fix the caching logic by [@Skarlso](https://github.com/Skarlso) in [#5894](external-secrets/external-secrets#5894) - docs: designate Oracle Vault provider as 'stable' by [@anders-swanson](https://github.com/anders-swanson) in [#6020](external-secrets/external-secrets#6020) - docs: Oracle Vault provider capabilities by [@anders-swanson](https://github.com/anders-swanson) in [#6023](external-secrets/external-secrets#6023) - docs(azurekv): cert-manager pushsecret example and cleanups by [@illrill](https://github.com/illrill) in [#5972](external-secrets/external-secrets#5972) - feat(kubernetes): implement SecretExists by [@Saku2](https://github.com/Saku2) in [#5973](external-secrets/external-secrets#5973) - fix(charts): Fix wrongly set annotations for cert-controller metrics service by [@josemaia](https://github.com/josemaia) in [#6029](external-secrets/external-secrets#6029) - feat(providers): Nebius MysteryBox integration by [@greenmapc](https://github.com/greenmapc) in [#5868](external-secrets/external-secrets#5868) ##### Dependencies - chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#5986](external-secrets/external-secrets#5986) - chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5992](external-secrets/external-secrets#5992) - chore(deps): bump ubi9/ubi from `b8923f5` to `cecb1cd` by [@dependabot](https://github.com/dependabot)\[bot] in [#5984](external-secrets/external-secrets#5984) - chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5985](external-secrets/external-secrets#5985) - chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by [@dependabot](https://github.com/dependabot)\[bot] in [#5990](external-secrets/external-secrets#5990) - chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by [@dependabot](https://github.com/dependabot)\[bot] in [#5989](external-secrets/external-secrets#5989) - chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5987](external-secrets/external-secrets#5987) - chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5991](external-secrets/external-secrets#5991) - chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5988](external-secrets/external-secrets#5988) - chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6012](external-secrets/external-secrets#6012) - chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6014](external-secrets/external-secrets#6014) - chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6015](external-secrets/external-secrets#6015) - chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6016](external-secrets/external-secrets#6016) - chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6013](external-secrets/external-secrets#6013) - chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6010](external-secrets/external-secrets#6010) - chore(deps): bump hashicorp/setup-terraform from [`ce70bcf`](external-secrets/external-secrets@ce70bcf) to [`5e8dbf3`](external-secrets/external-secrets@5e8dbf3) by [@dependabot](https://github.com/dependabot)\[bot] in [#6011](external-secrets/external-secrets#6011) - chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6009](external-secrets/external-secrets#6009) - chore(deps): bump distroless/static from `972618c` to `28efbe9` by [@dependabot](https://github.com/dependabot)\[bot] in [#6008](external-secrets/external-secrets#6008) #### New Contributors - [@nutmos](https://github.com/nutmos) made their first contribution in [#5863](external-secrets/external-secrets#5863) - [@rajsinghtech](https://github.com/rajsinghtech) made their first contribution in [#5961](external-secrets/external-secrets#5961) - [@illrill](https://github.com/illrill) made their first contribution in [#5972](external-secrets/external-secrets#5972) - [@Saku2](https://github.com/Saku2) made their first contribution in [#5973](external-secrets/external-secrets#5973) - [@greenmapc](https://github.com/greenmapc) made their first contribution in [#5868](external-secrets/external-secrets#5868) **Full Changelog**: <external-secrets/external-secrets@v2.0.1...v2.1.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4491 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.0.1` → `2.1.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v2.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.1.0) [Compare Source](external-secrets/external-secrets@v2.0.1...v2.1.0) Image: `ghcr.io/external-secrets/external-secrets:v2.1.0` Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl`  #### What's Changed ##### General - chore(release): Update helm chart by [@evrardj-roche](https://github.com/evrardj-roche) in [#5981](external-secrets/external-secrets#5981) - fix: cosign verify does not use signing config by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5982](external-secrets/external-secrets#5982) - docs: Update release process by [@evrardj-roche](https://github.com/evrardj-roche) in [#5980](external-secrets/external-secrets#5980) - fix: allow cross-namespace push with ClusterSecretStore objects by [@Skarlso](https://github.com/Skarlso) in [#5998](external-secrets/external-secrets#5998) - feat(charts): add new flag enable leader for cert-manager by [@nutmos](https://github.com/nutmos) in [#5863](external-secrets/external-secrets#5863) - feat(kubernetes): fall back to system CA roots when no CA is configured by [@rajsinghtech](https://github.com/rajsinghtech) in [#5961](external-secrets/external-secrets#5961) - feat: dedup sbom but keep it monolithic by [@moolen](https://github.com/moolen) in [#6004](external-secrets/external-secrets#6004) - fix: add missing metrics and fundamentally fix the caching logic by [@Skarlso](https://github.com/Skarlso) in [#5894](external-secrets/external-secrets#5894) - docs: designate Oracle Vault provider as 'stable' by [@anders-swanson](https://github.com/anders-swanson) in [#6020](external-secrets/external-secrets#6020) - docs: Oracle Vault provider capabilities by [@anders-swanson](https://github.com/anders-swanson) in [#6023](external-secrets/external-secrets#6023) - docs(azurekv): cert-manager pushsecret example and cleanups by [@illrill](https://github.com/illrill) in [#5972](external-secrets/external-secrets#5972) - feat(kubernetes): implement SecretExists by [@Saku2](https://github.com/Saku2) in [#5973](external-secrets/external-secrets#5973) - fix(charts): Fix wrongly set annotations for cert-controller metrics service by [@josemaia](https://github.com/josemaia) in [#6029](external-secrets/external-secrets#6029) - feat(providers): Nebius MysteryBox integration by [@greenmapc](https://github.com/greenmapc) in [#5868](external-secrets/external-secrets#5868) ##### Dependencies - chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#5986](external-secrets/external-secrets#5986) - chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5992](external-secrets/external-secrets#5992) - chore(deps): bump ubi9/ubi from `b8923f5` to `cecb1cd` by [@dependabot](https://github.com/dependabot)\[bot] in [#5984](external-secrets/external-secrets#5984) - chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5985](external-secrets/external-secrets#5985) - chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by [@dependabot](https://github.com/dependabot)\[bot] in [#5990](external-secrets/external-secrets#5990) - chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by [@dependabot](https://github.com/dependabot)\[bot] in [#5989](external-secrets/external-secrets#5989) - chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5987](external-secrets/external-secrets#5987) - chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5991](external-secrets/external-secrets#5991) - chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5988](external-secrets/external-secrets#5988) - chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6012](external-secrets/external-secrets#6012) - chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6014](external-secrets/external-secrets#6014) - chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6015](external-secrets/external-secrets#6015) - chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6016](external-secrets/external-secrets#6016) - chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6013](external-secrets/external-secrets#6013) - chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6010](external-secrets/external-secrets#6010) - chore(deps): bump hashicorp/setup-terraform from [`ce70bcf`](external-secrets/external-secrets@ce70bcf) to [`5e8dbf3`](external-secrets/external-secrets@5e8dbf3) by [@dependabot](https://github.com/dependabot)\[bot] in [#6011](external-secrets/external-secrets#6011) - chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6009](external-secrets/external-secrets#6009) - chore(deps): bump distroless/static from `972618c` to `28efbe9` by [@dependabot](https://github.com/dependabot)\[bot] in [#6008](external-secrets/external-secrets#6008) #### New Contributors - [@nutmos](https://github.com/nutmos) made their first contribution in [#5863](external-secrets/external-secrets#5863) - [@rajsinghtech](https://github.com/rajsinghtech) made their first contribution in [#5961](external-secrets/external-secrets#5961) - [@illrill](https://github.com/illrill) made their first contribution in [#5972](external-secrets/external-secrets#5972) - [@Saku2](https://github.com/Saku2) made their first contribution in [#5973](external-secrets/external-secrets#5973) - [@greenmapc](https://github.com/greenmapc) made their first contribution in [#5868](external-secrets/external-secrets#5868) **Full Changelog**: <external-secrets/external-secrets@v2.0.1...v2.1.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4516 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com> Signed-off-by: Evyatar Shtern <evyatar.shtern@gong.io>

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>

feat(kubernetes): implement SecretExists

0f74ad6

Signed-off-by: Sakari Tanskanen <sakari.tanskanen@gmail.com>

github-project-automation bot added this to External Secrets Feb 18, 2026

github-actions bot added area/kubernetes Issues / Pull Requests related to kubernetes kind/feature Categorizes issue or PR as related to a new feature. size/s labels Feb 18, 2026

Skarlso approved these changes Mar 6, 2026

View reviewed changes

Merge branch 'main' into main

4a1320d

Skarlso merged commit 441d838 into external-secrets:main Mar 6, 2026
33 checks passed

github-project-automation bot moved this to Done in External Secrets Mar 6, 2026

dsp0x4 pushed a commit to dsp0x4/external-secrets that referenced this pull request Mar 22, 2026

feat(kubernetes): implement SecretExists (external-secrets#5973)

4cad219

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>

github-actions bot mentioned this pull request Mar 30, 2026

Update Helm release external-secrets to v2.1.0 claytono/infra#1875

Merged

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(kubernetes): implement SecretExists#5973

feat(kubernetes): implement SecretExists#5973
Skarlso merged 2 commits intoexternal-secrets:mainfrom
Saku2:main

Saku2 commented Feb 18, 2026 •

edited by coderabbitai bot

Loading

Uh oh!

coderabbitai bot commented Feb 18, 2026 •

edited

Loading

❌ Failed checks (1 warning)

Uh oh!

sonarqubecloud bot commented Mar 6, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

Saku2 commented Feb 18, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Problem Statement

Related Issue

Proposed Changes

Checklist

Implements SecretExists for Kubernetes Provider

Changes

Impact

Uh oh!

coderabbitai bot commented Feb 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Possibly related issues

❌ Failed checks (1 warning)

Uh oh!

sonarqubecloud bot commented Mar 6, 2026

Quality Gate passed

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Saku2 commented Feb 18, 2026 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Feb 18, 2026 •

edited

Loading