feat: introduce secret rewrite merge operation

[riccardomc]

Problem Statement

This pull request implements the suggestion in #2987 which allows to merge secret values from different secrets obtained from a provider through a dataFrom.find in one single Secret according to configurable priority, merge strategy and conflict policy.

Related Issue

Implements #2987

Proposed Changes

The implementation extends the ExternalSecretDataFromRemoteRef API by introducing a new ExternalSecretRewriteMerge method to instruct the controller on how to perform merge operations on secret key/value pairs as part of ExternalSecretRewrite.

The implementation follows this detailed suggestion comment for the most part, with some interpretations and choices.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
spec:
  # ...
  dataFrom:
  - find:
      path: cluster1/backend
      name: 
        regexp: ".*"
    rewrite:
    - merge:
        # define the key under which we want to store the resulting merged values
        # It is required if the strategy is 'JSON' and ignored if strategy is 'Extract' 
        into: ""

        # JSON: keep the keys (secret names from the provider)
        # and only merge the secret values, treating it as JSON.
        # The resulting JSON object is stored in the `into` property.
        #
        # Extract: parse the value as JSON and hoist
        # the key/value pairs up just like dataFrom.Extract it does.
        strategy: Extract # or JSON

        # Control the behavior when a conflicting key/value is encountered
        # When conflictPolicy=Ignore the conflicting key/value will be 
        # silently overridden. When conflictPolicy=Error the conflict will cause
        # an Error that will be reported in the Status of the ExternalSecret with
        # details about all conflicting keys.
        conflictPolicy: Error # or Ignore

        # define a list of keys that take precedence over all keys,
        # no matter what sorting strategy/order is being used.
        # These priority-keys are merged into the result map
        # in the defined order.
        priority:
          - custom-stuff-controlled-by-developers

Found secret keys are sorted in alphabetical order before being processed. This guarantees a stable and predictable conflict resolution order. Keys specified in the priority list are processed after all the others, guaranteeing that the last key on the priority list has precedence over all the others.

Documentation and extensive unit tests are provided to further illustrate the implementation details.

Additional Notes

• This is my first contribution in a long while, so please be patient with me, ok? 😘
• There are a couple of failing tests that might depend on my local environment since I get the same failures on main. So I would like to get the ball rolling nonetheless and see if they pass in CI (update: passed...). Here's a snippet of the locally failing tests:

 [FAILED] in [It] - /Users/rmc/dev/external-secrets/pkg/controllers/secretstore/common_test.go:69 @ 06/11/25 21:19:48.454
  << Timeline

  [FAILED] Timed out after 10.001s.
  Expected
      <bool>: false
  to be true
  In [It] at: /Users/rmc/dev/external-secrets/pkg/controllers/secretstore/common_test.go:69 @ 06/11/25 21:19:48.454
------------------------------
•••

Summarizing 2 Failures:
  [FAIL] SecretStore reconcile Controller Reconcile logic [It] [namespace] invalid provider with secretStore should set InvalidStore condition
  /Users/rmc/dev/external-secrets/pkg/controllers/secretstore/common_test.go:69
  [FAIL] SecretStore reconcile Controller Reconcile logic [It] [cluster] invalid provider with secretStore should set InvalidStore condition
  /Users/rmc/dev/external-secrets/pkg/controllers/secretstore/common_test.go:69

Ran 8 of 8 Specs in 40.041 seconds
FAIL! -- 6 Passed | 2 Failed | 0 Pending | 0 Skipped

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[gusfcarvalho]

why the hell did helm-release run here? 🤔

[riccardomc]

why the hell did helm-release run here? 🤔

I didn't do nothing, I swear! 🥲

A few quesitons:

• Do you want me to refactor this issue by sonarqube? I'd be happy to if necessary
• Any idea why tests I pointed out in the description fail locally?

[Skarlso]

@riccardomc Yes please, if you could take care of the sonar issue that would be fantastic. :) 🙇

[riccardomc]

@Skarlso sure, here you go! 😉

[Skarlso]

Thanks! :)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Aransh]

This looks incredible!
Will save me so much work and current headaches, thanks a lot for your work!

[Skarlso]

Nice. :) This has been released with 0.18.1. :) Enjoy!

[Aransh]

@riccardomc Just wanted to say I finally had the chance to start working with this today and it's working perfectly!
Thanks again for your contribution 🙏

[Aransh]

Quick update
While looking into migrating to this approach I stumbled into a bit of a soft blocker.
To quote #2987 (comment) - "it would be great to be able to specify priority for specific secret(s), if they exist"

Seems like this implementation is missing the "if they exist" part, as if I try to create an externalSecret with a "priority" configuration, but the key specified does not exist, it will result in an error.

For example, for this:

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: my-app-secrets
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: hashicorp-vault-backend
  target:
    name: my-app-secrets
  dataFrom:
  - find:
      path: my-app
      name:
        regexp: ".*"
    rewrite:
    - merge:
        strategy: Extract
        conflictPolicy: Ignore
        priority:
          - my-app/secrets

If "my-app/secrets" does not exist, will result in:

Warning UpdateFailed 26s (x2 over 48s) external-secrets error processing spec.dataFrom[0].find, err: error applying rewrite to keys: failed rewrite operation[0]: merge failed with key "my-app/secrets" not found in input map

While I CAN see value in this causing an error if a secret is missing in some use-cases (for example if there's a secret you want to mandate), I think the "this key is prioritized if it exists" approach makes more sense, at least as the default.
Other solution for me would be requiring all apps create a blank "prioritized" secret (and I'm talking hundreds of apps 😵‍💫), so I think I'll hold off with this migration for now unfortunately

@riccardomc May I please request a follow up to either make prioritized secrets optional, or if you see fit, add a "priorityStrategy" field for either "Error" or "Ignore" 👉👈

[riccardomc]

Hey, thanks! I am very happy you're using it and thanks for reaching out, much appreciated.

The main reason I decided to keep this behavior is to minimize surprises for end users: if we just ignore the non existing remote secret, then the final content in the Secret might be different than expected without very little possibility of noticing.

I thought that this could lead to very unpleasant circumstances: it's quite easy to fail to override credentials that might cause significant issues at the application level. Imagine failing to override Production connection string because the Staging remote secret has a typo.

Maybe the priorityStrategy suggestion is the right thing to do, so at least there's a conscious opt-in into this behavior.

Would you mind opening a separate Issue for this as this is now merged?

[Aransh]

@riccardomc sure, will do, thanks!