From 9aea4cb44b2ddec667cf36b39b14dacb65532a11 Mon Sep 17 00:00:00 2001 From: Matheus Peviani Vellone Date: Mon, 25 May 2026 15:49:38 -0300 Subject: [PATCH] fix(pushsecret): honor updatePolicy: None for operator-managed secrets The final "Check if any of the existing secrets values have changed" loop in ReconcileInfisicalPushSecret updated secrets in Infisical whenever the secret was originally created by the same resource, regardless of updatePolicy. The earlier branches already gate on updatePolicy correctly; this one short-circuited with `managedByOperator || ...`. The most visible symptom is a Password ClusterGenerator pushed via InfisicalPushSecret with updatePolicy: None: every reconcile (including the implicit one fired by CreateFunc on operator pod restart or leader election flip) regenerates the value and pushes it, even though the user explicitly opted out of updates. Drop the managedByOperator branch so updatePolicy is the single gate, matching the documented "defaults to no replacement" behavior. Co-Authored-By: Claude Opus 4.7 (1M context)
---
internal/services/infisicalpushsecret/reconciler.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/internal/services/infisicalpushsecret/reconciler.go b/internal/services/infisicalpushsecret/reconciler.go
index ee2cbf9..bb5048e 100644
--- a/internal/services/infisicalpushsecret/reconciler.go
+++ b/internal/services/infisicalpushsecret/reconciler.go
@@ -451,11 +451,9 @@ func (r *InfisicalPushSecretReconciler) ReconcileInfisicalPushSecret(ctx context if existingSecret != nil { - _, managedByOperator := infisicalPushSecret.Status.ManagedSecrets[existingSecret.ID] - if secretValue != existingSecret.SecretValue { - if managedByOperator || updatePolicy == string(constants.PUSH_SECRET_REPLACE_POLICY_ENABLED) { + if updatePolicy == string(constants.PUSH_SECRET_REPLACE_POLICY_ENABLED) { logger.Info(fmt.Sprintf("Secret with key [key=%s] has changed value. Updating secret in Infisical", secretKey)) updatedSecret, err := infisicalClient.Secrets().Update(infisicalSdk.UpdateSecretOptions{
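Review bot: With the `managedByOperator` short-circuit removed, a value that differs from Infisical under any policy other than Replace now fails the `if updatePolicy == string(constants.PUSH_SECRET_REPLACE_POLICY_ENABLED)` check with nothing in this hunk recording the skip, so a source secret that was rotated on the cluster can leave the old credential live in Infisical with no signal to the operator. ReconcileInfisicalPushSecret continues past the hunk, so an `else` may already exist; if it does not, add one that logs the key only, never the value: `} else { logger.Info(fmt.Sprintf("Secret with key [key=%s] differs from Infisical but updatePolicy is not Replace, skipping update", secretKey)) }`. The diffstat shows only reconciler.go changed, so a regression test covering a managed secret with updatePolicy None would keep the old short-circuit from coming back.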