
fix: gcp regional push should have no replications (#4815)

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Gustavo Fernandes de Carvalho 10 months ago
parent
commit
2740f07727

+ 4 - 2
pkg/provider/gcp/secretmanager/client.go

@@ -215,12 +215,14 @@ func (c *Client) PushSecret(ctx context.Context, secret *corev1.Secret, pushSecr
 			}
 		}
 		parent := getParentName(c.store.ProjectID, c.store.Location)
-
 		scrt := &secretmanagerpb.Secret{
 			Labels: map[string]string{
 				managedByKey: managedByValue,
 			},
-			Replication: replication,
+		}
+		// fix: cannot set Replication at all when using regional Secrets.
+		if c.store.Location == "" {
+			scrt.Replication = replication
 		}
 
 		topics, err := utils.FetchValueFromMetadata(topicsKey, pushSecretData.GetMetadata(), []any{})
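Review bot: When `c.store.Location` is set, the `replication` value built earlier in PushSecret is now dropped silently. A `replicationLocation` in the PushSecret metadata that names a different region than the store is therefore ignored with no signal to the operator. Replication decides where the secret material is stored, so a mismatch is better rejected or logged next to the new `if c.store.Location == ""` branch than swallowed. The inline comment also reads like a commit subject; something like `// Regional secrets are pinned to c.store.Location, so a Replication policy is only set for global secrets.` states the invariant. PushSecret starts and ends outside this hunk, so how `replication` is derived is not visible here.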

+ 46 - 0
pkg/provider/gcp/secretmanager/client_test.go

@@ -721,6 +721,9 @@ func TestPushSecret(t *testing.T) {
 					if !ok {
 						return errors.New(errCallNotFoundAtIndex0)
 					}
+					if req.Secret.Replication == nil {
+						return errors.New("expected replication - found nil")
+					}
 
 					user, ok := req.Secret.Replication.Replication.(*secretmanagerpb.Replication_UserManaged_)
 					if !ok {
@@ -740,6 +743,48 @@ func TestPushSecret(t *testing.T) {
 			},
 		},
 		{
+			desc: "dont set replication when pushing regional secrets",
+			args: args{
+				store: &esv1.GCPSMProvider{ProjectID: smtc.projectID, Location: "us-east1"},
+				mock:  smtc.mockClient,
+				Metadata: &apiextensionsv1.JSON{
+					Raw: []byte(`{
+						"apiVersion": "kubernetes.external-secrets.io/v1alpha1",
+						"kind": "PushSecretMetadata",
+						"spec": {
+							"replicationLocation": "us-east1"
+						}
+					}`),
+				},
+				GetSecretMockReturn: fakesm.SecretMockReturn{Secret: nil, Err: notFoundError},
+				CreateSecretMockReturn: fakesm.SecretMockReturn{Secret: &secretmanagerpb.Secret{
+					Name:        "projects/default/secrets/bangg",
+					Replication: nil,
+					Labels: map[string]string{
+						managedBy:    externalSecrets,
+						"label-key1": "label-value1",
+					},
+					Annotations: map[string]string{
+						"annotation-key1": "annotation-value1",
+					},
+				}, Err: nil},
+				AccessSecretVersionMockReturn: fakesm.AccessSecretVersionMockReturn{Res: &res, Err: nil},
+				AddSecretVersionMockReturn:    fakesm.AddSecretVersionMockReturn{SecretVersion: &secretVersion, Err: nil}},
+			want: want{
+				err: nil,
+				req: func(m *fakesm.MockSMClient) error {
+					req, ok := m.CreateSecretCalledWithN[0]
+					if !ok {
+						return errors.New(errCallNotFoundAtIndex0)
+					}
+					if req.Secret.Replication != nil {
+						return errors.New("expected no replication - found something")
+					}
+					return nil
+				},
+			},
+		},
+		{
 			desc: "SetSecret successfully pushes a secret with topics",
 			args: args{
 				Metadata: &apiextensionsv1.JSON{
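Review bot: The new regional case only asserts that `req.Secret.Replication` is nil, so it would still pass if the secret were created under the global parent. A check on the request parent inside the `req` func would pin the secret to the intended region, e.g. `if req.Parent != getParentName(smtc.projectID, "us-east1") { return errors.New("unexpected parent") }`, assuming the test shares the package with `getParentName`. The metadata's `replicationLocation` equals the store `Location` here, so the case where the two differ is not exercised.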
@@ -902,6 +947,7 @@ func TestPushSecret(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.desc, func(t *testing.T) {
+			tc.args.mock.Cleanup()
 			tc.args.mock.NewGetSecretFn(tc.args.GetSecretMockReturn)
 			tc.args.mock.NewUpdateSecretFn(tc.args.UpdateSecretReturn)
 			tc.args.mock.NewCreateSecretFn(tc.args.CreateSecretMockReturn)

+ 6 - 0
pkg/provider/gcp/secretmanager/fake/fake.go

@@ -40,6 +40,12 @@ type MockSMClient struct {
 	DeleteSecretFn          func(ctx context.Context, req *secretmanagerpb.DeleteSecretRequest, opts ...gax.CallOption) error
 }
 
+func (mc *MockSMClient) Cleanup() {
+	mc.CreateSecretCalledWithN = map[int]*secretmanagerpb.CreateSecretRequest{}
+	mc.createSecretCallN = 0
+	mc.UpdateSecretCallN = 0
+}
+
 type AccessSecretVersionMockReturn struct {
 	Res *secretmanagerpb.AccessSecretVersionResponse
 	Err error
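Review bot: `Cleanup` is exported but has no doc comment, and it resets only `CreateSecretCalledWithN` and the two call counters. A comment such as `// Cleanup resets the recorded CreateSecret requests and the create/update call counters so state does not leak between test cases.` would state the contract. If MockSMClient records other calls in fields declared above this hunk, they are not cleared here and would still carry over between subtests. The struct definition starts outside the hunk.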