
setSecret will only push updated values/secrets

Signed-off-by: William Young <will.young@engineerbetter.com>
Co-authored-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Co-authored-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Co-authored-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
William Young 3 лет назад
Сommit
5a527e7895
2 измененных файлов с 44 добавлено и 31 удалено
  1. 18 6
      pkg/provider/vault/vault.go
  2. 26 25
      pkg/provider/vault/vault_test.go

+ 18 - 6
pkg/provider/vault/vault.go

@@ -369,15 +369,27 @@ func (v *client) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta
 
 	path := v.buildPath(remoteRef.GetRemoteKey())
 
-	_, err := v.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: path})
-
-	if err == nil {
+	// Retrieve the secret map from vault and convert the secret value in string form.
+	vaultSecret, err := v.GetSecretMap(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: path})
+	vaultSecretValue := string(vaultSecret[remoteRef.GetRemoteKey()])
+	// Retrieve the secret value to be pushed and convert it to string form.
+	secretToPush := secretData["data"].(map[string]interface{})[remoteRef.GetRemoteKey()]
+	pushSecretValue := fmt.Sprintf("%v", secretToPush)
+
+	if vaultSecretValue == pushSecretValue {
 		return errors.New("cannot push - secret already exists")
 	}
-	
-	stringError := err.Error()
 
-	if stringError == "secret not found" {
+	// If error is nil this will error out
+	if err != nil {
+		stringError := err.Error()
+		if stringError == "secret not found" {
+			_, err = v.logical.WriteWithContext(ctx, path, secretData)
+			if err != nil {
+				return err
+			}
+		}
+	} else {
 		_, err = v.logical.WriteWithContext(ctx, path, secretData)
 		if err != nil {
 			return err
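Review bot: The `if vaultSecretValue == pushSecretValue` check on the new side runs before `err` from GetSecretMap is inspected, and the error branch below only acts on the literal text "secret not found" — any other read failure (auth, network, permission) is dropped, so SetSecret neither writes nor, as far as the hunk shows, reports anything. pushSecretValue is built with `fmt.Sprintf("%v", secretToPush)`; if secretData stores the raw []byte value (it is assembled above the hunk, and the unchecked `.(map[string]interface{})` assertion panics if "data" is not a map), %v renders it as a decimal byte list such as `[72 73]`, so it can never equal `string(vaultSecret[key])` and the already-exists guard is dead — confirm against how secretData is built. The two write branches are identical; replacing them with `if err != nil && err.Error() != "secret not found" { return err }` followed by a single `v.logical.WriteWithContext(ctx, path, secretData)` removes the duplication, and matching on err.Error() text is fragile compared with a sentinel checked via errors.Is. The comment `// If error is nil this will error out` does not describe the branch it precedes. SetSecret's body begins and ends outside the hunk.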

+ 26 - 25
pkg/provider/vault/vault_test.go

@@ -33,7 +33,6 @@ import (
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider/vault/fake"
-	"github.com/external-secrets/external-secrets/pkg/provider/vault/internal/fakes"
 )
 
 const (
@@ -1444,33 +1443,35 @@ func TestSetSecret(t *testing.T) {
 }
 
 func TestSetSecretUpdate(t *testing.T) {
-	// if an identical secret is found (ie not 404) throw error
-	// path := "secret"
-	// secretData := map[string]interface{}{
-	// 	"data": map[string]interface{}{
-	// 		"fake key": "fake value",
-	// 	},
-	// }
-	client1 := newClient()
-	// client1 = client{
-	// 	store: &esv1beta1.VaultProvider{
-	// 		Path: &path,
-	// 	},
-	// 	logical: fake.Logical{
-	// 		WriteWithContextFn:        fake.NewWriteWithContextFn(secretData, fmt.Errorf("error")),
-	// 		ReadWithDataWithContextFn: fake.NewReadWithContextFn(secretData, fmt.Errorf("error can't read data")),
-	// 	},
-	// }
-	client1
+
+	path := "secret"
+	secretData := map[string]interface{}{
+		"data": map[string]interface{}{
+			"fake key": "fake value",
+		},
+	}
+	client := client{
+		store: &esv1beta1.VaultProvider{
+			Path: &path,
+		},
+		logical: fake.Logical{
+			WriteWithContextFn:        fake.NewWriteWithContextFn(secretData, fmt.Errorf("error")),
+			ReadWithDataWithContextFn: fake.NewReadWithContextFn(secretData, fmt.Errorf("error can't read data")),
+		},
+	}
 	ref := fakeRef{key: "I'm a key"}
 
-	client1.SetSecret(context.Background(), []byte("HI"), ref)
-	err := client1.SetSecret(context.Background(), []byte("HI"), ref)
+	client.SetSecret(context.Background(), []byte("HI"), ref)
+	err := client.SetSecret(context.Background(), []byte("HI"), ref)
 
 	assert.Equal(t, err, "cannot push - secret already exists")
 }
 
-// counterfeiter helper methods.
-func newClient() *fakes.VaultClient {
-	return new(fakes.VaultClient)
-}
+// Above test pushing same exact secret twice.
+// Next test pushing a secret then pushing again with same key and different value
+// Test if secret is managed by eso
+
+// // counterfeiter helper methods.
+// func newClient() *fakes.VaultClient {
+// 	return new(fakes.VaultClient)
+// }
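Review bot: `assert.Equal(t, err, "cannot push - secret already exists")` compares an error value with a string, so it can never pass; use `assert.EqualError(t, err, "cannot push - secret already exists")`, and check the error returned by the first `client.SetSecret` call instead of discarding it. The fake logical is wired with `fake.NewReadWithContextFn(secretData, fmt.Errorf("error can't read data"))`; if that makes every read fail, the duplicate-secret path this test is named for cannot be exercised — presumably a fake whose read succeeds on the second call is needed, confirm against the fake's implementation. Naming the variable `client` shadows the `client` type in this package; `c` or `vc` would read better. The commented-out newClient helper should be deleted outright (its `fakes` import is already gone in the first hunk), and the trailing "Next test …" notes belong in the new tests themselves rather than as comments at the end of the file.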