
WIP: Adds PushSecret DeletionPolicy

Signed-off-by: Gustavo <gusfcarvalho@gmail.com>
Gustavo 3 лет назад
Родитель
Сommit
96b33cf855

+ 10 - 0
apis/externalsecrets/v1alpha1/pushsecret_types.go

@@ -37,11 +37,21 @@ type PushSecretStoreRef struct {
 	Kind string `json:"kind,omitempty"`
 }
 
+type PushSecretDeletionPolicy string
+
+const (
+	PushSecretDeletionPolicyDelete PushSecretDeletionPolicy = "Delete"
+	PushSecretDeletionPolicyNone   PushSecretDeletionPolicy = "None"
+)
+
 // PushSecretSpec configures the behavior of the PushSecret.
 type PushSecretSpec struct {
 	// The Interval to which External Secrets will try to push a secret definition
 	RefreshInterval *metav1.Duration     `json:"refreshInterval,omitempty"`
 	SecretStoreRefs []PushSecretStoreRef `json:"secretStoreRefs"`
+	// Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".
+	// +kubebuilder:default="None"
+	DeletionPolicy PushSecretDeletionPolicy `json:"deletionPolicy"`
 	// The Secret Selector (k8s source) for the Push Secret
 	Selector PushSecretSelector `json:"selector"`
 	// Secret Data that should be pushed to providers
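Review bot: `DeletionPolicy` accepts any string, because the field carries a default marker but no enum validation, and the controller's switch in this commit treats every unrecognised value as a no-op. A misspelt value such as `delete` would be admitted and would silently leave pushed secrets in the provider. Adding `// +kubebuilder:validation:Enum=Delete;None` above the field lets the API server reject it. Since a default exists, `json:"deletionPolicy,omitempty"` would also keep the generated CRD from listing the field as required. PushSecretSpec continues past the end of the hunk.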

+ 3 - 0
apis/externalsecrets/v1beta1/provider.go

@@ -70,6 +70,9 @@ type SecretsClient interface {
 	// SetSecret will write a single secret into the provider
 	SetSecret(ctx context.Context, value []byte, remoteRef PushRemoteRef) error
 
+	// DeleteSecret will delete the secret from a provider
+	DeleteSecret(ctx context.Context, remoteRef PushRemoteRef) error
+
 	// Validate checks if the client is configured correctly
 	// and is able to retrieve secrets from the provider.
 	// If the validation result is unknown it will be ignored.
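Review bot: The comment on `DeleteSecret` does not say what an implementation must do when the remote secret is already gone, or when it was not created by this operator. The controller in this commit returns on the first delete error, so the contract should make a repeated delete succeed, e.g. `// DeleteSecret removes the secret referenced by remoteRef; it must return nil if the secret does not exist.` It would also help to state whether implementations are expected to refuse secrets they do not manage, since a remote key may name a secret that existed before the PushSecret did. The interface body continues outside the hunk.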

+ 5 - 0
apis/externalsecrets/v1beta1/provider_schema_test.go

@@ -39,6 +39,11 @@ func (p *PP) SetSecret(ctx context.Context, value []byte, remoteRef PushRemoteRe
 	return nil
 }
 
+// DeleteSecret deletes a single secret from a provider.
+func (p *PP) DeleteSecret(ctx context.Context, remoteRef PushRemoteRef) error {
+	return nil
+}
+
 // GetSecret returns a single secret from the provider.
 func (p *PP) GetSecret(ctx context.Context, ref ExternalSecretDataRemoteRef) ([]byte, error) {
 	return []byte("NOOP"), nil

+ 6 - 0
config/crds/bases/external-secrets.io_pushsecrets.yaml

@@ -69,6 +69,11 @@ spec:
                   - match
                   type: object
                 type: array
+              deletionPolicy:
+                default: None
+                description: 'Deletion Policy to handle Secrets in the provider. Possible
+                  Values: "Delete/None". Defaults to "None".'
+                type: string
               refreshInterval:
                 description: The Interval to which External Secrets will try to push
                   a secret definition
@@ -148,6 +153,7 @@ spec:
                 - secret
                 type: object
             required:
+            - deletionPolicy
             - secretStoreRefs
             - selector
             type: object

+ 5 - 0
deploy/crds/bundle.yaml

@@ -3374,6 +3374,10 @@ spec:
                       - match
                     type: object
                   type: array
+                deletionPolicy:
+                  default: None
+                  description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
+                  type: string
                 refreshInterval:
                   description: The Interval to which External Secrets will try to push a secret definition
                   type: string
@@ -3435,6 +3439,7 @@ spec:
                     - secret
                   type: object
               required:
+                - deletionPolicy
                 - secretStoreRefs
                 - selector
               type: object

+ 102 - 46
pkg/controllers/pushsecret/pushsecret_controller.go

@@ -17,6 +17,7 @@ package pushsecret
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -103,6 +104,20 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 		r.recorder.Event(&ps, v1.EventTypeWarning, esapi.ReasonErrored, msg)
 		return ctrl.Result{}, err
 	}
+	switch ps.Spec.DeletionPolicy {
+	case esapi.PushSecretDeletionPolicyDelete:
+		err = r.DeleteSecretFromProviders(ctx, &ps, syncedSecrets)
+		if err != nil {
+			msg := fmt.Sprintf("Failed to Delete Secrets from Provider: %v", err)
+			cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionFalse, esapi.ReasonErrored, msg)
+			ps = SetPushSecretCondition(ps, *cond)
+			r.SetSyncedSecrets(&ps, syncedSecrets)
+			r.recorder.Event(&ps, v1.EventTypeWarning, esapi.ReasonErrored, msg)
+			return ctrl.Result{}, err
+		}
+	case esapi.PushSecretDeletionPolicyNone:
+	default:
+	}
 	msg := "PushSecret synced successfully"
 	cond := NewPushSecretCondition(esapi.PushSecretReady, v1.ConditionTrue, esapi.ReasonSynced, msg)
 	ps = SetPushSecretCondition(ps, *cond)
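Review bot: On a failed delete the error branch calls `r.SetSyncedSecrets(&ps, syncedSecrets)`, which replaces the recorded state with the new map even though the old entries were not removed. `DeleteSecretFromProviders` derives its work from `ps.Status.SyncedPushSecrets`, so if that status is persisted (the update is outside this hunk) the next reconcile no longer sees the stale entries and the secret stays in the provider. Dropping the `SetSyncedSecrets` call from this error branch keeps the deletion retryable. The empty `case esapi.PushSecretDeletionPolicyNone:` and `default:` arms could be removed, or the default could report the unknown value.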
@@ -114,12 +129,29 @@ func (r *Reconciler) SetSyncedSecrets(ps *esapi.PushSecret, status esapi.SyncedP
 	ps.Status.SyncedPushSecrets = status
 }
 
-func (r *Reconciler) DeleteSecretFromProviders(newMap, oldMap esapi.SyncedPushSecretsMap) error {
-	var err error
-	for store, oldData := range oldMap {
-		newData, ok := newMap[store]
+func (r *Reconciler) DeleteSecretFromProviders(ctx context.Context, ps *esapi.PushSecret, newMap esapi.SyncedPushSecretsMap) error {
+	for storeName, oldData := range ps.Status.SyncedPushSecrets {
+		storeRef := esapi.PushSecretStoreRef{
+			Name: strings.Split(storeName, "/")[1],
+			Kind: strings.Split(storeName, "/")[0],
+		}
+		store, err := r.getSecretStoreFromName(ctx, storeRef, ps.Namespace)
+		if err != nil {
+			return err
+		}
+		client, err := r.getClientFromStore(ctx, store, ps)
+		if err != nil {
+			return fmt.Errorf("could not get secrets client for store %v: %w", store.GetName(), err)
+		}
+		defer func() { //nolint
+			err := client.Close(ctx)
+			if err != nil {
+				r.Log.Error(err, errCloseStoreClient)
+			}
+		}()
+		newData, ok := newMap[storeName]
 		if !ok {
-			err = r.DeleteAllSecretsFromStore(store, oldData)
+			err = r.DeleteAllSecretsFromStore(ctx, client, oldData)
 			if err != nil {
 				return err
 			}
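Review bot: The store key is split as kind/name here (`[0]` becomes Kind, `[1]` becomes Name), while `PushSecretToProviders` later in this file writes it as `fmt.Sprintf("%v/%v", store.GetName(), ...Kind)`, so Name and Kind arrive swapped. Indexing `[1]` also panics on any key without a slash, which is what the removed `out[store.GetName()]` line used to write into status, so a PushSecret synced before this change could crash the reconcile. `kind, name, ok := strings.Cut(storeName, "/")` with an error return when `ok` is false handles both, provided the writer uses the same order. The deferred `client.Close` sits inside the loop and therefore runs only when the function returns. The function body continues in the next hunk.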
@@ -128,7 +160,7 @@ func (r *Reconciler) DeleteSecretFromProviders(newMap, oldMap esapi.SyncedPushSe
 		for oldEntry, oldRef := range oldData {
 			_, ok := newData[oldEntry]
 			if !ok {
-				err = r.DeleteSecretFromStore(store, oldRef)
+				err = r.DeleteSecretFromStore(ctx, client, oldRef)
 				if err != nil {
 					return err
 				}
@@ -138,9 +170,9 @@ func (r *Reconciler) DeleteSecretFromProviders(newMap, oldMap esapi.SyncedPushSe
 	return nil
 }
 
-func (r *Reconciler) DeleteAllSecretsFromStore(store string, data map[string]esapi.PushSecretData) error {
+func (r *Reconciler) DeleteAllSecretsFromStore(ctx context.Context, client v1beta1.SecretsClient, data map[string]esapi.PushSecretData) error {
 	for _, v := range data {
-		err := r.DeleteSecretFromStore(store, v)
+		err := r.DeleteSecretFromStore(ctx, client, v)
 		if err != nil {
 			return err
 		}
@@ -148,21 +180,30 @@ func (r *Reconciler) DeleteAllSecretsFromStore(store string, data map[string]esa
 	return nil
 }
 
-func (r *Reconciler) DeleteSecretFromStore(store string, data esapi.PushSecretData) error {
-	return nil
+func (r *Reconciler) DeleteSecretFromStore(ctx context.Context, client v1beta1.SecretsClient, data esapi.PushSecretData) error {
+	return client.DeleteSecret(ctx, data.Match.RemoteRef)
+}
+
+func (r *Reconciler) getClientFromStore(ctx context.Context, store v1beta1.GenericStore, ps *esapi.PushSecret) (v1beta1.SecretsClient, error) {
+	provider, err := v1beta1.GetProvider(store)
+	if err != nil {
+		return nil, fmt.Errorf(errGetProviderFailed)
+	}
+	client, err := provider.NewClient(ctx, store, r.Client, ps.Namespace)
+	if err != nil {
+		return nil, fmt.Errorf(errGetSecretsClientFailed)
+	}
+	return client, nil
 }
 
-func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores []v1beta1.GenericStore, ps esapi.PushSecret, secret *v1.Secret) (esapi.SyncedPushSecretsMap, error) {
+func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores map[esapi.PushSecretStoreRef]v1beta1.GenericStore, ps esapi.PushSecret, secret *v1.Secret) (esapi.SyncedPushSecretsMap, error) {
 	out := esapi.SyncedPushSecretsMap{}
 	for _, store := range stores {
-		out[store.GetName()] = make(map[string]esapi.PushSecretData)
-		provider, err := v1beta1.GetProvider(store)
-		if err != nil {
-			return out, fmt.Errorf(errGetProviderFailed)
-		}
-		client, err := provider.NewClient(ctx, store, r.Client, ps.Namespace)
+		storeKey := fmt.Sprintf("%v/%v", store.GetName(), store.GetObjectKind().GroupVersionKind().Kind)
+		out[storeKey] = make(map[string]esapi.PushSecretData)
+		client, err := r.getClientFromStore(ctx, store, &ps)
 		if err != nil {
-			return out, fmt.Errorf(errGetSecretsClientFailed)
+			return out, fmt.Errorf("could not get secrets client for store %v: %w", store.GetName(), err)
 		}
 		defer func() { //nolint
 			err := client.Close(ctx)
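Review bot: `storeKey` takes the kind from `store.GetObjectKind().GroupVersionKind().Kind`, which may be empty for objects read through a typed client; that would produce keys like `name/` that the delete path cannot map back to a ClusterSecretStore. `GetSecretStores` now returns a map keyed by `PushSecretStoreRef`, so the loop can use `for ref, store := range stores` and build the key from `ref.Kind` (defaulting an empty kind) and `ref.Name`. Separately, `getClientFromStore` drops the cause in `fmt.Errorf(errGetProviderFailed)`; `fmt.Errorf("%s: %w", errGetProviderFailed, err)` keeps it. The loop body continues outside the hunk.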
@@ -179,7 +220,7 @@ func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores []v1beta1
 			if err != nil {
 				return out, fmt.Errorf(errSetSecretFailed, ref.Match.SecretKey, store.GetName(), err)
 			}
-			out[store.GetName()][ref.Match.RemoteRef.RemoteKey] = ref
+			out[storeKey][ref.Match.RemoteRef.RemoteKey] = ref
 		}
 	}
 	return out, nil
@@ -194,8 +235,8 @@ func (r *Reconciler) GetSecret(ctx context.Context, ps esapi.PushSecret) (*v1.Se
 	return secret, nil
 }
 
-func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) ([]v1beta1.GenericStore, error) {
-	stores := make([]v1beta1.GenericStore, 0)
+func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) (map[esapi.PushSecretStoreRef]v1beta1.GenericStore, error) {
+	stores := make(map[esapi.PushSecretStoreRef]v1beta1.GenericStore)
 	for _, refStore := range ps.Spec.SecretStoreRefs {
 		if refStore.LabelSelector != nil {
 			labelSelector, err := metav1.LabelSelectorAsSelector(refStore.LabelSelector)
@@ -208,8 +249,12 @@ func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) (
 				if err != nil {
 					return nil, fmt.Errorf("could not list cluster Secret Stores: %w", err)
 				}
-				for i := range clusterSecretStoreList.Items {
-					stores = append(stores, &clusterSecretStoreList.Items[i])
+				for k, v := range clusterSecretStoreList.Items {
+					key := esapi.PushSecretStoreRef{
+						Name: v.Name,
+						Kind: v1beta1.ClusterSecretStoreKind,
+					}
+					stores[key] = &clusterSecretStoreList.Items[k]
 				}
 			} else {
 				secretStoreList := v1beta1.SecretStoreList{}
@@ -217,37 +262,48 @@ func (r *Reconciler) GetSecretStores(ctx context.Context, ps esapi.PushSecret) (
 				if err != nil {
 					return nil, fmt.Errorf("could not list Secret Stores: %w", err)
 				}
-				for i := range secretStoreList.Items {
-					stores = append(stores, &secretStoreList.Items[i])
+				for k, v := range secretStoreList.Items {
+					key := esapi.PushSecretStoreRef{
+						Name: v.Name,
+						Kind: v1beta1.SecretStoreKind,
+					}
+					stores[key] = &secretStoreList.Items[k]
 				}
 			}
-		}
-		if refStore.Name != "" {
-			ref := types.NamespacedName{
-				Name: refStore.Name,
-			}
-			if refStore.Kind == v1beta1.ClusterSecretStoreKind {
-				var store v1beta1.ClusterSecretStore
-				err := r.Get(ctx, ref, &store)
-				if err != nil {
-					return nil, fmt.Errorf(errGetClusterSecretStore, ref.Name, err)
-				}
-				stores = append(stores, &store)
-			} else {
-				ref.Namespace = ps.Namespace
-
-				var store v1beta1.SecretStore
-				err := r.Get(ctx, ref, &store)
-				if err != nil {
-					return nil, fmt.Errorf(errGetSecretStore, ref.Name, err)
-				}
-				stores = append(stores, &store)
+		} else {
+			store, err := r.getSecretStoreFromName(ctx, refStore, ps.Namespace)
+			if err != nil {
+				return nil, err
 			}
+			stores[refStore] = store
 		}
 	}
 	return stores, nil
 }
 
+func (r *Reconciler) getSecretStoreFromName(ctx context.Context, refStore esapi.PushSecretStoreRef, ns string) (v1beta1.GenericStore, error) {
+	if refStore.Name == "" {
+		return nil, fmt.Errorf("refStore Name must be provided")
+	}
+	ref := types.NamespacedName{
+		Name: refStore.Name,
+	}
+	if refStore.Kind == v1beta1.ClusterSecretStoreKind {
+		var store v1beta1.ClusterSecretStore
+		err := r.Get(ctx, ref, &store)
+		if err != nil {
+			return nil, fmt.Errorf(errGetClusterSecretStore, ref.Name, err)
+		}
+		return &store, nil
+	}
+	ref.Namespace = ns
+	var store v1beta1.SecretStore
+	err := r.Get(ctx, ref, &store)
+	if err != nil {
+		return nil, fmt.Errorf(errGetSecretStore, ref.Name, err)
+	}
+	return &store, nil
+}
 func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	r.recorder = mgr.GetEventRecorderFor("pushsecret")
 

+ 1 - 1
pkg/controllers/pushsecret/pushsecret_controller_test.go

@@ -447,7 +447,7 @@ var _ = Describe("ExternalSecret controller", func() {
 				Type:    v1alpha1.PushSecretReady,
 				Status:  v1.ConditionFalse,
 				Reason:  v1alpha1.ReasonErrored,
-				Message: "set secret failed: could not start secrets client",
+				Message: "set secret failed: could not get secrets client for store test-store: could not start secrets client",
 			}
 			return checkCondition(ps.Status, expected)
 		}

+ 4 - 0
pkg/provider/akeyless/akeyless.go

@@ -213,6 +213,10 @@ func (a *Akeyless) SetSecret(ctx context.Context, value []byte, remoteRef esv1be
 	return fmt.Errorf("not implemented")
 }
 
+func (a *Akeyless) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Implements store.Client.GetSecret Interface.
 // Retrieves a secret with the secret name defined in ref.Name.
 func (a *Akeyless) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {

+ 4 - 0
pkg/provider/alibaba/kms.go

@@ -118,6 +118,10 @@ func (kms *KeyManagementService) SetSecret(ctx context.Context, value []byte, re
 	return fmt.Errorf("not implemented")
 }
 
+func (kms *KeyManagementService) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Empty GetAllSecrets.
 func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	// TO be implemented

+ 4 - 0
pkg/provider/aws/parameterstore/parameterstore.go

@@ -84,6 +84,10 @@ func (pm *ParameterStore) getTagsByName(ctx aws.Context, ref *ssm.GetParameterOu
 	return data.TagList, nil
 }
 
+func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 func (pm *ParameterStore) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	// TODO create tags outside of the flow of create parameter: so we can always create parameters
 	// and always create tags.
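Review bot: `DeleteSecret` returns a bare `fmt.Errorf("not implemented")` on a provider whose `SetSecret` does push, so with `deletionPolicy: Delete` the first removed entry would make each reconcile fail with an error the controller cannot tell apart from a transient one. The same applies to the stubs in aws/secretsmanager, gcp/secretmanager and vault. A shared sentinel error declared next to `SecretsClient` and checked with `errors.Is` in the controller would let it report the unsupported combination instead of retrying. The exported method also lacks a doc comment, e.g. `// DeleteSecret is not implemented for Parameter Store.`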

+ 4 - 0
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -111,6 +111,10 @@ func (sm *SecretsManager) fetch(_ context.Context, ref esv1beta1.ExternalSecretD
 	return secretOut, nil
 }
 
+func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 func (sm *SecretsManager) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	secretName := remoteRef.GetRemoteKey()
 	managedBy := "managed-by"

+ 4 - 0
pkg/provider/azure/keyvault/keyvault.go

@@ -201,6 +201,10 @@ func (a *Azure) ValidateStore(store esv1beta1.GenericStore) error {
 	return nil
 }
 
+func (a *Azure) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Not Implemented SetSecret.
 func (a *Azure) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	return fmt.Errorf("not implemented")

+ 8 - 0
pkg/provider/doppler/client.go

@@ -115,6 +115,14 @@ func (c *Client) Validate() (esv1beta1.ValidationResult, error) {
 	return esv1beta1.ValidationResultReady, nil
 }
 
+func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
+func (c *Client) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 func (c *Client) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	request := dClient.SecretRequest{
 		Name:    ref.Key,

+ 4 - 0
pkg/provider/doppler/provider.go

@@ -46,6 +46,10 @@ func init() {
 	})
 }
 
+func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
+	return esv1beta1.SecretStoreReadOnly
+}
+
 func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 

+ 4 - 1
pkg/provider/fake/fake.go

@@ -101,7 +101,10 @@ func getProvider(store esv1beta1.GenericStore) (*esv1beta1.FakeProvider, error)
 	return spc.Provider.Fake, nil
 }
 
-// Not Implemented SetSecret.
+func (p *Provider) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return nil
+}
+
 func (p *Provider) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	currentData, ok := p.config[remoteRef.GetRemoteKey()]
 	if !ok {

+ 4 - 0
pkg/provider/gcp/secretmanager/client.go

@@ -84,6 +84,10 @@ type GoogleSecretManagerClient interface {
 
 var log = ctrl.Log.WithName("provider").WithName("gcp").WithName("secretsmanager")
 
+func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // SetSecret pushes a kubernetes secret key into gcp provider Secret.
 func (c *Client) SetSecret(ctx context.Context, payload []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	createSecretReq := &secretmanagerpb.CreateSecretRequest{

+ 4 - 0
pkg/provider/gitlab/gitlab.go

@@ -160,6 +160,10 @@ func (g *Gitlab) NewClient(ctx context.Context, store esv1beta1.GenericStore, ku
 	return g, nil
 }
 
+func (g *Gitlab) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Not Implemented SetSecret.
 func (g *Gitlab) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	return fmt.Errorf("not implemented")

+ 4 - 0
pkg/provider/ibm/provider.go

@@ -101,6 +101,10 @@ func (c *client) setAuth(ctx context.Context) error {
 	return nil
 }
 
+func (ibm *providerIBM) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Not Implemented SetSecret.
 func (ibm *providerIBM) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	return fmt.Errorf("not implemented")

+ 4 - 0
pkg/provider/kubernetes/client.go

@@ -49,6 +49,10 @@ func (c *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretData
 	return jsonStr, nil
 }
 
+func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Not Implemented SetSecret.
 func (c *Client) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	return fmt.Errorf("not implemented")

+ 4 - 0
pkg/provider/onepassword/onepassword.go

@@ -152,6 +152,10 @@ func validateStore(store esv1beta1.GenericStore) error {
 	return nil
 }
 
+func (provider *ProviderOnePassword) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Not Implemented SetSecret.
 func (provider *ProviderOnePassword) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	return fmt.Errorf("not implemented")

+ 4 - 0
pkg/provider/oracle/oracle.go

@@ -72,6 +72,10 @@ func (vms *VaultManagementService) SetSecret(ctx context.Context, value []byte,
 	return fmt.Errorf("not implemented")
 }
 
+func (vms *VaultManagementService) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Empty GetAllSecrets.
 func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	// TO be implemented

+ 4 - 0
pkg/provider/senhasegura/dsm/dsm.go

@@ -90,6 +90,10 @@ func New(isoSession *senhaseguraAuth.SenhaseguraIsoSession) (*DSM, error) {
 	}, nil
 }
 
+func (dsm *DSM) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Not Implemented SetSecret.
 func (dsm *DSM) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	return fmt.Errorf("not implemented")

+ 5 - 0
pkg/provider/testing/fake/fake.go

@@ -16,6 +16,7 @@ package fake
 
 import (
 	"context"
+	"fmt"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -83,6 +84,10 @@ func (v *Client) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta
 	return v.SetSecretFn()
 }
 
+func (v *Client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // GetSecret implements the provider.Provider interface.
 func (v *Client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	return v.GetSecretFn(ctx, ref)
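Review bot: The test client hard-codes `not implemented` for `DeleteSecret`, while `SetSecret` just above delegates to `v.SetSecretFn()`, so the controller's new deletion path cannot be exercised with this fake. In the part of the commit shown here, the only controller test change is an updated error message, and nothing covers `DeleteSecretFromProviders`. A `DeleteSecretFn` field mirroring `SetSecretFn`, called as `return v.DeleteSecretFn(ctx, remoteRef)`, would allow success and failure cases to be tested.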

+ 4 - 0
pkg/provider/vault/vault.go

@@ -361,6 +361,10 @@ func (c *connector) ValidateStore(store esv1beta1.GenericStore) error {
 	return nil
 }
 
+func (v *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 func (v *client) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	label := map[string]interface{}{
 		"custom_metadata": map[string]string{

+ 4 - 0
pkg/provider/webhook/webhook.go

@@ -116,6 +116,10 @@ func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelect
 	return secret, nil
 }
 
+func (w *WebHook) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 // Not Implemented SetSecret.
 func (w *WebHook) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	return fmt.Errorf("not implemented")

+ 4 - 0
pkg/provider/yandex/common/secretsclient.go

@@ -34,6 +34,10 @@ func (c *yandexCloudSecretsClient) GetSecret(ctx context.Context, ref esv1beta1.
 	return c.secretGetter.GetSecret(ctx, c.iamToken, ref.Key, ref.Version, ref.Property)
 }
 
+func (c *yandexCloudSecretsClient) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
+	return fmt.Errorf("not implemented")
+}
+
 func (c *yandexCloudSecretsClient) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
 	return fmt.Errorf("not implemented")
 }