
feat: do not modify the secret in case of a NotModified (#3746)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 1 year ago
parent
commit
d5ca3161d6

+ 10 - 0
apis/externalsecrets/v1beta1/provider.go

@@ -105,3 +105,13 @@ type NoSecretError struct{}
 func (NoSecretError) Error() string {
 	return "Secret does not exist"
 }
+
+var NotModifiedErr = NotModifiedError{}
+
+// NotModifiedError to signal that the webhook received no changes,
+// and it should just return without doing anything.
+type NotModifiedError struct{}
+
+func (NotModifiedError) Error() string {
+	return "not modified"
+}
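Review bot: The exported sentinel `NotModifiedErr` has no doc comment, and its name departs from the Go `ErrXxx` convention for error variables (`ErrNotModified`). Since callers are expected to compare against it with `errors.Is`, say so where it is declared, for example `// NotModifiedErr is the sentinel to match with errors.Is when a provider reports that the secret data is unchanged.` The type comment also mentions only the webhook although the type lives in the shared provider API; a wording such as `// NotModifiedError signals that the provider reported no change and the target secret must be left untouched.` would describe the contract for every provider.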

+ 15 - 0
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -1931,6 +1931,21 @@ func (in *NoSecretError) DeepCopy() *NoSecretError {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NotModifiedError) DeepCopyInto(out *NotModifiedError) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotModifiedError.
+func (in *NotModifiedError) DeepCopy() *NotModifiedError {
+	if in == nil {
+		return nil
+	}
+	out := new(NotModifiedError)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnboardbaseAuthSecretRef) DeepCopyInto(out *OnboardbaseAuthSecretRef) {
 	*out = *in
 	in.OnboardbaseAPIKeyRef.DeepCopyInto(&out.OnboardbaseAPIKeyRef)

+ 6 - 0
docs/api/spec.md

@@ -5033,6 +5033,12 @@ string
 <p>NoSecretError shall be returned when a GetSecret can not find the
 desired secret. This is used for deletionPolicy.</p>
 </p>
+<h3 id="external-secrets.io/v1beta1.NotModifiedError">NotModifiedError
+</h3>
+<p>
+<p>NotModifiedError to signal that the webhook received no changes,
+and it should just return without doing anything.</p>
+</p>
 <h3 id="external-secrets.io/v1beta1.OnboardbaseAuthSecretRef">OnboardbaseAuthSecretRef
 </h3>
 <p>

+ 5 - 0
pkg/common/webhook/webhook.go

@@ -196,6 +196,11 @@ func (w *Webhook) GetWebhookData(ctx context.Context, provider *Spec, ref *esv1b
 	if resp.StatusCode == 404 {
 		return nil, esv1beta1.NoSecretError{}
 	}
+
+	if resp.StatusCode == http.StatusNotModified {
+		return nil, esv1beta1.NotModifiedError{}
+	}
+
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		return nil, fmt.Errorf("endpoint gave error %s", resp.Status)
 	}
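Review bot: A 304 at the new `http.StatusNotModified` check is treated as proof that the stored secret is still current, but nothing visible in this hunk shows the request being conditional (`If-None-Match` / `If-Modified-Since`). If the endpoint, or a cache in front of it, answers 304 unconditionally, a rotated or revoked value would presumably never reach the cluster while the sync still looks healthy. Consider accepting 304 only when the request carried a validator, or at least record the assumption above the check, e.g. `// 304 is trusted as "keep the current Secret"; the endpoint must send it only when the value is unchanged.` Returning the shared sentinel `esv1beta1.NotModifiedErr` instead of a fresh `NotModifiedError{}` would also keep this in step with the `errors.Is` comparison in the controller. GetWebhookData starts and ends outside the hunk, so whether `resp.Body` is closed on this early return cannot be confirmed from here.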

+ 9 - 0
pkg/controllers/externalsecret/externalsecret_controller.go

@@ -17,6 +17,7 @@ package externalsecret
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -226,6 +227,14 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 		return ctrl.Result{}, err
 	}
 
+	// secret data was not modified.
+	if errors.Is(err, esv1beta1.NotModifiedErr) {
+		log.Info("secret was not modified as a NotModified was returned by the provider")
+		r.markAsDone(&externalSecret, start, log)
+
+		return ctrl.Result{}, nil
+	}
+
 	// if no data was found we can delete the secret if needed.
 	if len(dataMap) == 0 {
 		switch externalSecret.Spec.Target.DeletionPolicy {
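Review bot: The `errors.Is(err, esv1beta1.NotModifiedErr)` branch looks unreachable where it is placed. The block closing just above it ends in `return ctrl.Result{}, err`, and if that block is the usual `if err != nil` guard (its opening line is outside the hunk), a NotModified error returns there first and the ExternalSecret is reported as failed rather than done. Move the new check ahead of that guard, or narrow the guard to `if err != nil && !errors.Is(err, esv1beta1.NotModifiedErr) {`. Separately, `markAsDone` runs here without any visible check that the target Secret still exists, so a deleted or altered target would presumably be reported as synced; a short comment stating that assumption, or an existence check, would help.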