1Password (onepassword) PushSecret creates multiple entries to 1Password #3129

Closed
Zachu opened this issue Feb 9, 2024 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Zachu commented Feb 9, 2024

Describe the bug

Sometimes onepassword/PushSecret creates multiple entries to 1Password.

To Reproduce

  1. One has to have the onepassword-connect running and Secret/1pass-token in the namespace
  2. With following manifests:
    ---
    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: 1pass
    spec:
      provider:
        onepassword:
          connectHost: http://onepassword-connect.1password.svc.cluster.local:8080
          vaults:
            Development: 1
          auth:
            secretRef:
              connectTokenSecretRef:
                name: 1pass-token
                key: token
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: foo-secret
    stringData:
      foo: asd
    ---
    apiVersion: external-secrets.io/v1alpha1
    kind: PushSecret
    metadata:
      name: foo-secret
    spec:
      refreshInterval: 60s
      secretStoreRefs:
        - name: 1pass
          kind: SecretStore
      selector:
        secret:
          name: foo-secret
      data:
        - match:
            secretKey: foo
            remoteRef:
              remoteKey: test-foo-secret
  3. Applying these manifests produces two entries into 1Password Vault. At first the PushSecret object shows everything being ok but on the next sync it changes into Errored state
    Events:
      Type     Reason   Age                     From        Message
      ----     ------   ----                    ----        -------
      Normal   Synced   5m59s (x2 over 5m59s)   pushsecret  PushSecret synced successfully
      Warning  Errored  2m14s (x16 over 4m58s)  pushsecret  set secret failed: could not write remote ref foo to target secretstore 1pass: expected one 1Password Item matching: 'test-foo-secret', got 2

Running on following versions:

External-Secrets: `0.9.12`
```sh
$ kubectl --namespace external-secrets get deployment external-secrets --output jsonpath={.spec.template.spec.containers[0].image}
ghcr.io/external-secrets/external-secrets:v0.9.12
```

Kubernetes: `v1.27.8-gke.1067004`
```sh
$ kubectl version --output json |jq --raw-output --compact-output '.serverVersion'
{"major":"1","minor":"27","gitVersion":"v1.27.8-gke.1067004","gitCommit":"6f460c12ad45abb234c18ec4f0ea335a1203c415","gitTreeState":"clean","buildDate":"2024-01-04T22:48:32Z","goVersion":"go1.20.11 X:boringcrypto","compiler":"gc","platform":"linux/amd64"}
```

Expected behavior
I would expect to have only one entry in 1Password. Instead I'm getting two.

Additional context
During my testing I think I have gotten only 1 entry in 1Password occasionally, and I'm fairly sure I got 3 at some point too. So either it doesn't seem to be fully deterministic or I happened to change some things to different position.

This feature was just released in 0.9.12 and implemented in the following PR #2646.

@Zachu Zachu added the kind/bug Categorizes issue or PR as related to a bug. label Feb 9, 2024

ehsan310 commented Mar 4, 2024

I am having the same issue


Skarlso commented Mar 5, 2024

@bthuilot ? :D


Zachu commented Mar 5, 2024

> @bthuilot ? :D

I think their comment about the race condition in that other thread might be the reason for this issue. So fixing that might fix both of these.


Zachu commented Apr 11, 2024

This issue was related to #3130 and got fixed at the same time as that one. There is more discussion in that issue too.

@Zachu Zachu closed this as completed Apr 11, 2024