How to ignore certain key in the managed secret?

[musabmasood]

We have a situation where a secret is being managed by external-secrets controller. However one of the keys is dynamically added to the managed secret by another controller.

Is it possible instruct external-secrets controller not to manage a particular key? Or otherwise, only manage certain keys but ignore the rest?

Thanks.

[Flydiverny]

No this is not possible in KES.
Similar to how you can not merge into an existing secret. KES will overwrite the entire secret when it updates.

Quoting myself from a previous issue:

KES expects to fully own any secret it interacts with and does not support modifying / managing data in existing secrets. Any update or change in the ExternalSecret will overwrite the existing secret.
There's no need for the delete permission for KES as it never deletes any Secrets, deletion of an ExternalSecret by the user would orphan the created Secret which would then be deleted.

Originally posted by @Flydiverny in #804 (comment)

If you are just getting started with KES, you might want to explore ESO (https://external-secrets.io/) the Go rewrite of KES it allows for using a creationPolicy: 'Merge' (https://external-secrets.io/spec/#external-secrets.io/v1alpha1.ExternalSecretCreationPolicy) to update in an existing secret. ESO is still flagged as alpha but the beta stamp is inching closer.

Originally posted by @Flydiverny in #804 (comment)

[musabmasood]

Thank you for the prompt response 🙏