Description
When a StackConfigPolicy (SCP) references a secret via secretMounts, ECK copies that secret to the Elasticsearch namespace with the appropriate naming convention. However, when the StackConfigPolicy is updated to remove the secret reference, the copied secret remains and is not cleaned up.
Steps to Reproduce
- Create an Elasticsearch with the label `env: test`
- Create the secret to be referenced inside the secretSources

  ```sh
  kubectl create secret generic test --from-literal=test=test -n elastic-system -o yaml --save-config --dry-run=client | kubectl apply -f -
  ```
- Create a StackConfigPolicy with a `secretSources` reference to a secret:

  ```yaml
  apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1
  kind: StackConfigPolicy
  metadata:
    name: test-stack-config-policy
    namespace: elastic-system
  spec:
    resourceSelector:
      matchLabels:
        env: test
    elasticsearch:
      clusterSettings:
        indices.recovery.max_bytes_per_sec: "100mb"
      secretMounts:
        - secretName: test
          mountPath: /mnt/secret/test
  ```
- Apply the SCP and verify that ECK copies the secret to the namespace of Elasticsearch
- Update the StackConfigPolicy and remove `secretMounts`.
- Observe that the previously copied secret still exists in the target namespace
Expected Behaviour
When a secret reference is removed from the StackConfigPolicy's secretMounts, ECK should:
- Delete the corresponding copied secret
- Clean up any secrets that are no longer referenced by any StackConfigPolicy
Actual Behaviour
The copied secret remains in the target namespace indefinitely, even after the reference is removed from the StackConfigPolicy.
Environment
- ECK Version: v3.2.0
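
An added example, not part of the original issue or of ECK's code: a reconciliation check that flags copied secrets no current StackConfigPolicy still references, including the case where a second policy still needs the copy. It assumes objects shaped like `kubectl get ... -o json` items, matches policies to clusters by `matchLabels` only, and uses a hypothetical `SOURCE_LABEL` to recognise copies, since the issue does not show how ECK marks them.

```python
# SOURCE_LABEL is a hypothetical marker for "copied from this source secret";
# substitute whatever labels or naming your ECK version puts on its copies.
SOURCE_LABEL = "example.invalid/scp-source-secret"


def selects(policy, es):
    """True if every resourceSelector.matchLabels entry matches the ES labels."""
    want = (policy["spec"].get("resourceSelector") or {}).get("matchLabels") or {}
    have = es["metadata"].get("labels") or {}
    return all(have.get(k) == v for k, v in want.items())


def expected_copies(policies, clusters):
    """(namespace, source secret name) pairs that some policy still requires."""
    expected = set()
    for es in clusters:
        for p in policies:
            if not selects(p, es):
                continue
            mounts = (p["spec"].get("elasticsearch") or {}).get("secretMounts") or []
            for m in mounts:
                expected.add((es["metadata"]["namespace"], m["secretName"]))
    return expected


def orphaned_copies(policies, clusters, secrets):
    """Copied secrets (namespace/name) that no current policy references."""
    expected = expected_copies(policies, clusters)
    orphans = []
    for s in secrets:
        meta = s["metadata"]
        source = (meta.get("labels") or {}).get(SOURCE_LABEL)
        if source is not None and (meta["namespace"], source) not in expected:
            orphans.append(f'{meta["namespace"]}/{meta["name"]}')
    return sorted(orphans)


# Constructed sample objects mirroring the reproduction steps above.
ES = {"metadata": {"name": "es", "namespace": "default", "labels": {"env": "test"}}}
SELECTOR = {"matchLabels": {"env": "test"}}
SCP_BEFORE = {"spec": {"resourceSelector": SELECTOR, "elasticsearch": {
    "secretMounts": [{"secretName": "test", "mountPath": "/mnt/secret/test"}]}}}
SCP_AFTER = {"spec": {"resourceSelector": SELECTOR, "elasticsearch": {}}}
COPY = {"metadata": {"name": "es-copy-of-test", "namespace": "default",
                     "labels": {SOURCE_LABEL: "test"}}}
UNRELATED = {"metadata": {"name": "app-creds", "namespace": "default"}}

if __name__ == "__main__":
    print(orphaned_copies([SCP_AFTER], [ES], [COPY, UNRELATED]))
```

Secrets without the marker label are never reported, so unrelated credentials in the same namespace are left alone.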