Add explicit default fields to all ExternalSecret definitions

components/build-templates/staging/e2e-quay-push-secret.yaml

@@ -9,7 +9,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/build/tekton-ci/quay-push-secret
+        metadataPolicy: None
   refreshInterval: 15m
   secretStoreRef:
     kind: ClusterSecretStore

components/ci-helper-app/staging/external-secrets/ci-helper-app-secrets.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/qe/ci-helper-app-secrets
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/cluster-as-a-service/staging/external-secrets.yaml

@@ -7,10 +7,16 @@ metadata:
     hypershift.openshift.io/safe-to-delete-with-cluster: "false"
 spec:
   dataFrom:
-  - extract:
-      key: staging/eaas/stage-eaas-serviceaccount
-  - extract:
-      key: staging/eaas/konflux-eaas-stage
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: staging/eaas/stage-eaas-serviceaccount
+        metadataPolicy: None
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: staging/eaas/konflux-eaas-stage
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore
@@ -28,7 +34,6 @@ spec:
         pull-secret: "{{ .ocp_pull_secret }}"
         ssh-privatekey: unused
         ssh-publickey: unused
-
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -37,8 +42,11 @@ metadata:
   namespace: local-cluster
 spec:
   dataFrom:
-  - extract:
-      key: staging/eaas/stage-eaas-bucket-s3
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: staging/eaas/stage-eaas-bucket-s3
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore

components/cost-management/base/external-service-account-secret.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: # will be added by the overlays
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/crossplane-control-plane/staging/provider-config.yaml

@@ -12,7 +12,6 @@ spec:
       namespace: crossplane-system
       name: eaas-cluster
       key: kubeconfig
-
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -25,7 +24,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/eaas/eaas-stage-kubeconfig
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/crossplane-control-plane/staging/testplatform-provider-config.yaml

@@ -24,7 +24,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: production/openshift-ci/appci-cluster
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/dora-metrics/base/external-secrets/exporters-secrets.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/qe/exporters-secret
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/has/base/external-secrets/has-github-token.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/has/github-token
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/image-controller/base/external-secrets/quaytoken.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/build/image-controller
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore

components/integration/base/external-secrets/pipelines-as-code-secret.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/pipeline-service/github-app
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-ci/base/external-secrets/clair-in-ci-db-github-token.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: "production/integration-service/tekton-ci/clair-in-ci-db-github-token"
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-ci/base/external-secrets/github-secret.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: "production/build/tekton-ci/github-read-only"
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-ci/base/external-secrets/infra-deployments-pr-creator.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/build/tekton-ci/infra-deployments-pr-creator
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-ci/base/external-secrets/konflux-ci-repo-creator.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: production/build/tekton-ci/konflux-ci-repo-creator
+        metadataPolicy: None
   refreshInterval: 15m
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-ci/base/external-secrets/quay-push-secret-konflux-ci.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/build/tekton-ci/quay-push-secret-konflux-ci
+        metadataPolicy: None
   refreshInterval: 15m
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-ci/base/external-secrets/registry-redhat-io-pull-secret.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: production/build/tekton-ci/registry-redhat-io-pull-secret
+        metadataPolicy: None
   refreshInterval: 15m
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-ci/base/external-secrets/slack-webhook-notification-secret.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: "production/build/tekton-ci/slack-webhook-notification-secret"
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-ci/base/external-secrets/snyk-shared-token.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: "staging/build/tekton-ci/snyk-shared-secret" # will be added by the overlays
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/konflux-kite/base/external-secrets/database-secret.yaml

@@ -8,8 +8,11 @@ metadata:
   namespace: konflux-kite
 spec:
   dataFrom:
-  - extract:
-      key: "" # will be added by a patch specific to each cluster
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: "" # will be added by a patch specific to each cluster
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/kubearchive/staging/base/external-secret.yaml

@@ -10,7 +10,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/kubearchive/logging
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/kubearchive/staging/stone-stage-p01/database-secret.yaml

@@ -9,7 +9,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: integrations-output/external-resources/appsres09ue1/stone-stage-p01/stone-stage-p01-kube-archive-rds
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/kubearchive/staging/stone-stg-rh01/database-secret.yaml

@@ -9,7 +9,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: integrations-output/external-resources/appsres09ue1/stonesoup-infra-stage/kube-archive-staging-rds
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/mintmaker/base/external-secrets/pipelines-as-code-secret.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/pipeline-service/github-app
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore

components/monitoring/kanary/staging/stone-stage-p01/external-secrets/kanary-db-credentials.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: # will be added by the overlays
+        metadataPolicy: None
   refreshInterval: 15m
   secretStoreRef:
     kind: ClusterSecretStore

components/monitoring/logging/base/external-secrets/splunk-log-forwarder-external-secrets.yaml

@@ -7,8 +7,11 @@ metadata:
     argocd.argoproj.io/sync-wave: "-1"
 spec:
   dataFrom:
-  - extract:
-      key: "" # will be added by the overlays
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: "" # will be added by the overlays
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     name: appsre-stonesoup-vault
@@ -26,8 +29,11 @@ metadata:
     argocd.argoproj.io/sync-wave: "-1"
 spec:
   dataFrom:
-  - extract:
-      key: "" # will be added by the overlays
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: "" # will be added by the overlays
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     name: appsre-stonesoup-vault

components/monitoring/logging/staging/base/dynatrace-operator/dynakube-secret.yaml

@@ -20,4 +20,7 @@ spec:
     deletionPolicy: Delete
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/monitoring/logging/dynatrace
+        metadataPolicy: None

components/monitoring/prometheus/base/external-secrets/rhobs.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: # will be added by the overlays
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/multi-platform-controller/staging-downstream/external-secrets.yaml

@@ -11,7 +11,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/infrastructure/multi-platform-controller/stone-stage-p01/aws-account
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore
@@ -34,7 +37,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/infrastructure/multi-platform-controller/stone-stage-p01/aws-ssh-key
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore
@@ -57,7 +63,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/infrastructure/multi-platform-controller/stone-stage-p01/ibm-ppc64le-ssh-key
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore
@@ -80,7 +89,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/infrastructure/multi-platform-controller/stone-stage-p01/ibm-s390x-ssh-key
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore