From 4136c96c0580004e62fb3cdaef1077780f1fcb9f Mon Sep 17 00:00:00 2001
From: mchekalov <mchekalov@gmail.com>
Date: Mon, 3 Nov 2025 13:51:19 +0500
Subject: [PATCH] fix: secret handling in PrepareOldCreds: ensure correct
 creation and updating of old secrets

---
 pkg/hook/credentials.go | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/pkg/hook/credentials.go b/pkg/hook/credentials.go
index bc4ddfe..79ffa6c 100644
--- a/pkg/hook/credentials.go
+++ b/pkg/hook/credentials.go
@@ -59,19 +59,29 @@ func PrepareOldCreds(secrets []string) {
 		if err != nil {
 			panic(err)
 		}
-		oldSecret := oldSecret(oldSecretName)
-		oldSecret.Data = newSecret.Data
-		oldSecret.Labels = newSecret.Labels
 		if !isSecretExist {
+			oldSecret := oldSecret(oldSecretName)
+			oldSecret.Data = newSecret.Data
+			oldSecret.Labels = newSecret.Labels
 			err = k8sClient.Create(ctx, oldSecret)
 			if err != nil {
 				logger.Info(fmt.Sprintf("cannot create %s secret", oldSecret.Name))
 				panic(err)
 			}
 		} else {
-			err = k8sClient.Update(ctx, oldSecret)
+			existingOldSecret := &corev1.Secret{}
+			err = k8sClient.Get(ctx, types.NamespacedName{
+				Name: oldSecretName, Namespace: namespace,
+			}, existingOldSecret)
 			if err != nil {
-				logger.Info(fmt.Sprintf("cannot update %s secret", oldSecret.Name))
+				logger.Info(fmt.Sprintf("cannot get existing %s secret", oldSecretName))
+				panic(err)
+			}
+			existingOldSecret.Data = newSecret.Data
+			existingOldSecret.Labels = newSecret.Labels
+			err = k8sClient.Update(ctx, existingOldSecret)
+			if err != nil {
+				logger.Info(fmt.Sprintf("cannot update %s secret", existingOldSecret.Name))
 				panic(err)
 			}
 		}