Add explicit default fields to all ExternalSecret definitions

Add conversionStrategy, decodingStrategy, and metadataPolicy fields
explicitly to all ExternalSecret extract blocks to prevent ArgoCD
OutOfSync status.

The External Secrets Operator automatically adds these default values
to resources even when not specified in Git manifests, causing ArgoCD
to detect drift. By explicitly defining these fields with their default
values (Default, None, None respectively), we ensure the Git manifest
matches the live cluster state and eliminate false OutOfSync alerts.

For now, and as an additional verification step, this change is only
applied to staging.

Co-Authored-By: Claude <[email protected]>

Author: oswcab

components/build-service/base/external-secrets/pipelines-as-code-secret.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/pipeline-service/github-app
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore

components/build-templates/staging/e2e-quay-push-secret.yaml

@@ -9,7 +9,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/build/tekton-ci/quay-push-secret
+        metadataPolicy: None
   refreshInterval: 15m
   secretStoreRef:
     kind: ClusterSecretStore

components/ci-helper-app/staging/external-secrets/ci-helper-app-secrets.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/qe/ci-helper-app-secrets
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/cluster-as-a-service/staging/external-secrets.yaml

@@ -7,10 +7,16 @@ metadata:
     hypershift.openshift.io/safe-to-delete-with-cluster: "false"
 spec:
   dataFrom:
-  - extract:
-      key: staging/eaas/stage-eaas-serviceaccount
-  - extract:
-      key: staging/eaas/konflux-eaas-stage
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: staging/eaas/stage-eaas-serviceaccount
+        metadataPolicy: None
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: staging/eaas/konflux-eaas-stage
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore
@@ -28,7 +34,6 @@ spec:
         pull-secret: "{{ .ocp_pull_secret }}"
         ssh-privatekey: unused
         ssh-publickey: unused
-
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -37,8 +42,11 @@ metadata:
   namespace: local-cluster
 spec:
   dataFrom:
-  - extract:
-      key: staging/eaas/stage-eaas-bucket-s3
+    - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: staging/eaas/stage-eaas-bucket-s3
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore

components/cost-management/base/external-service-account-secret.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: # will be added by the overlays
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/crossplane-control-plane/staging/provider-config.yaml

@@ -12,7 +12,6 @@ spec:
       namespace: crossplane-system
       name: eaas-cluster
       key: kubeconfig
-
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -25,7 +24,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/eaas/eaas-stage-kubeconfig
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/crossplane-control-plane/staging/testplatform-provider-config.yaml

@@ -24,7 +24,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: production/openshift-ci/appci-cluster
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/dora-metrics/base/external-secrets/exporters-secrets.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/qe/exporters-secret
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/has/base/external-secrets/has-github-token.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/has/github-token
+        metadataPolicy: None
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

components/image-controller/base/external-secrets/quaytoken.yaml

@@ -8,7 +8,10 @@ metadata:
 spec:
   dataFrom:
     - extract:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: staging/build/image-controller
+        metadataPolicy: None
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore