diff --git a/changelogs/unreleased/7058-ywk253100 b/changelogs/unreleased/7058-ywk253100
new file mode 100644
index 0000000000..2998980b48
--- /dev/null
+++ b/changelogs/unreleased/7058-ywk253100
@@ -0,0 +1 @@
+Remove the credential file first to avoid the change of secret content messing it up
\ No newline at end of file
diff --git a/internal/credentials/file_store.go b/internal/credentials/file_store.go
index 1332d4f8d8..ff5a552137 100644
--- a/internal/credentials/file_store.go
+++ b/internal/credentials/file_store.go
@@ -18,7 +18,6 @@ package credentials
 
 import (
 "fmt"
- "os"
 "path/filepath"
 
 "github.com/pkg/errors"
@@ -71,9 +70,16 @@ func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (strin
 
 keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
 
- file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE, 0644)
+ // remove the file first to aovid the change of secret content messing it up
+ // e.g. if the file content is "key=value" and the secret is updated to "a=b",
+ // the file is messed up to "a=b=value" without removing the file first
+ if err = n.fs.RemoveAll(keyFilePath); err != nil {
+ return "", errors.Wrapf(err, "unable to remove the credentials file: %s", keyFilePath)
+ }
+
+ file, err := n.fs.Create(keyFilePath)
 if err != nil {
- return "", errors.Wrap(err, "unable to open credentials file for writing")
+ return "", errors.Wrap(err, "unable to create credentials file for writing")
 }
 
 if _, err := file.Write(creds); err != nil {
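Review bot: The new `n.fs.Create(keyFilePath)` call in `Path` no longer states a file mode for a file that holds secret material; if the filesystem wrapper follows `os.Create`, the file is created 0666 before umask, and the previous explicit 0644 was already readable by other local users. Consider keeping the explicit open with truncation and a restrictive mode, `file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)`, which also means keeping the `"os"` import that the first hunk of this file removes; 0600 assumes only the owning process reads the file, so confirm that against the consumers of the returned path. `RemoveAll` also deletes a whole directory tree if one ever exists at that path, and remove-then-create leaves a short window with no file, so any concurrent reader of the same path should be checked. The added comment has a typo (`aovid` for `avoid`). The body of `Path` continues past the end of the hunk, so whether `file` is closed on the write-error path is not visible here.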