failed to unmarshall JSON when using dataFrom and one of the secrets is empty #1502

@sebagomez

I'm using the following ExternalSecret to create a Secret with all the secrets in the cluster/SITE path of my Vault implementation.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-my-secrets
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: synced-secrets

  dataFrom:
  - find:
      path: clusters/SITE
      name:
        regexp: ".*"

When I apply the ExternalSecret, it does not get synced; the status is SecretSyncedError and the message is "could not get secret data from provider".

Also, if I go see the logs from the ESO pod, I see the following:

{"level":"error","ts":1661877217.5317729,"logger":"controllers.ExternalSecret","msg":"could not get secret data from provider","ExternalSecret":"default/vault-my-secrets","SecretStore":"/vault-backend","error":"failed to unmarshall JSON","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/Users/eq12350/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:121\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/Users/eq12350/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:320\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/Users/eq12350/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/Users/eq12350/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:234"}

The problem is that one of the secrets had all of its versions deleted, so there's nothing to sync, but I think that secret should just be skipped and the rest of the secrets retrieved.

Another option would be to sync that secret as empty, which actually reflects reality more closely.

What do you guys think? What should ESO do when it encounters an empty secret?
a) Skip it and do nothing?
b) Sync it as empty?

I'm asking this question because I'm already working on the solution :)
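
The two options in the question above, shown as an added example that is not part of the original issue and is not ESO's own code. `Merge`, `EmptyPolicy` and `ErrMalformed` are hypothetical names, and the example assumes the provider hands back a `null` or zero-length payload for a secret with no live versions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// EmptyPolicy selects how a secret with no readable data is handled.
type EmptyPolicy int

const (
	SkipEmpty EmptyPolicy = iota // option (a): leave the key out of the target
	SyncEmpty                    // option (b): emit the key with an empty value
)

// ErrMalformed marks a payload that is not valid JSON; that still fails the sync.
var ErrMalformed = errors.New("malformed secret payload")

// Merge builds target Secret data from raw per-secret payloads (hypothetical helper).
// An empty or `null` payload is handled per policy instead of aborting the whole sync.
func Merge(found map[string][]byte, policy EmptyPolicy) (map[string][]byte, error) {
	out := make(map[string][]byte, len(found))
	for name, raw := range found {
		var fields map[string]interface{}
		if len(raw) > 0 {
			if err := json.Unmarshal(raw, &fields); err != nil {
				return nil, fmt.Errorf("%w: %s: %v", ErrMalformed, name, err)
			}
		}
		if fields == nil { // zero-length or JSON null: nothing to sync for this name
			if policy == SyncEmpty {
				out[name] = []byte{}
			}
			continue
		}
		out[name] = raw
	}
	return out, nil
}

func main() {
	// Constructed sample payloads; names and values are illustrative only.
	found := map[string][]byte{"db": []byte(`{"user":"app"}`), "deleted": []byte(`null`)}
	for _, p := range []EmptyPolicy{SkipEmpty, SyncEmpty} {
		data, err := Merge(found, p)
		fmt.Println(len(data), err)
	}
}
```

Either policy keeps one deleted secret from blocking the rest; only a payload that is not JSON at all still returns an error.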
