panic with Akeyless provider and an incorrect SecretStore configuration #1957
Status: Closed
Labels: kind/bug
Description
When using external-secrets (v0.7.2 and most probably since v0.6.0) with the Akeyless provider with an incorrect (but validated) SecretStore configuration it is possible to crash the external-secrets controller.

How:

- Specify a SecretStore configuration indicating the `accessType` to be of "k8s" and do not provide anything for `provider.akeyless.authSecretRef.kubernetesAuth`; the configuration will be perceived as valid
- Create an ExternalSecret referencing this SecretStore, then the external-secrets controller will crash when attempting to look for a `kubernetesAuth` ServiceAccountRef
wrong config used:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: akeyless-secret-k8s
type: Opaque
stringData:
  accessId: "p-xxxxxxxxxxxx"
  accessType: "k8s"
  accessTypeParam: "TOOLCHAIN_K8S_2/K8S_KV"
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: akeyless-secret-store-k8s
spec:
  provider:
    akeyless:
      akeylessGWApiURL: "http://10.10.10.10:8000"
      authSecretRef:
        secretRef:
          accessID:
            name: akeyless-secret-k8s
            key: accessId
          accessType:
            name: akeyless-secret-k8s
            key: accessType
          accessTypeParam:
            name: akeyless-secret-k8s
            key: accessTypeParam
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: akeyless-secret-toolchain-k8s-2-k8s
spec:
  refreshInterval: 5m
  secretStoreRef:
    kind: SecretStore
    name: akeyless-secret-store-k8s
  target:
    name: akeyless-secret-toolchain-k8s-2-k8s
    creationPolicy: Owner
  data:
    - secretKey: secret1
      remoteRef:
        key: "/TOOLCHAIN_K8S_2/secret1"
    - secretKey: secret2
      remoteRef:
        key: "/TOOLCHAIN_K8S_2/secret2"
```

result on the controller side:
```text
{"level":"info","ts":1674564802.5770037,"msg":"Observed a panic in reconciler: runtime error: invalid memory address or nil pointer dereference","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"akeyless-secret-toolchain-k8s-2-k8s","namespace":"akeyless"},"namespace":"akeyless","name":"akeyless-secret-toolchain-k8s-2-k8s","reconcileID":"3b80f8bf-217e-47c0-b8db-c253f3996373"}
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x1d9ac1b]
goroutine 429 [running]:
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go:119 +0x1fa
panic({0x2e334e0, 0x5f4f4d0})
/opt/hostedtoolcache/go/1.19.4/x64/src/runtime/panic.go:884 +0x212
github.com/external-secrets/external-secrets/pkg/provider/akeyless.(*akeylessBase).getK8SServiceAccountJWT(0x0?, {0x3bd86a8, 0xc000138000}, 0xc0004ea328?)
/home/runner/work/external-secrets/external-secrets/pkg/provider/akeyless/akeyless_api.go:252 +0x3b
github.com/external-secrets/external-secrets/pkg/provider/akeyless.(*akeylessBase).GetToken(0xc001084960, {0xc001b20860, 0xe}, {0xc001b20856, 0x3}, {0xc000f51590, 0x16}, 0x20?)
/home/runner/work/external-secrets/external-secrets/pkg/provider/akeyless/akeyless_api.go:51 +0x22b
github.com/external-secrets/external-secrets/pkg/provider/akeyless.(*akeylessBase).TokenFromSecretRef(0xc001084960, {0x3bd8718, 0xc00132fda0})
/home/runner/work/external-secrets/external-secrets/pkg/provider/akeyless/auth.go:107 +0x814
github.com/external-secrets/external-secrets/pkg/provider/akeyless.(*Akeyless).GetSecret(0xc001c190a0, {0x3bd8718, 0xc00132fda0}, {{0xc000f50378, 0x18}, {0x0, 0x0}, {0x0, 0x0}, {0x0, ...}, ...})
/home/runner/work/external-secrets/external-secrets/pkg/provider/akeyless/akeyless.go:227 +0x78
github.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).handleSecretData(_, {_, _}, _, {{{0x29dc7ef, 0xe}, {0xc001a220e0, 0x1b}}, {{0xc0015466f0, 0x23}, ...}, ...}, ...)
/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller_secret.go:95 +0xd3
github.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).getProviderSecretData(0xc000947d50, {0x3bd8718, 0xc00132fda0}, 0xc00151c5a0)
/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller_secret.go:77 +0x2be
github.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).Reconcile(0xc000947d50, {0x3bd8718?, 0xc00132fda0}, {{{0xc0010b9890, 0x8}, {0xc0015466f0, 0x23}}})
/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:188 +0xf85
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x3bd8718?, {0x3bd8718?, 0xc00132fda0?}, {{{0xc0010b9890?, 0x2c3ddc0?}, {0xc0015466f0?, 0x0?}}})
/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go:122 +0xc8
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc00118b0e0, {0x3bd8670, 0xc001438e00}, {0x2fa6b20?, 0xc000cd8420?})
/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go:323 +0x38f
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc00118b0e0, {0x3bd8670, 0xc001438e00})
/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go:274 +0x1d9
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go:235 +0x85
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2
/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go:231 +0x333
```
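The failure mode reported above, as an added Go example that is not part of the issue or of the external-secrets code base: hypothetical, simplified stand-ins for the `authSecretRef` block (`ServiceAccountRef`, `KubernetesAuth`, `AuthSecretRef`) show the blind pointer dereference that produces the nil pointer panic beside a validating version that rejects an `accessType` of "k8s" with no `kubernetesAuth` and returns an error the reconciler can report instead of crashing.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for the kubernetesAuth block under
// provider.akeyless.authSecretRef; these are not the project's own types.
type ServiceAccountRef struct{ Name string }
type KubernetesAuth struct{ ServiceAccountRef *ServiceAccountRef }
// KubernetesAuth is a pointer because the block is optional in the SecretStore spec;
// a nil value here is the root of the reported panic.
type AuthSecretRef struct{ KubernetesAuth *KubernetesAuth }

const accessTypeK8s = "k8s"

// unsafeServiceAccountName reproduces the defect pattern: it assumes accessType "k8s"
// implies kubernetesAuth was supplied and dereferences the pointer blindly.
func unsafeServiceAccountName(ref AuthSecretRef) string {
	return ref.KubernetesAuth.ServiceAccountRef.Name // nil pointer dereference when unset
}

// safeServiceAccountName is the hardened form: validate the accessType/kubernetesAuth
// combination before touching any pointer, and return an error the reconciler can
// put on the ExternalSecret status instead of crashing the controller.
func safeServiceAccountName(accessType string, ref AuthSecretRef) (string, error) {
	if accessType != accessTypeK8s {
		return "", fmt.Errorf("accessType %q does not use kubernetesAuth", accessType)
	}
	if ref.KubernetesAuth == nil {
		return "", errors.New("accessType is k8s but authSecretRef.kubernetesAuth is not set")
	}
	if ref.KubernetesAuth.ServiceAccountRef == nil {
		return "", errors.New("kubernetesAuth.serviceAccountRef is required")
	}
	return ref.KubernetesAuth.ServiceAccountRef.Name, nil
}

// recoverPanic runs f and reports whether it panicked, so the defect can be shown
// without taking the process down the way the controller did.
func recoverPanic(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}
```

The same check belongs where the SecretStore is validated, so the misconfiguration is rejected before any ExternalSecret reconciles against it.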