ESO pod crashes if the secret referenced in the PushSecret has no data

[ma-ble]

Describe the bug
If you create a PushSecret that references a secret without a data key, the ESO pod crashes with the error message

{"level":"info","ts":1711105214.26202,"msg":"Observed a panic in reconciler: assignment to entry in nil map","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","PushSecret":{"name":"my-secret","namespace":"test"},"namespace":"test","name":"my-secret","reconcileID":"566de87-9b33-403c-9006-adbece35940a"}
panic: assignment to entry in nil map [recovered]
	panic: assignment to entry in nil map

To Reproduce
Steps to reproduce the behavior:

1. Install ESO with Version v0.9.13
2. Create Secret without data field

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: test

3. Create PushSecret

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: my-secret
  namespace: test
spec:
  deletionPolicy: Delete
  refreshInterval: 10s
  secretStoreRefs:
    - name: build
      kind: SecretStore
  selector:
    secret:
      name: my-secret
  template:
    data:
      test: "{{ .test }}"
  data:
    - match:  
        secretKey: test
        remoteRef:
          remoteKey: test
          property: test

Expected behavior
My expectation is that the pod will not crash when a secret referenced by a PushSecret has no data field.

[shuheiktgw]

@ma-ble Thanks for reporting the issue! I cannot reproduce the behavior with the fake provider. I believe this is a provider-specific problem. Would you tell me which provider you use for the "build" SecretStore?

[ma-ble]

@shuheiktgw sorry that I didn't include this information. I use the kubernetes provider in my SecretStore:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: build
  namespace: test
spec:
  provider:
    kubernetes:
      remoteNamespace: target
      server:
        url: "https://kubernetes.default.svc/"
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          key: ca.crt
      auth:
        serviceAccount:
          name: "store"

In my test setup I push the secrets from one namespace (test) into the target namespace (target) of the same cluster.

[empath-nirvana]

I get the same error with the azure provider in the same situation.

[markussiebert]

Just figured out, that something similar occurs, if the referenced secret does not exist ...

[shuheiktgw]

I've tried reproducing the behavior with the operator v0.9.13 using Kubernetes provider, but I cannot reproduce the error with the provided manifests. Something may still be missing to reproduce it... Would any of you provider complete manifests to reproduce the problem if that still happens?

[Skarlso]

Also, can you please include the full stacktrace so we know where it happened?

[ma-ble]

Hi @shuheiktgw and @Skarlso,

in fact, there was a little thing missing from my example above for reproduction. The secret key must be used in the template. I adapted my example above accordingly. Sorry for that.

The stack trace is the following:

{"level":"error","ts":1713876995.4361815,"msg":"Reconciler error","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","PushSecret":{"name":"my-secret","namespace":"test"},"namespace":"test","name":"my-secret","reconcileID":"92f1e0d8-02e6-4b88-bd70-822a77090eea","error":"secret key test does not exist","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:227"}
{"level":"info","ts":1713877008.3481667,"msg":"Observed a panic in reconciler: assignment to entry in nil map","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","PushSecret":{"name":"my-secret","namespace":"test"},"namespace":"test","name":"my-secret","reconcileID":"8c008926-ad40-4e7c-b706-aec4b1b3d2fb"}
panic: assignment to entry in nil map [recovered]
	panic: assignment to entry in nil map

goroutine 297 [running]:
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:116 +0x1a4
panic({0x2e9d040?, 0x3f1c3a0?})
	/opt/hostedtoolcache/go/1.21.7/x64/src/runtime/panic.go:914 +0x218
github.com/external-secrets/external-secrets/pkg/template/v2.applyToTarget(...)
	/home/runner/work/external-secrets/external-secrets/pkg/template/v2/template.go:76
github.com/external-secrets/external-secrets/pkg/template/v2.valueScopeApply(0x10?, 0xc000?, {0x37df7ea, 0x4}, 0x400035d180)
	/home/runner/work/external-secrets/external-secrets/pkg/template/v2/template.go:87 +0x124
github.com/external-secrets/external-secrets/pkg/template/v2.Execute(0x40012fb3c8?, 0x400187a6f0?, {0x37e6571?, 0x4?}, {0x37df7ea?, 0x30?}, 0x40012fb428?)
	/home/runner/work/external-secrets/external-secrets/pkg/template/v2/template.go:122 +0x64
github.com/external-secrets/external-secrets/pkg/controllers/templating.(*Parser).MergeMap(0x40012fb4a8, 0x3f6da40?, {0x37df7ea, 0x4})
	/home/runner/work/external-secrets/external-secrets/pkg/controllers/templating/parser.go:146 +0x12c
github.com/external-secrets/external-secrets/pkg/controllers/pushsecret.(*Reconciler).applyTemplate(0x4000d81f80, {0x3f6da40, 0x40018d0030}, 0x40017b2c40, 0x400035d180)
	/home/runner/work/external-secrets/external-secrets/pkg/controllers/pushsecret/pushsecret_controller_template.go:70 +0x364
github.com/external-secrets/external-secrets/pkg/controllers/pushsecret.(*Reconciler).Reconcile(0x4000d81f80, {0x3f6da40?, 0x40018d0030}, {{{0x4001889e00, 0x10}, {0x4001889df6, 0x9}}})
	/home/runner/work/external-secrets/external-secrets/pkg/controllers/pushsecret/pushsecret_controller.go:154 +0x788
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x3f72860?, {0x3f6da40?, 0x40018d0030?}, {{{0x4001889e00?, 0xb?}, {0x4001889df6?, 0x0?}}})
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:119 +0x8c
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0x40006d99a0, {0x3f6da78, 0x4001028ff0}, {0x311b840?, 0x40018ab580?})
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:316 +0x2e8
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0x40006d99a0, {0x3f6da78, 0x4001028ff0})
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:266 +0x16c
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:227 +0x74
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 in goroutine 129
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.1/pkg/internal/controller/controller.go:223 +0x43c