PushSecret fails to push PKCS#12 certs to Azure Key Vault due to binary data corruption in template engine

[prismatic-koi]

Describe the bug

When using a PushSecret to push a cert-manager generated TLS secret to Azure Key Vault as a PKCS#12 certificate, the operation fails with a parsing error. This happens because the templating engine incorrectly handles binary data returned from functions like b64dec. Specifically, it casts the raw binary bytes of the PFX bundle to a string, which corrupts the data before it's passed to the Azure provider's validation logic. The PushSecret status shows the following error:

set secret failed: could not write remote ref pfx-output-data to target secretstore azure-keyvault-push-store: value from secret is not a valid certificate: could not parse certificate value as PKCS#12, DER or PEM

To Reproduce

Steps to reproduce the behavior:

1. provide all relevant manifests

source secret is in this format

apiVersion: v1
kind: Secret
metadata:
  name: my-app-tls-secret
  namespace: networking
type: kubernetes.io/tls   
data:
  tls.crt: xxx #note, contains leaf and root certs
  tls.key: xxx

pushsecret looks like this:

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: my-app-tls-cert-push
  namespace: networking
spec:
  refreshInterval: 1h
  selector:
    secret:
      # The source secret created by cert-manager
      name: my-app-tls-secret
  secretStoreRefs:
  - name: azure-keyvault-push-store
    kind: ClusterSecretStore
  data:
  - match:
      secretKey: pfx-output-data
      remoteRef:
        # The destination certificate object in Key Vault
        remoteKey: cert/my-app-certificate
  template:
    engineVersion: v2
    data:
      pfx-output-data: |
        {{ fullPemToPkcs12 (index . "tls.crt") (index . "tls.key") | b64dec }}

2. provide the Kubernetes and ESO version

• Kubernetes version: v1.32.5
• External Secrets Operator Version: v0.18.0

Expected behavior

The PushSecret should successfully create the PKCS#12 bundle, and the Azure provider should push it to Key Vault without error.

Screenshots

n/A

Additional context

I've locally tested putting the output of fullPemToPkcs12 into getCertificateFromValue and found that to work fine.

I suspect the root cause to be in the v2 template engine in pkg/template/v2/template.go.

The valueScopeApply function processes the template. I think it is correctly executing the template and getting the raw binary bytes of the PFX bundle from the execute function, but then it casts the binary data to a string, which I think would corrupt its structure.

func valueScopeApply(tplMap, data map[string][]byte, target esapi.TemplateTarget, secret *corev1.Secret) error {
	for k, v := range tplMap {
		val, err := execute(k, string(v), data)
		if err != nil {
			return fmt.Errorf(errExecute, k, err)
		}
		applyToTarget(k, string(val), target, secret) // problem maybe here? in the string(val)
	}
	return nil
}

The corrupted data is then passed to the azure providers validation function getCertificateFromValue which fails to parse it as any valid certificate format.

[Skarlso]

Nice work on tracking this down. Interesting. I'm pretty sure we faced this once somewhere else as well, but I'm unsure.

You're right in the bug though I believe. Funny enough after that if it's not an annotation it will cast it back to []byte:

	case esapi.TemplateTargetData:
		if secret.Data == nil {
			secret.Data = make(map[string][]byte)
		}
		secret.Data[k] = []byte(val)

:D Maybe the fix is easy.

[Skarlso]

Well, as always with these things, it's a bit more involved. Since we parse to string() in a lot more places in that particular chain.... I'll have to do some digging.

[gusfcarvalho]

Related to #4850

[prismatic-koi]

Seems to still be an issue, getting an identical error:

pushsecret  set secret failed: could not write remote ref pfx-output-data to target secretstore azure-keyvault-push-store: value from secret is not a valid certificate: could not parse certificate value as PKCS#12, DER or PEM

while running the tag: main image.
Maybe there are other places that byte is being cast to string.

[Skarlso]

I'm not a 100% sure main contains the change. :D Our helm push operations are a bit wacky... Please try from source using tilt for example to make sure you are actually running the fix.

If this still persists, then there is another issue I guess.

[prismatic-koi]

I see how main might not contain the change, but I'm not really in a position to build from source and test in our cluster just now, I have no experience with tilt.

I deployed main@sha256:daa73d089d49d32c5daa6e66bada09d81a7dc0edda16d59cb1b2640f5cd8cc84 which is a direct output of https://github.com/external-secrets/external-secrets/actions/runs/16167477108/job/45632693745
and so should contain the fix. It has the same output error however.

I did a little more local testing and suspect the issue might be within the execute function, I suspect the use of text/template is what is causing us issues.

I did a little local test, one using execute and using text/template with fullPemToPkcsPass, the other just using fullPemToPkcsPass. the test that uses execute and the templating functions fails to decode the pfx.

Unfortunately, this looks like fairly bad news, since the whole implementation relies heavily on this templating. Maybe I'm way off in my analysis (likely, I'm no go programmer).

I had a look at your template_test.go and it seems like you arent yet testing this particular code path, you have tests for things that exctract data from pre-existing pfx bundles (pkcs12key, pkcs12cert) but nothing that creates a pfx bundle, testing the fullPemToPkcs12 or fullPemToPkcs12Pass. You do have tests in pkcs12_test.go for the functions directly (fullPemToPkcsPass etc), which my local testing confirmed works fine, but nothing that goes through the template functions.

[Skarlso]

Thanks for the analysis. I will have to take a deeper look at that.

[Skarlso]

Just to confirm, are you saying that the YAML that you have in the first post is still causing issues?

[Skarlso]

Could you also please provide some certificates that you generated and don't need or something? Test certificates I could use to reproduce the problem?

[Skarlso]

BTW you can use esoctl to render templates and test them faster. https://github.com/external-secrets/external-secrets/blob/main/cmd/esoctl/README.md

[prismatic-koi]

Just to confirm, are you saying that the YAML that you have in the first post is still causing issues?

Correct, that pushsecret results in the same error message
set secret failed: could not write remote ref pfx-output-data to target secretstore azure-keyvault-push-store: value from secret is not a valid certificate: could not parse certificate value as PKCS#12, DER or PEM

I'm not really in a position to provide you one of our certs just now, but they are just regular letsencrypt certificates using domain verification. Instead, I have tested and gotten the same results with the certificates in your /pkg/template/v2/_testdata folder, which should make it easier for you to test.

I created a kubernetes.io/tls using the following:
make (though I also tried with the files in main branch currently, though they are expired)
cat foo.crt intermediate-ca.crt root-ca.crt | base64
cat foo.key | base64
I realise these will be different since they are ed25519 certs and mine are RSA, but either way, the issue persists.

The resultant secret, referenced in the same pushsecret yaml above, with the same template, using the same external-secrets image as before (main@sha256:daa73d089d49d32c5daa6e66bada09d81a7dc0edda16d59cb1b2640f5cd8cc84) results in the same error.

set secret failed: could not write remote ref pfx-output -data to target secretstore azure-keyvault-push-store: value from secret is not a valid certificate: could no t parse certificate value as PKCS#12, DER or PEM