ACK SecretsManager panics when adopting Secret #2543
Description
Describe the bug
When adopting an existing secret with annotation adopt-or-create, the SecretsManager controller fails and panics.
Steps to reproduce
-
aws secretsmanager create-secret --name adopt-test1 -
Create this resource
apiVersion: secretsmanager.services.k8s.aws/v1alpha1
kind: Secret
metadata:
name: "adopt-test"
namespace: "default"
annotations:
services.k8s.aws/adoption-policy: adopt-or-create
services.k8s.aws/adoption-fields: |
{
"name": "adopt-test1",
"id": $ARN
}
spec:
name: "adopt-test1"
tags:
- key: Team
value: foo-team
- Error on Secret resource when it tried to create it
Conditions:
Message: ResourceExistsException: The operation failed because the secret adopt-test1 already exists.
Status: True
Type: ACK.Recoverable
logs:
{"level":"error","ts":"2025-06-27T01:02:26.448Z","msg":"Observed a panic","controller":"secret","controllerGroup":"secretsmanager.services.k8s.aws","controllerKind":"Secret","Secret":{"name":"adopt-test1","namespace":"default"},"namespace":"default","name":"adopt-test1","reconcileID":"7239d167-64af-4f2a-961f-f195a0cb0498","panic":"runtime error: invalid memory address or nil pointer dereference","panicGoValue":"\"invalid memory address or nil pointer dereference\"","stacktrace":"goroutine 264 [running]:\nk8s.io/apimachinery/pkg/util/runtime.logPanic({0x26eaa98, 0xc000c8e8d0}, {0x1f6ea40, 0x394b330})\n\t/go/pkg/mod/k8s.io/apimachinery@v0.32.1/pkg/util/runtime/runtime.go:107 +0xbc\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile.func1()\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:108 +0x112\npanic({0x1f6ea40?, 0x394b330?})\n\t/usr/local/go/src/runtime/panic.go:792 +0x132\ngithub.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret.(*resourceManager).syncTags(0xc000ad2520?, {0x26eaa98?, 0xc000c8fef0?}, 0x22c62bb?, 0xc0004f1180?)\n\t/github.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret/hooks.go:32 +0x3a\ngithub.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret.(*resourceManager).sdkUpdate(0xc000ab0008, {0x26eaa98, 0xc000c8fef0}, 0xc000012b20, 0xc0008a4140, 0xc000c00b88)\n\t/github.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret/sdk.go:341 +0x1b2\ngithub.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret.(*resourceManager).Update(0xc000ab0008, {0x26eaa98?, 0xc000c8fef0?}, {0x26f8cb0?, 0xc000012b20?}, {0x26f8cb0?, 0xc0008a4140}, 0xc000c8fe90?)\n\t/github.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret/manager.go:157 +0x77\ngithub.com/aws-controllers-k8s/runtime/pkg/runtime.(*resourceReconciler).updateResource(0xc0001c5c00, {0x26eaa98, 0xc000c8fef0}, {0x26f8c40, 0xc000ab0008}, {0x26f8cb0, 0xc000012b20}, {0x26f8cb0, 0xc0008a4140})\n\t/go/pkg/mod/github.com/aws-controllers-k8s/runtime@v0.48.0/pkg/runtime/reconciler.go:757 +0x3bc\ngithub.com/aws-controllers-k8s/runtime/pkg/runtime.(*resourceReconciler).Sync(0xc0001c5c00, {0x26eaa98, 0xc000c8fef0}, {0x26f8c40, 0xc000ab0008}, {0x26f8cb0, 0xc000012a78})\n\t/go/pkg/mod/github.com/aws-controllers-k8s/runtime@v0.48.0/pkg/runtime/reconciler.go:500 +0xf53\ngithub.com/aws-controllers-k8s/runtime/pkg/runtime.(*resourceReconciler).reconcile(0xc0001c5c00, {0x26eaa98, 0xc000c8fef0}, {0x26f8c40, 0xc000ab0008}, {0x26f8cb0, 0xc000012a78})\n\t/go/pkg/mod/github.com/aws-controllers-k8s/runtime@v0.48.0/pkg/runtime/reconciler.go:381 +0x265\ngithub.com/aws-controllers-k8s/runtime/pkg/runtime.(*resourceReconciler).Reconcile(0xc0001c5c00, {0x26eaa98, 0xc000c8e8d0}, {{{0xc000b0a100?, 0x22c0bcf?}, {0xc000b0a0f0?, 0x100?}}})\n\t/go/pkg/mod/github.com/aws-controllers-k8s/runtime@v0.48.0/pkg/runtime/reconciler.go:288 +0xa25\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile(0xc000c8e840?, {0x26eaa98?, 0xc000c8e8d0?}, {{{0xc000b0a100?, 0x0?}, {0xc000b0a0f0?, 0x0?}}})\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:119 +0xbf\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler(0x27106e0, {0x26eaad0, 0xc0006952c0}, {{{0xc000b0a100, 0x7}, {0xc000b0a0f0, 0xb}}}, 0x0)\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:334 +0x3ad\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem(0x27106e0, {0x26eaad0, 0xc0006952c0})\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294 +0x21b\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2()\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255 +0x85\ncreated by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2 in goroutine 162\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:251 +0x6b5\n","stacktrace":"runtime.sigpanic\n\t/usr/local/go/src/runtime/signal_unix.go:925\ngithub.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret.(*resourceManager).syncTags\n\t/github.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret/hooks.go:32\ngithub.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret.(*resourceManager).sdkUpdate\n\t/github.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret/sdk.go:341\ngithub.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret.(*resourceManager).Update\n\t/github.com/aws-controllers-k8s/secretsmanager-controller/pkg/resource/secret/manager.go:157\ngithub.com/aws-controllers-k8s/runtime/pkg/runtime.(*resourceReconciler).updateResource\n\t/go/pkg/mod/github.com/aws-controllers-k8s/runtime@v0.48.0/pkg/runtime/reconciler.go:757\ngithub.com/aws-controllers-k8s/runtime/pkg/runtime.(*resourceReconciler).Sync\n\t/go/pkg/mod/github.com/aws-controllers-k8s/runtime@v0.48.0/pkg/runtime/reconciler.go:500\ngithub.com/aws-controllers-k8s/runtime/pkg/runtime.(*resourceReconciler).reconcile\n\t/go/pkg/mod/github.com/aws-controllers-k8s/runtime@v0.48.0/pkg/runtime/reconciler.go:381\ngithub.com/aws-controllers-k8s/runtime/pkg/runtime.(*resourceReconciler).Reconcile\n\t/go/pkg/mod/github.com/aws-controllers-k8s/runtime@v0.48.0/pkg/runtime/reconciler.go:288\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:334\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
Expected outcome
I expected the existing secret to be adopted.
It appears this bug was introduced with a recent commit aws-controllers-k8s/secretsmanager-controller@9f46424 , possibly this line aws-controllers-k8s/secretsmanager-controller@9f46424#diff-8969c15c1e18410729b539cb28875508279d4c45cb21a440a4949d78db2d37a1R32 .
I was previously successfully adopting resources in v1.0.7.
Environment
- kind v1.32.2
- SecretsManager controller version v1.0.11