Object patches failing when Secret redaction is enabled #216

Open
dariozachow opened this issue Mar 18, 2024 · 0 comments
Labels
bug Something isn't working

Comments


dariozachow commented Mar 18, 2024

What happened?

I've tried to redact all Secret data in the objects by using the '--sanitize-secrets' flag for the provider. But now my Object errors when trying to access the status.atProvider.manifest.data[ca.crt] field.

How can we reproduce it?

I have 2 Objects. One creates a ServiceAccount token Secret in another cluster and looks like this:

```yaml
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: my-object
  annotations:
    crossplane.io/composition-resource-name: secret-sa-token
    crossplane.io/external-create-pending: '2024-03-15T12:24:58Z'
    crossplane.io/external-create-succeeded: '2024-03-15T12:24:58Z'
    crossplane.io/external-name: my-object
status:
  atProvider:
    manifest:
      apiVersion: v1
      data:
        redacted: null
      kind: Secret
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: >-
            {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{"kubernetes.io/service-account.name":"secret-store-sa"},"name":"sa-secret","namespace":"my-namespace"},"type":"kubernetes.io/service-account-token"}
          kubernetes.io/service-account.name: secret-store-sa
          kubernetes.io/service-account.uid: f6e32098-8547-4989-b0df-459379441c78
        creationTimestamp: '2024-03-15T12:24:58Z'
        name: sa-secret
        namespace: my-namespace
      type: kubernetes.io/service-account-token
spec:
  deletionPolicy: Delete
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        annotations:
          kubernetes.io/service-account.name: secret-store-sa
        name: sa-secret
        namespace: my-namespace
      type: kubernetes.io/service-account-token
  managementPolicies:
    - '*'
  providerConfigRef:
    name: kubernetes-extern
```

This Object works fine with and without the given flag.
The problem comes up with the second Object, which looks like the following:

```yaml
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
   name: my-object-2
status:
  atProvider: {}
  conditions:
    - lastTransitionTime: '2024-03-18T07:21:05Z'
      message: >-
        observe failed: cannot resolve resource references: cannot patch from
        referenced resource: status.atProvider.manifest.data[ca.crt]: no such
        field
      reason: ReconcileError
      status: 'False'
      type: Synced
spec:
  deletionPolicy: Delete
  forProvider:
    manifest:
      apiVersion: external-secrets.io/v1beta1
      kind: SecretStore
      metadata:
        name: my-store
        namespace: my-namespace
      spec:
        provider:
          kubernetes:
            auth:
              token:
                bearerToken:
                  key: token
                  name: sa-token-sync
            remoteNamespace: my-namespace
            server:
              url: ""
  managementPolicies:
    - '*'
  providerConfigRef:
    name: kubernetes-in-cluster
  readiness:
    policy: SuccessfulCreate
  references:
    - patchesFrom:
        apiVersion: kubernetes.crossplane.io/v1alpha1
        fieldPath: status.atProvider.manifest.data["ca.crt"]
        kind: Object
        name: my-object-2
      toFieldPath: spec.provider.kubernetes.server.caBundle
```

The Object displays an error in its status: the field that is redacted by the provider cannot be patched from.
Without the sanitize-secrets flag the ca.crt would be in the status field and patching would be successful.
But now, with the redacted field, no patching is possible and I cannot access the ca.crt field.

What environment did it happen in?

Crossplane version: 1.14.4
provider-kubernetes: 0.12.1
Kubernetes version:
Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.1-eks-508b6b3

Kubernetes distribution: EKS
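As an added illustration of the failure described above (this is example code written for this page, not code from the issue or from provider-kubernetes), the following Go program reimplements the reference-resolution step in miniature: a small fieldPath parser plus a walk over a decoded manifest. The parser is a simplified stand-in for crossplane-runtime's fieldpath package, not that package's code; the manifest and the Secret values are constructed placeholders. Running it shows that `status.atProvider.manifest.data["ca.crt"]` resolves against the unredacted status, and that once the provider replaces `data` with `{redacted: null}` the same lookup fails with the `status.atProvider.manifest.data[ca.crt]: no such field` message seen in the second Object's Synced condition.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoSuchField mirrors the "no such field" failure in the issue's Synced condition.
var ErrNoSuchField = errors.New("no such field")

// ParseFieldPath splits a path such as status.atProvider.manifest.data["ca.crt"] into
// segments: dots separate keys, [...] holds a key that may itself contain dots (quoted or
// unquoted, the issue uses both). Simplified stand-in for crossplane-runtime's fieldpath
// parser, written only for this example; list indexes are not handled.
func ParseFieldPath(path string) ([]string, error) {
	var segs []string
	var cur strings.Builder
	flush := func() {
		if cur.Len() > 0 {
			segs = append(segs, cur.String())
			cur.Reset()
		}
	}
	for i := 0; i < len(path); {
		switch path[i] {
		case '.':
			flush()
			i++
		case '[':
			flush()
			end := strings.IndexByte(path[i:], ']') // offset of ']' relative to i
			if end < 0 {
				return nil, fmt.Errorf("unterminated '[' at offset %d", i)
			}
			segs = append(segs, strings.Trim(path[i+1:i+end], `"'`))
			i += end + 1
		default:
			cur.WriteByte(path[i])
			i++
		}
	}
	flush()
	if len(segs) == 0 {
		return nil, errors.New("empty field path")
	}
	return segs, nil
}

// renderPath prints segments the way the issue's error message does: dotted keys, with
// any key containing a dot put back into brackets.
func renderPath(segs []string) string {
	out := segs[0]
	for _, s := range segs[1:] {
		if strings.Contains(s, ".") {
			out += "[" + s + "]"
			continue
		}
		out += "." + s
	}
	return out
}

// GetValue walks a decoded YAML/JSON object (nested map[string]interface{}) along
// path and returns the leaf, or ErrNoSuchField naming the first missing key.
func GetValue(obj interface{}, path string) (interface{}, error) {
	segs, err := ParseFieldPath(path)
	if err != nil {
		return nil, err
	}
	cur := obj
	for depth, s := range segs {
		node, isMap := cur.(map[string]interface{})
		v, ok := node[s] // indexing a nil map is safe and yields ok=false
		if !isMap || !ok {
			return nil, fmt.Errorf("%s: %w", renderPath(segs[:depth+1]), ErrNoSuchField)
		}
		cur = v
	}
	return cur, nil
}

const CAPath = `status.atProvider.manifest.data["ca.crt"]` // patchesFrom fieldPath from the issue

// observedManifest is a constructed stand-in for the first Object's status; with
// redacted=true the Secret's data is replaced by {redacted: null}, as the issue shows.
func observedManifest(redacted bool) map[string]interface{} {
	data := map[string]interface{}{"ca.crt": "CONSTRUCTED-CA", "token": "CONSTRUCTED-TOKEN"}
	if redacted {
		data = map[string]interface{}{"redacted": nil}
	}
	manifest := map[string]interface{}{"apiVersion": "v1", "kind": "Secret", "data": data}
	return map[string]interface{}{"status": map[string]interface{}{
		"atProvider": map[string]interface{}{"manifest": manifest}}}
}

func main() {
	for _, r := range []bool{false, true} {
		v, err := GetValue(observedManifest(r), CAPath)
		fmt.Println("sanitize-secrets:", r, "value:", v, "err:", err)
	}
}
```

The point the walk makes explicit is that redaction does not blank the value of `ca.crt`; it replaces the whole `data` map, so every key under it, including the non-sensitive CA bundle, becomes unresolvable for a `patchesFrom` reference.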

@dariozachow dariozachow added the bug Something isn't working label Mar 18, 2024