Add nil/null checks to image registry secret decode

The MCO pod can sometimes panic early on, seemingly with an empty docker
config json. Not sure if it's the json null literal, or if the decode
removed unknown fields to end up empty, so adding a check for both.

Author: yuqi-zhang

pkg/secrets/secrets.go

@@ -186,17 +186,28 @@ func newImageRegistrySecretFromDockerConfigBytes(in []byte) (ImageRegistrySecret
 		return nil, fmt.Errorf("empty dockerconfig bytes")
 	}
 
+	// Check if the input is just the JSON null literal
+	if bytes.TrimSpace(in) != nil && string(bytes.TrimSpace(in)) == "null" {
+		return nil, fmt.Errorf("dockerconfig bytes contain JSON null")
+	}
+
 	errs := []error{}
 
 	cfg, err := decodeDockerConfigJSONBytes(in)
 	if err == nil {
+		if cfg == nil {
+			return nil, fmt.Errorf("decoded DockerConfigJSONBytes is nil")
+		}
 		return &imageRegistrySecretImpl{cfg: *cfg, isLegacyStyle: false}, nil
 	}
 
 	errs = append(errs, err)
 
 	auths, err := decodeDockercfgBytes(in)
 	if err == nil {
+		if auths == nil {
+			return nil, fmt.Errorf("decoded DockercfgBytes is nil")
+		}
 		return &imageRegistrySecretImpl{cfg: DockerConfigJSON{Auths: *auths}, isLegacyStyle: true}, nil
 	}