helm values file is unable to recognize the secret file which is encrypted using sops #457

Open
priyas16 opened this issue Jun 19, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@priyas16

Current Behavior

We are trying to deploy our changes using helm in Argo CD. Our Application file has a reference to both the values.yaml and the secret which is encrypted using sops, like below. But it's not getting deployed, saying the fields referenced through the encrypted file are not set.

helm:
  valueFiles:
  - values.yaml
  - secrets+age-import:///helm-secrets-private-keys/key.txt?accessToken.enc.yaml

We have verified manually that the encryption is working properly by decrypting the values, and were able to deploy the helm chart manually with the same secret fields. Also, in order to debug, we tried passing one of the field values directly inside the values.yaml, and that error is not seen now. We would require your help to resolve this issue. Thanks!

Expected Behavior

We are trying to deploy our changes using helm in Argo CD. Our Application file has reference to both the values.yaml and the secret which is encrypted using sops like below.

helm:
  valueFiles:
  - values.yaml
  - secrets+age-import:///helm-secrets-private-keys/key.txt?accessToken.enc.yaml

We are expecting the values.yaml file to recognise the accessToken.enc.yaml and deploy the changes.

Steps To Reproduce

No response

Environment

  • Helm Version: 3.14.0
  • Helm Secrets Version: 4.4.2
  • ArgoCD Version : V2.10.3
  • OS: RHEL 8.9
  • Shell: 4.4

Anything else?

No response

@priyas16 priyas16 added the bug Something isn't working label Jun 19, 2024
@jkroepke
Owner

tbh. it's not easy to debug from my side, but I feel one thing a bit strange:

> But it's not getting deployed, saying the fields referenced through the encrypted file are not set.

An age encrypted file looks like this:

global_secret: ENC[AES256_GCM,data:8J9WPHdNUszCZQ==,iv:4/cZkfTgRrIZ29wybSHbe+6v0Xi5rsvqCcezesYfFEs=,tag:xrGJHNZVKxCuqTjXsU+Yow==,type:str]
key: ENC[AES256_GCM,data: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,iv:Iwz2S9gpSerlXEIu4hmby0+anIWA63JI8EBxrfA+DVM=,tag:PlYpI2qZ7t+TX8QPELNbVw==,type:str]
service:
  port: ENC[AES256_GCM,data:RPI=,iv:Hwx1wfPCuwXVn6kI2QX2oA5aN0uPdmIQh01hMxZI0bI=,tag:82MzqSJ4hPR9JEa8o5e5EA==,type:int]

Even if the files are not decrypted by helm, the keys should still be present; only the values should be encrypted. Could you confirm that this:

helm:
  valueFiles:
  - values.yaml
  - accessToken.enc.yaml

does not return any errors?

@priyas16
Author

> tbh. it's not easy to debug from my side, but I feel one thing a bit strange:
>
> > But it's not getting deployed, saying the fields referenced through the encrypted file are not set.
>
> An age encrypted file looks like this:
>
> global_secret: ENC[AES256_GCM,data:8J9WPHdNUszCZQ==,iv:4/cZkfTgRrIZ29wybSHbe+6v0Xi5rsvqCcezesYfFEs=,tag:xrGJHNZVKxCuqTjXsU+Yow==,type:str]
> key: ENC[AES256_GCM,data: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,iv:Iwz2S9gpSerlXEIu4hmby0+anIWA63JI8EBxrfA+DVM=,tag:PlYpI2qZ7t+TX8QPELNbVw==,type:str]
> service:
>   port: ENC[AES256_GCM,data:RPI=,iv:Hwx1wfPCuwXVn6kI2QX2oA5aN0uPdmIQh01hMxZI0bI=,tag:82MzqSJ4hPR9JEa8o5e5EA==,type:int]
>
> Even if the files are not decrypted by helm, the keys should still be present; only the values should be encrypted. Could you confirm that this:
>
> helm:
>   valueFiles:
>   - values.yaml
>   - accessToken.enc.yaml
>
> does not return any errors?

Hi jkroepke,

Yes, we are seeing the error. Have attached it for your reference.
image

@jkroepke
Owner

If

helm:
  valueFiles:
  - values.yaml
  - accessToken.enc.yaml

returns the same error, then the keys in accessToken.enc.yaml are wrong. The file should contain splunkObservability.realm or splunkPlatform.endpoint.
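The key check suggested above can be run without the age private key, because sops leaves key names in clear text and encrypts only the values. The following is an added example, not code from helm-secrets or from this thread; the sample file, its dummy ciphertext and the `clusterName` key are constructed, and the small parser assumes nested mappings with scalar values only.

```python
import re

# Shape of a sops-encrypted scalar as shown in the thread.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:.*,iv:.*,tag:.*,type:\w+\]$")

# Constructed sample (dummy ciphertext): 'realm' sits at the top level instead
# of under splunkObservability, and 'clusterName' was left unencrypted.
SAMPLE = """\
splunkPlatform:
  endpoint: ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]
realm: ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]
clusterName: demo
sops:
  version: 3.8.1
"""


def leaf_paths(text):
    """Return {dotted.key.path: raw scalar} for a mappings-only YAML file."""
    stack, leaves = [], {}  # stack holds (indent, key) of the open mappings
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # Close every mapping that is not a parent of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            leaves[path] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return leaves


def audit(text, required):
    """Report required key paths that are absent and values stored in clear."""
    leaves = {p: v for p, v in leaf_paths(text).items()
              if not p.startswith("sops.")}  # sops metadata is never encrypted
    return {
        "missing": sorted(set(required) - set(leaves)),
        "plaintext": sorted(p for p, v in leaves.items() if not ENC_RE.match(v)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE, ["splunkObservability.realm", "splunkPlatform.endpoint"]))
```

A non-empty `missing` list means the chart will report the value as unset even when decryption succeeds; a non-empty `plaintext` list means a value was committed unencrypted.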

@priyas16
Author

Hi jkroepke,

Thanks for your response. Please find below the different error messages for 2 scenarios of passing the encrypted file.

Scenario1:

helm:
  valueFiles:
  - values.yaml
  - secrets+age-import:///helm-secrets-private-keys/key.txt?accessToken.enc.yaml

Error:
image

Scenario2:

helm:
  valueFiles:
  - values.yaml
  - accessToken.enc.yaml

Error:
image

But the keys are correct; we did verify by decrypting them.

Could you please check and let us know your thoughts. Thanks!

@jkroepke
Owner

Could it be possible that you miss an additional value property which is required in addition?

Since we can see a difference between encrypted and non-encrypted, I expected that encryption works as expected.
