helm values file is unable to recognize the secret file which is encrypted using sops #457
Comments
tbh. it's not easy to debug from my side, but I feel one thing a bit strange:
An age encrypted file looks like this: helm-secrets/tests/assets/values/sops/secrets.age.yaml Lines 1 to 4 in e473cb3
Even if the files are not decrypted by helm, the keys should still be present; only the values should be encrypted. Could you confirm that this:
does not return any errors? |
Hi jkroepke, Yes, we are seeing the error. Have attached it for your reference. |
If
returns the same error, then the keys |
Hi jkroepke, Thanks for your response. Please find below the different error message for 2 scenarios of passing the encrypted file. Scenario1: helm:
Scenario2: helm:
But the keys are correct; we verified this by decrypting them. Could you please check and let us know your thoughts? Thanks! |
Could it be possible that you are missing an additional value property that is also required? Since we can see a difference between encrypted and non-encrypted, I expected that encryption works as expected. |
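The check suggested in the comments above (in a sops file the keys stay readable and only the values are encrypted, and every value the chart requires must be present at the expected path), as an added example that is not part of the thread or of helm-secrets. The sample file, its key names and the `required` list are constructed; the parser assumes nested mappings with scalar leaves.

```python
import re

ENC = re.compile(r"^ENC\[AES256_GCM,data:.*,type:\w+\]$")  # sops value envelope

# Constructed sample of a sops/age-encrypted values file (ciphertext is fake).
SAMPLE = """\
realm: ENC[AES256_GCM,data:q1w2,iv:AAAA,tag:BBBB,type:str]
auth:
    accessToken: ENC[AES256_GCM,data:e3r4,iv:CCCC,tag:DDDD,type:str]
    endpoint: https://example.invalid
sops:
    age:
        - recipient: age1constructedexamplerecipient
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            Y29uc3RydWN0ZWQ=
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:zzzz,iv:EEEE,tag:FFFF,type:str]
"""

def leaf_paths(text):
    """Return ({dotted.path: is_encrypted}, has_sops_metadata). Assumes nested
    mappings with scalar leaves only outside the `sops` section."""
    stack, leaves, has_meta = [], {}, False  # stack holds (indent, key)
    for line in text.splitlines():
        m = re.match(r"^( *)([^\s#:-][^:]*):(?: +(.*))?$", line)
        if not m:
            continue  # blank line, comment, list item or block-scalar body
        indent, key, value = len(m.group(1)), m.group(2), (m.group(3) or "").strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        if stack[0][1] == "sops":
            has_meta = True  # sops' own metadata, not a chart value
        elif value:
            leaves[".".join(k for _, k in stack)] = bool(ENC.match(value))
    return leaves, has_meta

def audit(text, required):
    """Report required value paths that are absent and leaves left in plaintext."""
    leaves, has_meta = leaf_paths(text)
    return {"sops_metadata": has_meta,
            "missing": sorted(set(required) - set(leaves)),
            "plaintext": sorted(k for k, enc in leaves.items() if not enc)}

if __name__ == "__main__":
    # Hypothetical required paths; use the ones your chart's templates read.
    print(audit(SAMPLE, ["realm", "accessToken"]))
```

In the constructed sample `accessToken` is reported missing because the file supplies it as `auth.accessToken`, which is the kind of path mismatch that leaves a required chart value unset even though decryption succeeds.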
@jkroepke Even I'm facing the same issue.
Getting error values.sops.yaml file not found.
If I remove values.sops.yaml, then it works fine. |
@jkroepke Even we have the same problem. Pasting my configuration below. Please help.
argocd helm chart file:
```yaml
repoServer:
  env:
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#option-2-init-container
    - name: HELM_PLUGINS
      value: /custom-tools/helm-plugins/
    - name: HELM_SECRETS_SOPS_PATH
      value: /custom-tools/sops
    - name: HELM_SECRETS_KUBECTL_PATH
      value: /custom-tools/kubectl
  volumeMounts:
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#option-2-init-container
    - mountPath: /custom-tools
      name: custom-tools
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#method-1-mount-the-private-key-from-a-kubernetes-secret-as-volume
    - mountPath: /helm-secrets-private-keys/
      name: helm-secrets-private-keys
  # -- Additional volumes to the repo server pod
  volumes:
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#option-2-init-container
    - name: custom-tools
      emptyDir: {}
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#method-1-mount-the-private-key-from-a-kubernetes-secret-as-volume
    - name: helm-secrets-private-keys
      secret:
        secretName: helm-secrets-private-keys
  initContainers:
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#option-2-init-container
    - name: download-tools
      image: alpine:latest
      command: [sh, -ec]
      env:
        - name: HELM_SECRETS_VERSION
          value: "4.6.0"
        - name: KUBECTL_VERSION
          value: "1.30.1"
        - name: VALS_VERSION
          value: "0.37.1"
        - name: SOPS_VERSION
          value: "3.8.1"
      args:
        - |
          mkdir -p /custom-tools/helm-plugins
          wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
          wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64
          wget -qO /custom-tools/sops https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64
          wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
          wget -qO- https://github.com/helmfile/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals;
          cp /custom-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /custom-tools/helm
          chmod +x /custom-tools/*
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
```
argo yaml file
argocd configmap:
```yaml
apiVersion: v1
data:
  admin.enabled: "true"
  application.instanceLabelKey: argocd.argoproj.io/instance
  exec.enabled: "false"
  helm.valuesFileSchemes: secrets+gpg-import, secrets+gpg-import-kubernetes, secrets+age-import,
    secrets+age-import-kubernetes, secrets,secrets+literal, https
  server.rbac.log.enforce.enable: "false"
  statusbadge.enabled: "false"
  timeout.hard.reconciliation: 0s
  timeout.reconciliation: 180s
  url: https://argocd.example.com
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argocd
    meta.helm.sh/release-namespace: argocd
  creationTimestamp: "2024-07-05T14:30:12Z"
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.11.3
    helm.sh/chart: argo-cd-7.1.3
  name: argocd-cm
  namespace: argocd
  resourceVersion: "3889857"
  uid: ce560fb5-5800-4ca3-bde0-78293095eea7
```
error: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = |
Last time I used ArgoCD, it does not extract the helm tar.gz package that contains the secrets.yaml. helm-secrets just looks on the file system and may not find the file on the filesystem. |
Sounds like age does not find a valid decryption key in /helm-secrets-private-keys/key.txt but the error is not the same. |
Hi @jkroepke, Only these two parameters (realm and accessToken) are required and they are working fine when we deploy the values.yaml manually. The issue occurs while using ArgoCD with the encrypted file reference. Thanks! |
Current Behavior
We are trying to deploy our changes using helm in Argo CD. Our Application file has a reference to both the values.yaml and the secret which is encrypted using sops, like below. But it's not getting deployed, saying the fields referenced through the encrypted file are not set.
```yaml
helm:
  valueFiles:
    - values.yaml
    - secrets+age-import:///helm-secrets-private-keys/key.txt?accessToken.enc.yaml
```
Have verified manually that the encryption is working properly by decrypting the values and was able to deploy the helm manually with the same secret fields. Also in order to debug tried passing one of the field value directly inside the values.yaml and that error is not seen now. We would require your help to resolve this issue. Thanks!
Expected Behavior
We are trying to deploy our changes using helm in Argo CD. Our Application file has a reference to both the values.yaml and the secret which is encrypted using sops, like below.
```yaml
helm:
  valueFiles:
    - values.yaml
    - secrets+age-import:///helm-secrets-private-keys/key.txt?accessToken.enc.yaml
```
We are expecting the values.yaml file to recognise the accessToken.enc.yaml and deploy the changes.
Steps To Reproduce
No response
Environment
Anything else?
No response