sops
Error- Failed to get the data key required to decrypt the SOPS file.
Hi Team, I am running a helm chart in a container and passing the configuration below for .sops.yaml. Also, I am using age for encryption and decryption. Now when I run the helm command below in the CI/CD pipeline I get an error, but when I run the same command on my local Linux box it works fine. Can someone please help me fix this issue?
Command:-
"KUBECONFIG=\$KUBECONFIG helm secrets upgrade --install ${SERVICE_NAME} xperi-helm-repository/${SERVICE_NAME} \
-f secrets/\${NAMESPACE}/${SERVICE_NAME}/secrets.yaml \
-f secrets/\${NAMESPACE}/ml-common/regcred2.yaml \
-f environments/\${NAMESPACE}/${SERVICE_NAME}/values.yaml \
--version="${HELM_CHART_VERSION}" --set image.tag="${DOCKER_TAG}" -n ${NAMESPACE} --debug --dry-run --wait --timeout 20m0s"
Error :-
18:05:04 load_plugins.go:111: [info] File (/tmp/.local/share/helm/plugins/helm-diff/completion.yaml) not provided by plugin. No plugin auto-completion possible.
18:05:04 Failed to get the data key required to decrypt the SOPS file.
18:05:04
18:05:04 Group 0: FAILED
18:05:04 age1wv2tmu3szxlrn5gxr7yxx3c39spn9q30acdys5t2wpxsqzmd0yjs67XXXX: FAILED
18:05:04 - | no age identity found in "/tmp/.config/sops/age/keys.txt"
18:05:04 | that could decrypt the data
18:05:04
18:05:04 Recovery failed because no master key was able to decrypt the file. In
18:05:04 order for SOPS to recover the file, at least one key has to be successful,
18:05:04 but none were.
18:05:04 [helm-secrets] Error while decrypting file: secrets/ml-datapipeline-dev/ml-search/secrets.yaml
18:05:04 Error: plugin "secrets" exited with error
18:05:04 helm.go:88: [debug] plugin "secrets" exited with error
creation_rules:
  - path_regex: .*
    encrypted_regex: ^(data|stringData)$
    age: "age1wv2tmu3szxlrn5gxr7yxx3c39spn9q30acdys5t2wpxsqzmd0yjsfdghgsd"
Code structure:-
environment
  |--> all_code_files
secrets
  |--> environment
         | -- > secrets.yaml
Jenkinsfile
  |--> Jenkinsfile
Dockerfile
  |--> Dockerfile
.sops.yaml
I have the same issue, and I fixed it by adding the key on the missing path. But I think there is an official way to fix this.
Only the public key (age1wv2tmu3szxlrn5gxr7yxx3c39spn9q30acdys5t2wpxsqzmd0yjsfdghgsd in your case) is added to the .sops.yaml, as .sops.yaml is meant to be committed to git and committing the private key would negate the use of sops. For you to be able to decrypt it, you'll have to have keys.txt on your server and the environment variable SOPS_AGE_KEY_FILE pointing to it, or pass it in as the environment variable SOPS_AGE_KEY.
> I have the same issue, and I fixed it by adding the key on the missing path. But I think there is an official way to fix this.
Can you elaborate, what is the missing path?
Thank you @mthbrown
It seems like the env vars SOPS_AGE_KEY_FILE and SOPS_AGE_KEY are not well documented in SOPS, they did however fix the issue here.
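An added example, not part of the thread or of SOPS: a preflight check a CI job could run before `helm secrets`, reporting whether a private identity for the `age:` recipient in .sops.yaml is reachable through SOPS_AGE_KEY, SOPS_AGE_KEY_FILE or the default keys.txt path seen in the error. The function names are hypothetical, the default path assumes the Linux XDG layout, and the match relies on `age-keygen -y` when installed or on the `# public key:` comment that age-keygen writes into keys.txt.

```shell
#!/bin/sh
# Added example (not from the thread): run inside the CI container before
# `helm secrets` so a missing age identity fails early with a clear message.

# Key file path: SOPS_AGE_KEY_FILE if set, otherwise the default location
# (assumed Linux XDG layout; with HOME=/tmp this is the path in the log).
age_key_file() {
    echo "${SOPS_AGE_KEY_FILE:-${XDG_CONFIG_HOME:-$HOME/.config}/sops/age/keys.txt}"
}

# Print every public key for which a private identity is available, taken
# from SOPS_AGE_KEY and from the key file. Never prints the private key.
available_recipients() {
    f=$(age_key_file)
    if [ -n "${SOPS_AGE_KEY:-}" ]; then
        printf '%s\n' "$SOPS_AGE_KEY" | sed -n 's/^# public key: //p'
        if command -v age-keygen >/dev/null 2>&1; then
            printf '%s\n' "$SOPS_AGE_KEY" | age-keygen -y 2>/dev/null || true
        fi
    fi
    if [ -r "$f" ]; then
        sed -n 's/^# public key: //p' "$f"
        if command -v age-keygen >/dev/null 2>&1; then
            age-keygen -y "$f" 2>/dev/null || true
        fi
    fi
    return 0
}

# preflight RECIPIENT: status 0 only if an identity matching RECIPIENT
# (the age: value from .sops.yaml) is available to this process.
preflight() {
    if available_recipients | grep -qFx "$1"; then
        echo "ok: identity for $1 is available"
    else
        echo "missing: no identity for $1" >&2
        echo "checked SOPS_AGE_KEY and $(age_key_file)" >&2
        return 1
    fi
}
```

In the pipeline, the private key would come from the CI secret store at run time, never from the image or the repository, with `preflight` called on the recipient from .sops.yaml before the helm command.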