
Secrets: Dependency problem when creating a RSA key pair in Kapitan inventory

Open siku4 opened this issue 3 years ago • 2 comments

Describe the bug/feature

We try to generate the RSA pub key via Kapitan (||reveal:path/to/encrypted_private_key|publickey) from a private key that should also be created by Kapitan (||rsa) in the same run.

It is not possible to make Kapitan generate both keys in a single kapitan compile run: it seems that Kapitan always tries to create the pub key first (independent of the order in the inventory or of the components that access the parameter). This behavior leads to the error that the |publickey function cannot find the referenced private key.

To Reproduce

  1. In the inventory add:

```yaml
node:
  node_privkey: "?{awskms:${target}/aws/node_ssh_privkey||rsa:4096}"
  node_pubkey: "?{awskms:${target}/aws/node_ssh_pubkey||reveal:${target}/aws/node_ssh_privkey|publickey}"
```

  2. In a component add:

```yaml
ssh_keys:
  private_key: {{ inventory.parameters.node.node_privkey }}
  public_key: {{ inventory.parameters.node.node_pubkey }}
```

  3. Run kapitan compile --target target1

Everything works fine if you set node_pubkey to a random string (remove the function call), run kapitan compile --target target1 so that privkey is generated, then add the function call to node_pubkey again and run kapitan compile --target target1 once again.

Expected behavior

Kapitan resolves the dependencies automatically, or there is some way to influence the order of the function calls so that the private key can be created first.

If it's a bug (please complete the following information):

  • python --version: Python 3.8.8
  • pip3 --version: pip 21.0.1 from /usr/local/lib/python3.8/site-packages/pip (python 3.8)
  • Are you using pyenv or virtualenv? -

Additional context

Thank you!

siku4, Jul 07 '21 07:07
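The ordering problem described in the report, as an added example that is not part of the issue and not Kapitan's own code: a small Python model of ref resolution that parses refs of the form shown above, extracts each `reveal:<path>` dependency, and topologically sorts the refs so that the private key is generated before the public key is derived from it, whatever order the inventory declares them in. It assumes the `cryptography` library for RSA generation, substitutes `${target}` with the literal `target1`, keeps revealed values in a plain in-memory dict rather than an encrypted backend, and uses 2048-bit keys only to keep the run short. `resolve_in_declared_order` resolves refs as they appear and reproduces the failure the report describes when the public key is listed first.

```python
import re

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# Shape of a Kapitan secret ref: ?{<backend>:<path>||<generator>|<filter>|...}
REF_RE = re.compile(r"\?\{(?P<backend>\w+):(?P<path>[^|}]+)\|\|(?P<pipeline>[^}]+)\}")

# Constructed inventory mirroring the report, ${target} already substituted.
# The public key is deliberately declared first to exercise the ordering problem.
INVENTORY = {
    "node_pubkey": "?{awskms:target1/aws/node_ssh_pubkey||reveal:target1/aws/node_ssh_privkey|publickey}",
    "node_privkey": "?{awskms:target1/aws/node_ssh_privkey||rsa:2048}",
}


def parse_ref(value):
    """Split a ref into backend, path and its '|'-separated function pipeline."""
    m = REF_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"not a secret ref: {value!r}")
    return {"backend": m["backend"], "path": m["path"], "pipeline": m["pipeline"].split("|")}


def dependencies(ref):
    """Every path this ref reveals, i.e. each 'reveal:<path>' step of its pipeline."""
    return {step.split(":", 1)[1] for step in ref["pipeline"] if step.startswith("reveal:")}


def creation_order(refs):
    """Depth-first topological sort: a ref is created only after everything it reveals."""
    order, done, in_progress = [], set(), set()

    def visit(path):
        if path in done:
            return
        if path in in_progress:
            raise ValueError(f"circular reveal dependency involving {path}")
        if path not in refs:
            raise KeyError(f"reveal: points at a ref that is never declared: {path}")
        in_progress.add(path)
        for dep in sorted(dependencies(refs[path])):
            visit(dep)
        in_progress.discard(path)
        done.add(path)
        order.append(path)

    for path in refs:
        visit(path)
    return order


def rsa_pem(bits):
    """Generate an RSA private key and return it as unencrypted PKCS#8 PEM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())


def publickey_pem(private_pem):
    """Model of the |publickey filter: derive the SubjectPublicKeyInfo PEM from a private key."""
    key = serialization.load_pem_private_key(private_pem, password=None)
    return key.public_key().public_bytes(serialization.Encoding.PEM,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)


def public_key_matches(private_pem, public_pem):
    """True when the public PEM carries the same (n, e) as the private key."""
    priv = serialization.load_pem_private_key(private_pem, password=None)
    pub = serialization.load_pem_public_key(public_pem)
    return priv.public_key().public_numbers() == pub.public_numbers()


def run_pipeline(pipeline, store):
    """Run the generator, then the filters; 'reveal' reads from the already-resolved store."""
    head, *filters = pipeline
    if head.startswith("rsa"):
        bits = int(head.split(":", 1)[1]) if ":" in head else 4096
        value = rsa_pem(bits)
    elif head.startswith("reveal:"):
        dep = head.split(":", 1)[1]
        if dep not in store:
            # Same situation as the reported '|reveal function error ... does not exist'.
            raise LookupError(f"|reveal function error: {dep} does not exist")
        value = store[dep]
    else:
        raise ValueError(f"unsupported generator: {head}")
    for f in filters:
        if f != "publickey":
            raise ValueError(f"unsupported filter: {f}")
        value = publickey_pem(value)
    return value


def resolve_in_declared_order(inventory):
    """Naive resolution in inventory order: fails when a reveal precedes its source."""
    store = {}
    for ref in (parse_ref(v) for v in inventory.values()):
        store[ref["path"]] = run_pipeline(ref["pipeline"], store)
    return store


def resolve(inventory):
    """Dependency-aware resolution: sort by reveal dependencies, then run each pipeline."""
    refs = {}
    for ref in (parse_ref(v) for v in inventory.values()):
        refs[ref["path"]] = ref
    store = {}
    for path in creation_order(refs):
        store[path] = run_pipeline(refs[path]["pipeline"], store)
    return store
```

Note that `creation_order` rejects both a `reveal:` of a path that no ref declares and a cycle (two refs revealing each other), which is the other condition a dependency-aware resolver has to report clearly instead of looping.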

Hello @siku4,

Thank you for reporting this issue.

I confirm I also observe this behaviour, with the error message being:

|reveal function error: targets/XXX/token_private_key file in gkms:targets/XXX/token_private_key_encoded|reveal:targets/XXX/token_private_key does not exist

Please feel free to also join our community in the #kapitan channel of the Kubernetes Slack.

ademariag, Jul 07 '21 09:07