
./test.sh failing

Open stoyle opened this issue 6 years ago • 15 comments

Hey everyone. This may be a local problem on my machine, but I thought I'd report it anyways, since it seems I am on the latest version of everything.

First tried to go through the example and it failed immediately:

helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
➜  helm-secrets git:(master) ✗

And then I tried to run test.sh which also failed.

➜  R git clone [email protected]:futuresimple/helm-secrets.git
Cloning into 'helm-secrets'...
remote: Counting objects: 409, done.
remote: Total 409 (delta 0), reused 0 (delta 0), pack-reused 409
Receiving objects: 100% (409/409), 147.13 KiB | 617.00 KiB/s, done.
Resolving deltas: 100% (202/202), done.
➜  R cd helm-secrets
➜  helm-secrets git:(master) brew install sops
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 3 taps (heroku/brew, homebrew/core, caskroom/cask).
==> New Formulae
jthread                                                                                                                                  wp-cli
==> Updated Formulae
erlang ✔                      nginx ✔                       docker                        frugal                        groovyserv                    libswiften                    meson                         pygobject3                    talloc
git ✔                         arx                           docker-completion             gdcm                          gst-python                    libucl                        openrct2                      pytouhou                      unixodbc
heroku ✔                      aws-sdk-cpp                   exploitdb                     gitlab-runner                 lean-cli                      mackup                        osquery                       sdlpop                        vips
heroku/brew/heroku ✔          czmq                          flow                          gom                           libbi                         mat                           parallel                      spigot                        xdot
heroku/brew/heroku-node ✔     diffoscope                    fribidi                       grip                          librealsense                  mbedtls                       pgroonga                      svgcleaner                    zeromq

==> Downloading https://homebrew.bintray.com/bottles/sops-3.0.2.high_sierra.bottle.tar.gz
Already downloaded: /Users/stoyle/Library/Caches/Homebrew/sops-3.0.2.high_sierra.bottle.tar.gz
==> Pouring sops-3.0.2.high_sierra.bottle.tar.gz
🍺  /usr/local/Cellar/sops/3.0.2: 5 files, 16.8MB
➜  helm-secrets git:(master) ./test.sh
+++ Installing helm-secrets plugin
[OK] helm-ecrets plugin installed

+++ Importing private pgp key for projectx
gpg: key AF1D073646ED4927: "helm-secrets-example-projectx <[email protected]>" not changed
gpg: key AF1D073646ED4927: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Importing private pgp key for projectx
gpg: key 19F6A67BB1B8DDBE: "helm-secrets-example-projecty <[email protected]>" not changed
gpg: key 19F6A67BB1B8DDBE: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Show helm_vars tree from example
example/helm_vars/
├── .sops.yaml
├── projectX
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── projectY
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── secrets.yaml
└── values.yaml

14 directories, 13 files

+++ Testing ./example/helm_vars/secrets.yaml
+++ Encrypt and Test


[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works


[OK] Already Encrypted
+++ View encrypted Test

[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully

[OK] File decrypted and viewable
+++ Decrypt

[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully

[OK] File decrypted
+++ Cleanup Test


[OK] Cleanup specified directory


[OK] Cleanup specified .dec file


[OK] Cleanup specified encrypted secret file
+++ Once again Encrypt and Test

[PGP]	 INFO[0000] Encryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[PGP]	 INFO[0001] Encryption succeeded                          fingerprint=40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE
[CMD]	 INFO[0001] File written successfully

[OK] File properly encrypted
+++ Testing ./example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test


[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works


[OK] Already Encrypted
+++ View encrypted Test

[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
[OK] File decrypted and viewable
+++ Decrypt

[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
General error
➜  helm-secrets git:(master) ✗

So, is it my machine, or is this a bug?

Cheers, Alf

stoyle avatar Mar 23 '18 08:03 stoyle

@stoyle did you find out what the cause of the issue was? I'm getting the same results.

stefanthorpe avatar Apr 09 '18 03:04 stefanthorpe

No, still failing. But I am using helm-secrets successfully with my own encrypted files. So it works, regardless of this test failure.

stoyle avatar Apr 09 '18 12:04 stoyle

I upgraded sops to 3.0.3; this seemed to help.

stefanthorpe avatar Apr 26 '18 08:04 stefanthorpe

Same problem here:

Error: plugin "secrets" exited with error
General error
➜  helm-secrets git:(master) ✗ sops --version
sops 3.0.3 (latest)

helm secrets is working for us, by the way. Just not in this test.

Cheers, Alf

stoyle avatar Apr 28 '18 08:04 stoyle

I have the same issue (sops 3.0.3)

caussourd avatar May 02 '18 11:05 caussourd

This is still occurring for sops 3.0.5. Any updates on this?

mike10010100 avatar May 31 '18 20:05 mike10010100

Have the same issue. Can anyone explain how to resolve it?

nitrogear avatar Jun 13 '18 07:06 nitrogear

I just tried to get the examples running:

helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31

Maybe this is related? Btw, helm secrets dec example/helm_vars/secrets.yaml works.

Best, Marc

marcpalm avatar Jul 04 '18 07:07 marcpalm

Have the same issue when trying the example:

helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
  • sops 3.0.5 (latest)
  • helm-secrets 1.3.1

yujunz avatar Aug 22 '18 21:08 yujunz

Here's a couple more datapoints: the issue happens with plain old sops (not just helm-secrets), and before the upgrade from sops 2.x to sops 3.x, the error wasn't happening:

tarrall@Tarrall <~/gits/helm-secrets>git status
HEAD detached at 98509c7
nothing to commit, working tree clean
tarrall@Tarrall <~/gits/helm-secrets>sops -d example/helm_vars/projectX/production/us-east-1/java-app/secrets.yaml
secret_production_projectx: secret_foo_123
tarrall@Tarrall <~/gits/helm-secrets>git checkout 098df35aabbd4169d0a9569227cef454560e7f86
[...]
tarrall@Tarrall <~/gits/helm-secrets>sops -d example/helm_vars/projectX/production/us-east-1/java-app/secrets.yaml
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31

Given the timing on that commit, I wonder if it was bitten by https://github.com/mozilla/sops/issues/278 ... though mildly surprising that it's not failing for everyone.

If it's that, re-encrypting the examples with a more recent version of sops (e.g. 3.1.1) would be a fix.

tarrall avatar Oct 09 '18 16:10 tarrall
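
Added example (not part of the thread and not sops or helm-secrets code): a simplified Go model of why the log can show "Data key recovered successfully" and still fail with "crypto/aes: invalid key size 31". It assumes the recovered data key arrives one byte short, which the thread does not establish; openValue, sealValue and checkDataKey are hypothetical helpers, and the key and nonce are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// checkDataKey rejects a recovered data key whose length AES cannot use.
// Running this right after key recovery reports the fault where it occurs.
func checkDataKey(k []byte) error {
	switch len(k) {
	case 16, 24, 32:
		return nil
	}
	return fmt.Errorf("recovered data key is %d bytes, want 16, 24 or 32", len(k))
}

// newGCM builds AES-GCM from the data key; aes.NewCipher is the call that
// returns "crypto/aes: invalid key size N" for any other key length.
func newGCM(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, fmt.Errorf("Could not decrypt value: %w", err)
	}
	return cipher.NewGCM(block)
}

// sealValue encrypts one value under the data key (constructed test data only).
func sealValue(dataKey, nonce, pt []byte) ([]byte, error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, pt, nil), nil
}

// openValue decrypts one value; it fails before touching the ciphertext
// when the data key has the wrong length.
func openValue(dataKey, nonce, ct []byte) ([]byte, error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	nonce := make([]byte, 12)                         // fixed nonce, demo only
	ct, _ := sealValue(key, nonce, []byte("secret_foo_123"))
	_, err := openValue(key[:31], nonce, ct) // same key, one byte short
	fmt.Println(err, "|", checkDataKey(key[:31]))
}
```

The PGP layer only proves that some data key was unwrapped; the length is not checked until the first value is opened, which is why the error appears after the success messages.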

Getting the same error with secrets 2.0.0, sops 3.1.1, both are latest.

sandywang1982 avatar Oct 29 '18 04:10 sandywang1982

Same with sops 3.2.0.

jbuettnerbild avatar Nov 12 '18 13:11 jbuettnerbild

@jbuettnerbild @sandywang1982 @stoyle can anyone check if these issues exist on the latest 2.0.1 version from master?

szibis avatar Mar 29 '19 13:03 szibis

Looks like it is failing somewhat earlier now. On latest master:

➜  helm-secrets git:(master) sops --version
sops 3.2.0 (latest)
➜  helm-secrets git:(master) ./test.sh
+++ Installing helm-secrets plugin
[OK] helm-secrets plugin installed

+++ Importing private pgp key for projectx
gpg: key AF1D073646ED4927: "helm-secrets-example-projectx <[email protected]>" not changed
gpg: key AF1D073646ED4927: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Importing private pgp key for projectx
gpg: key 19F6A67BB1B8DDBE: "helm-secrets-example-projecty <[email protected]>" not changed
gpg: key 19F6A67BB1B8DDBE: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Show helm_vars tree from example
example/helm_vars/
├── .sops.yaml
├── projectX
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── projectY
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── secrets.yaml
└── values.yaml

14 directories, 13 files

+++ Testing ./example/helm_vars/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[FAIL] Not Encrypted or re-encrypted. Should be already encrypted with no re-encryption.
General error

stoyle avatar Mar 30 '19 13:03 stoyle

Mine works fine, I have checked out the latest code.

sandy@xxxx:~/helm-secrets$ ./test.sh
+++ Installing helm-secrets plugin
[OK] helm-secrets plugin installed

+++ Importing private pgp key for projectx
gpg: key AF1D073646ED4927: "helm-secrets-example-projectx <[email protected]>" not changed
gpg: key AF1D073646ED4927: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Importing private pgp key for projectx
gpg: key 19F6A67BB1B8DDBE: "helm-secrets-example-projecty <[email protected]>" not changed
gpg: key 19F6A67BB1B8DDBE: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Show helm_vars tree from example
example/helm_vars/
├── .sops.yaml
├── projectX
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── projectY
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── secrets.yaml
└── values.yaml

14 directories, 13 files

+++ Testing ./example/helm_vars/projectX/production/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
[OK] File decrypted and viewable
+++ Decrypt
[OK] File decrypted
+++ Cleanup Test
[OK] Cleanup specified directory
[OK] Cleanup specified .dec file
+++ Once again Encrypt and Test
[OK] File properly encrypted
+++ Testing ./example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
[OK] File decrypted and viewable
+++ Decrypt
[OK] File decrypted
+++ Cleanup Test
[OK] Cleanup specified directory
[OK] Cleanup specified .dec file
+++ Once again Encrypt and Test
[OK] File properly encrypted
+++ Testing ./example/helm_vars/projectY/production/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
[OK] File decrypted and viewable
+++ Decrypt
[OK] File decrypted
+++ Cleanup Test
[OK] Cleanup specified directory
[OK] Cleanup specified .dec file
+++ Once again Encrypt and Test
[OK] File properly encrypted
+++ Testing ./example/helm_vars/projectY/sandbox/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
[OK] File decrypted and viewable
+++ Decrypt
[OK] File decrypted
+++ Cleanup Test
[OK] Cleanup specified directory
[OK] Cleanup specified .dec file
+++ Once again Encrypt and Test
[OK] File properly encrypted
+++ Testing ./example/helm_vars/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
[OK] File decrypted and viewable
+++ Decrypt
[OK] File decrypted
+++ Cleanup Test
[OK] Cleanup specified directory
[OK] Cleanup specified .dec file
+++ Once again Encrypt and Test
[OK] File properly encrypted

sandywang1982 avatar Apr 01 '19 02:04 sandywang1982