ksops with age using argocd #218
Comments
|
🤖 Hello @nureyni! I'm Dosu, an AI here to assist with your issue while we wait for a human maintainer. I'm here to help troubleshoot bugs, answer questions, and guide you through contributing to this project. I'm currently reviewing the issue you've posted and will provide a more detailed response shortly. Hang tight! |
|
🤖 From the error message you provided, it seems like the decryption process is failing. This could be due to several reasons:
To resolve the issue, you should check the logs of the You can refer to the KSOPS code here for more details. I hope this helps! If you have any more questions or need further clarification, feel free to ask. Sources
This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research. Help me be more useful! Please leave a 👍 if this is helpful and 👎 if it is irrelevant. If you want to continue the conversation, start your reply with @dosu-bot. |
|
Hi @nureyni thanks for making an issue. Are you able to build the manifests when you exec into the pod? The error indicates KSOPS can't find the |
|
Hi @devstein, Thanks for your reply Below the content of my deployment (i removed all unrelevent keys): apiVersion: apps/v1
kind: Deployment
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
template:
metadata:
labels:
app.kubernetes.io/name: argocd-repo-server
spec:
volumes:
- name: custom-tools
emptyDir: {}
- name: sops-age
secret:
secretName: sops-age
defaultMode: 420
- name: ssh-known-hosts
configMap:
name: argocd-ssh-known-hosts-cm
defaultMode: 420
- name: tls-certs
configMap:
name: argocd-tls-certs-cm
defaultMode: 420
- name: gpg-keys
configMap:
name: argocd-gpg-keys-cm
defaultMode: 420
- name: gpg-keyring
emptyDir: {}
- name: tmp
emptyDir: {}
- name: helm-working-dir
emptyDir: {}
- name: var-files
emptyDir: {}
- name: plugins
emptyDir: {}
initContainers:
- name: install-ksops
image: viaductoss/ksops:v4.2.5
command:
- /bin/sh
- '-c'
args:
- >-
echo "Installing KSOPS..."; cp /usr/local/bin/ksops
/custom-tools/; cp /usr/local/bin/kustomize /custom-tools/; echo
"Done.";
resources: {}
volumeMounts:
- name: custom-tools
mountPath: /custom-tools
containers:
- name: argocd-repo-server
image: quay.io/argoproj/argocd:v2.9.0
args:
- /usr/local/bin/argocd-repo-server
ports:
- containerPort: 8081
protocol: TCP
- containerPort: 8084
protocol: TCP
env:
- name: SOPS_AGE_KEY_FILE
value: /.config/sops/age/keys.txt
resources: {}
volumeMounts:
- name: custom-tools
mountPath: /usr/local/bin/kustomize
subPath: kustomize
- name: custom-tools
mountPath: /usr/local/bin/ksops
subPath: ksops
- name: sops-age
mountPath: /.config/sops/age/keys.txt
subPath: keys.txt
- name: custom-tools
mountPath: /custom-tools
- name: ssh-known-hosts
mountPath: /app/config/ssh
- name: tls-certs
mountPath: /app/config/tls
- name: gpg-keys
mountPath: /app/config/gpg/source
- name: gpg-keyring
mountPath: /app/config/gpg/keys
- name: argocd-repo-server-tls
mountPath: /app/config/reposerver/tls
- name: tmp
mountPath: /tmp
- name: helm-working-dir
mountPath: /helm-working-dir
- name: plugins
mountPath: /home/argocd/cmp-server/plugins
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
serviceAccountName: argocd-repo-server
serviceAccount: argocd-repo-server
automountServiceAccountToken: false
securityContext: {}
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
revisionHistoryLimit: 10
progressDeadlineSeconds: 600
inside the container argocd-repo-server, a # created: 2023-11-09T22:23:46+01:00
# public key: age1dsm5k********************************
AGE-SECRET-KEY-1UJTK80P5HZLR8S5T**************** |
|
@devstein do you have any idea on how can ksops find the AGE key |
|
Hi @nureyni, it's unclear to me if you're trying to use an age key which is still an encrypted secret or if you actually have two age keys (one is your own, one is used for argocd to decrypt your resources). The error: means there are no age keys available that can decrypt the file, not that IMHO you should have at least two age keys listed in your creation_rules:
- path_regex: .*\.sops\.ya?ml
age: "age1***this-is-your-personal-key,age1***this-is-argocd-key-to-decrypt-other-manifests"
encrypted_regex: "^(data|stringData)$"You'll want to encrypt the To confirm: in your screenshot we see that |
|
Had the same error but it was due to me having environment variable set directly to the age key string instead of a file path that contains the age key |
|
I had the same error. I had both the env var containing the |
|
More people will fall into this trap. The core issue is the incomplete documentation in the README.md for ArgoCD+Helm Chart. After way too many tries I arrived at this config: argocd-values.yaml configs:
cm:
kustomize.buildOptions: "--enable-helm --enable-alpha-plugins --enable-exec"
repoServer:
# Use init containers to configure custom tooling
# https://argoproj.github.io/argo-cd/operator-manual/custom_tools/
volumes:
- name: custom-tools
emptyDir: {}
- name: sops-age
secret:
secretName: sops-age
initContainers:
- name: install-ksops
image: viaductoss/ksops:v4.3.2
command: ["/bin/sh", "-c"]
args:
- echo "Installing KSOPS...";
mv ksops /custom-tools/;
mv kustomize /custom-tools/;
echo "Done.";
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
volumeMounts:
- mountPath: /usr/local/bin/kustomize
name: custom-tools
subPath: kustomize
- mountPath: /usr/local/bin/ksops
name: custom-tools
subPath: ksops
# missing in official docs until EOF
- mountPath: /home/argocd/.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
name: custom-tools
subPath: ksops
- mountPath: /.config/sops/age/key.txt
name: sops-age
subPath: key.txt
env:
- name: SOPS_AGE_KEY_FILE
value: /.config/sops/age/key.txtSide note @tcassaert : When I experimented locally, I needed to set both env vars for it to work! But in the argocd-repo-server the path to the key file was enough, just as you wrote. Don't understand why ksops is behaving differently locally. export AGEKEY=/path/to/my.agekey
# 1. Both: WORKS
export SOPS_AGE_KEY_FILE=$AGEKEY
export SOPS_AGE_KEY=$(cat $AGEKEY)
# 2. Content Only: doesn't work
export SOPS_AGE_KEY_FILE=
export SOPS_AGE_KEY=$(cat $AGEKEY)
# 3. Path only: doesn't work
export SOPS_AGE_KEY_FILE=$AGEKEY
export SOPS_AGE_KEY= |
Issue Summary
I am encountering an error when trying to decrypt a file using KSOPS with AGE in ArgoCD. The specific error occurs in the
argocd-repo-serverpod and relates to the decryption of the./secrets/sops-age-privatekey-secret.yamlfile. What i'm i doing wrong ?Environment Details
Context
argocd-repo-serverdeployment to install KSOPS and place the AGE private key in the container. The deployment YAML is as follows:./secret-generator.yamlwith the following content:Expected Behavior
The expected behavior is for the KSOPS to successfully decrypt the file specified in
./secrets/age-privatekey-secret.sops.yamland add it to the cliuster at the namespaceargocd. Not that ksops is actually installed and the private key in place in the container (have done test using the container shell)Actual Behavior
The
argocd-repo-serverpod is throwing the following error:Additional Information
and configmaps
Attachments:
My encrypted file and the project files in the screenshot below
The text was updated successfully, but these errors were encountered: