base64 decode is not displaying base64 encoded value #271

Closed
kavita1205 opened this issue Sep 21, 2022 · 8 comments
Labels
bug Something isn't working

Comments


kavita1205 commented Sep 21, 2022

Current Behavior

I have a secrets.yaml file that contains the values of the secrets needed by my application. After encoding via helm secrets enc secrets.yaml it contains the following:

imageCredentials:
    registry: ENC[AES256_GCM,data:FUeBx2vJEsYWHu3Fcz/zegjwFoTQadBx,iv:aoJ/dpVzlzTDcS/Ko96gtpC9VEbuZe1FQsgnEazxAIg=,tag:1HzNCLdpxRxpXkNJ7uFdbw==,type:str]
    username: ENC[AES256_GCM,data:CDkJ6Q2hN6tqkA==,iv:qrs2mc4242bWxgCO2X7TeRyhQPxsnVUC+PRBEJe72ug=,tag:H3rRHchV89Jacft5xNrwXg==,type:str]
    password: ENC[AES256_GCM,data:kfJcl2s632KpFnIhE5E0zZw7g3/z6hwD7cYiHEfZVoh8mLL3DC65Mk1MQv8ZkgttFrVHOpnz5JREceN6ooux0Itrod12Xnoi7w==,iv:dlAFW3F9Tz12wLnc0H8nXsHxVPThyyqzkJDTHMmdrik=,tag:v2ohS2zLHudREyM7A4KfZw==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age17******************************************************
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNGE0RkJZTktId1Evdm83
            anA3dG8wYUd5amxzZnNDRDVzMVAzdGNsbG00CkVOekVZcWp0ell3TXF0cVlRd3g1
            YnByVStHd1BaWXdzUFlEcDF4bCt5dXMKLS0tIGJ4NzBqOWVlSGZLdnRKcEZDM2pa
            UDg0dHI1MmZxYVRXVWJsT1lKbmlCcncKl7H8crVY8vVWgiMhX0+QVoFnF39Svxsg
            qT1pQG6A54MaTaSjY0qCJbJXSQEi61qs/EjrHYidw7hKEZuUxVrLkg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-09-20T15:50:05Z"
    mac: ENC[AES256_GCM,data:GfWYbem2i5tDIN1sRKP0gZzNQgmXf1p9vqr+xPEAyg9jpDfaYwlK08d5Taaq03h1qLO8v0Y5vSJpfTroIsLn2OfGybkrKPZ87cTrVro1el/kAPKPLVW9WW6upTld5T+Dxsp++LUsf5a3xtDaC+hKcsBpCqjuMZv6neCmBFRLcN4=,iv:Ae9VaDx4kqfLAbobBlBCJ4IhVBRl3IMoBi8I/CbBl7k=,tag:Je8EUQXGgRfdAm6fY8lh9g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.2

secrets.yaml

{{- define "imagePullSecret" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc ) | b64enc }}
{{- end }}

apiVersion: v1
kind: Secret
metadata:
  name: secrets
  namespace: {{ .Values.namespace }}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {{ template "imagePullSecret" . }}

I am running the commands below for this deployment in my pipeline:

//decrypt secret key
        sh ('KUBECONFIG=\$KUBECONFIG helm secrets upgrade --install ${SERVICE_NAME} helm-repository/${SERVICE_NAME} \
                     -f secrets/\${NAMESPACE}/${SERVICE_NAME}/secrets.yaml \
                     -f environments/\${NAMESPACE}/${SERVICE_NAME}/values.yaml \
                    --version=${HELM_CHART_VERSION} --set image.tag=${DOCKER_TAG} -n ${NAMESPACE} --debug --username "${USER}" --wait --timeout 20m0s')

 // Packaging Helm Chart
                    sh('KUBECONFIG=\$KUBECONFIG helm upgrade --install ${SERVICE_NAME} helm-repository/${SERVICE_NAME} \
                    -f secrets/\${NAMESPACE}/${SERVICE_NAME}/secrets.yaml \
                    -f environments/\${NAMESPACE}/${SERVICE_NAME}/values.yaml \
                    --version=${HELM_CHART_VERSION} --set image.tag=${DOCKER_TAG} -n ${NAMESPACE} --debug --username "${USER}" --wait --timeout 20m0s') 

Now, running base64 decoding against the above values renders:

kubectl get secrets -n ml-datapipeline-test secrets -o json|jq -r .data.'".dockerconfigjson"'|base64 -d
{"auths": {"ENC[AES256_GCM,data:FUeBx2vJEsYWHu3Fcz/zegjwFoTQadBx,iv:aoJ/dpVzlzTDcS/Ko96gtpC9VEbuZe1FQsgnEazxAIg=,tag:1HzNCLdpxRxpXkNJ7uFdbw==,type:str]": {"auth": "RU5DW0FFUzI1Nl9HQ00sZGF0YTpDRGtKNlEyaE42dHFrQT09LGl2OnFyczJtYzQyNDJiV3hnQ08yWDdUZVJ5aFFQeHNuVlVDK1BSQkVKZTcydWc9LHRhZzpIM3JSSGNoVjg5SmFjZnQ1eE5yd1hnPT0sdHlwZTpzdHJdOkVOQ1tBRVMyNTZfR0NNLGRhdGE6a2ZKY2wyczYzMktwRm5JaEU1RTB6Wnc3ZzMvejZod0Q3Y1lpSEVmWlZvaDhtTEwzREM2NU1rMU1Rdjhaa2d0dEZyVkhPcG56NUpSRWNlTjZvb3V4MEl0cm9kMTJYbm9pN3c9PSxpdjpkbEFGVzNGOVR6MTJ3TG5jMEg4blhzSHhWUFRoeXlxemtKRFRITW1kcmlrPSx0YWc6djJvaFMyekxIdWRSRXlNN0E0S2Zadz09LHR5cGU6c3RyXQ=="}}}

Here, for this issue I have checked issues #95 and #128 mentioned in this repo: [zendesk/helm-secrets](zendesk/helm-secrets#148)

I am using secrets.yaml and following the naming convention, so why am I still getting the helm-encrypted value when running base64 --decode?

Can someone help me here?


@kavita1205 kavita1205 added the bug Something isn't working label Sep 21, 2022
@jkroepke
Owner

The Packaging Helm Chart step from your code re-runs helm upgrade without secrets (instead of helm package?). From my point of view, the second helm upgrade does not decrypt the values and overrides the decrypted values from the helm secrets update.

@kavita1205
Author

@jkroepke thanks for your response. So what should I do in this case so that the base64-decoded value is the original value instead of the helm-encrypted value?

@jkroepke
Owner

What happens if you skip your 'Packaging Helm Chart' task?

@kavita1205
Author

Helm chart would not be deployed for that application

@jkroepke
Owner

Not sure; helm secrets upgrade --install already deploys the application.

@kavita1205
Author

I will check and update you on whether I can skip the packaging step. But I have a query: would simply running helm secrets upgrade install resolve this issue, meaning that running kubectl get secrets regcred -n namespaces -o json etc. afterwards would return the original value?

@jkroepke
Owner

helm secrets upgrade does the same as helm upgrade, plus it decrypts the secrets.

If you run helm upgrade after helm secrets upgrade, helm upgrade will override the decrypted value with the encrypted one.

@kavita1205
Author

Thanks @jkroepke, your comments above resolved my issue. Actually, I am new to Helm and your statement gave me more clarity. Now I am running only the decrypt secret key step and it resolved my issue.

Thanks a ton :)

//decrypt secret key
        sh ('KUBECONFIG=\$KUBECONFIG helm secrets upgrade --install ${SERVICE_NAME} helm-repository/${SERVICE_NAME} \
                     -f secrets/\${NAMESPACE}/${SERVICE_NAME}/secrets.yaml \
                     -f environments/\${NAMESPACE}/${SERVICE_NAME}/values.yaml \
                    --version=${HELM_CHART_VERSION} --set image.tag=${DOCKER_TAG} -n ${NAMESPACE} --debug --username "${USER}" --wait --timeout 20m0s')
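
A post-deploy check for the failure described in this thread, as an added example that is not part of the original issue or of the helm-secrets project: it decodes a `.dockerconfigjson` value the way the `kubectl ... | base64 -d` command above does, then also decodes the nested `auth` field, and reports every field that still carries a SOPS `ENC[AES256_GCM,...]` wrapper. The function names and the sample value are constructed for illustration.

```python
import base64
import binascii
import json
import re
import sys

# SOPS wraps every encrypted scalar as ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
SOPS_MARKER = re.compile(r"ENC\[AES256_GCM,data:")

# Constructed sample value shaped like SOPS ciphertext (not taken from the issue).
SAMPLE_ENC = "ENC[AES256_GCM,data:Q09OU1RSVUNURUQ=,iv:AAAA,tag:BBBB,type:str]"


def render_image_pull_secret(registry, username, password):
    """Build the value the chart's imagePullSecret helper produces:
    b64enc of a JSON document whose "auth" is b64enc("username:password")."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    doc = json.dumps({"auths": {registry: {"auth": auth}}})
    return base64.b64encode(doc.encode()).decode()


def find_sops_ciphertext(dockerconfigjson_b64):
    """Return (registry, field) pairs that still hold SOPS ciphertext.

    dockerconfigjson_b64 is the raw .data[".dockerconfigjson"] string of a
    kubernetes.io/dockerconfigjson Secret, as returned by kubectl -o json.
    """
    config = json.loads(base64.b64decode(dockerconfigjson_b64))
    findings = []
    for registry, entry in config.get("auths", {}).items():
        if SOPS_MARKER.search(registry):
            findings.append((registry, "registry"))
        # "auth" is a second base64 layer, so ciphertext inside it is not
        # visible after the outer decode and has to be decoded separately.
        try:
            auth = base64.b64decode(entry.get("auth", ""), validate=True)
        except (binascii.Error, ValueError):
            findings.append((registry, "auth-not-base64"))
            continue
        if SOPS_MARKER.search(auth.decode("utf-8", "replace")):
            findings.append((registry, "auth"))
    return findings


if __name__ == "__main__":
    # Pipeline gate: pipe the base64 value in on stdin; exit 1 on any finding.
    hits = find_sops_ciphertext(sys.stdin.read())
    for registry, field in hits:
        print(f"SOPS ciphertext deployed in {field}: {registry[:40]}")
    sys.exit(1 if hits else 0)
```

Run it as a pipeline step after the deploy, feeding it the output of the `kubectl get secrets ... | jq -r ...` part of the command above without the final `base64 -d`.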
