This repository has been archived by the owner on Nov 23, 2024. It is now read-only.

Encrypted secret values provided to helm #148

Closed
youngkin opened this issue Feb 13, 2020 · 2 comments

Comments

@youngkin

I have a secretValues.yaml file that contains the values of the secrets needed by my application. After encoding via helm secrets enc secretValues.yaml it contains the following:

secrets:
    dbuser: ENC[AES256_GCM,data:hoqeUpA=,iv:qwK054sQwcR7tgLf7/corXa2fZf4mxmd08+pxkOgtj8=,tag:OC8r4t4NHaB5rz4a/MpHpg==,type:str]
    dbpassword: ENC[AES256_GCM,data:BJLarQpfA9KvZg==,iv:GLP5/CUBBrVsfR3t1zb96TmiSHO8O9ljI0rWDgczwJI=,tag:s6IZ92+dR6aQmn2PZJ4UmA==,type:str]
sops:
    kms: []

After running helm secrets install . -f secretValues.yaml --namespace video --name customerd --debug the secret spec is displayed as:

# Source: customerd/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
    name: custd-secrets
    labels:
        app: customerd
        chart: 'customerd-0.1.0'
        release: 'customerd'
        heritage: 'Tiller'
type: Opaque
data:
    dbuser: "RU5DW0FFUzI1Nl9HQ00sZGF0YTpob3FlVXBBPSxpdjpxd0swNTRzUXdjUjd0Z0xmNy9jb3JYYTJmWmY0bXhtZDA4K3B4a09ndGo4PSx0YWc6T0M4cjR0NE5IYUI1cno0YS9NcEhwZz09LHR5cGU6c3RyXQ=="
    dbpassword: "RU5DW0FFUzI1Nl9HQ00sZGF0YTpCSkxhclFwZkE5S3ZaZz09LGl2OkdMUDUvQ1VCQnJWc2ZSM3QxemI5NlRtaVNITzhPOWxqSTByV0RnY3p3Skk9LHRhZzpzNklaOTIrZFI2YVFtbjJQWko0VW1BPT0sdHlwZTpzdHJd"

Running base64 decoding against the above values renders:

$ echo "RU5DW0FFUzI1Nl9HQ00sZGF0YTpCSkxhclFwZkE5S3ZaZz09LGl2OkdMUDUvQ1VCQnJWc2ZSM3QxemI5NlRtaVNITzhPOWxqSTByV0RnY3p3Skk9LHRhZzpzNklaOTIrZFI2YVFtbjJQWko0VW1BPT0sdHlwZTpzdHJd" | base64 --decode
ENC[AES256_GCM,data:BJLarQpfA9KvZg==,iv:GLP5/CUBBrVsfR3t1zb96TmiSHO8O9ljI0rWDgczwJI=,tag:s6IZ92+dR6aQmn2PZJ4UmA==,type:str]

and

$ echo "RU5DW0FFUzI1Nl9HQ00sZGF0YTpob3FlVXBBPSxpdjpxd0swNTRzUXdjUjd0Z0xmNy9jb3JYYTJmWmY0bXhtZDA4K3B4a09ndGo4PSx0YWc6T0M4cjR0NE5IYUI1cno0YS9NcEhwZz09LHR5cGU6c3RyXQ==" | base64 --decode
ENC[AES256_GCM,data:hoqeUpA=,iv:qwK054sQwcR7tgLf7/corXa2fZf4mxmd08+pxkOgtj8=,tag:OC8r4t4NHaB5rz4a/MpHpg==,type:str]

The decoded values match the encrypted contents of the secretValues.yaml after encrypting via helm secrets enc secretValues.yaml. I expected the values of dbuser and dbpassword from the secrets specification to be the original base64 encoded values, e.g., somedbuser and somedbpassword, not the helm secrets encrypted values.

I may be missing something obvious, but it's not apparent to me. Am I missing something?

@youngkin
Author

Turns out, after eventually finding #95 and #128, the problem was the name of my secrets values file. I find naming this file secrets.yaml as in the examples to be confusing as it is not the kubernetes/helm secrets specification file. So I named it secretValues.yaml thinking this was more descriptive. Turns out it needs to be named something like secrets.<something>.yaml. Granted this is somewhat of an RTFM problem on my part as I later found this in the README file:

By convention, files containing secrets are named secrets.yaml, or anything beginning with "secrets." and ending with ".yaml". E.g. secrets.test.yaml and secrets.prod.yaml.

But the examples in the documentation, coupled with the length of the README, make the above lines easy to miss. Perhaps the documentation could be changed to make this naming requirement more obvious?

Feel free to close this if you don't agree. My point was to make sure someone saw this and hopefully makes the README clearer and/or addresses #128.
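As an added example (not code from the issue or from the helm-secrets project), a small Python check that applies the README naming rule quoted above and scans a rendered Secret for values that are still sops ENC[...] ciphertext, which is the failure mode shown in this issue. parse_secret_data is a hypothetical minimal helper rather than a YAML parser, and the sample manifest is constructed from the dbuser ciphertext shown in the issue.

```python
import base64
import re

# helm-secrets naming rule quoted from the README above:
# secrets.yaml, or anything beginning with "secrets." and ending with ".yaml".
SECRETS_FILE_RE = re.compile(r"^secrets(\.[^/]+)?\.yaml$")
# Shape of a value that sops left encrypted (the ENC[...] form shown in the issue).
SOPS_ENC_RE = re.compile(r"^ENC\[[A-Z0-9_]+,data:")

def is_decrypted_by_helm_secrets(path: str) -> bool:
    """True if the values file name matches the helm-secrets convention."""
    return SECRETS_FILE_RE.match(path.rsplit("/", 1)[-1]) is not None

def parse_secret_data(manifest: str) -> dict:
    """Hypothetical minimal parser: key/value pairs under 'data:' of one rendered Secret."""
    data, in_data = {}, False
    for line in manifest.splitlines():
        if re.match(r"^data:\s*$", line):
            in_data = True
        elif in_data and (m := re.match(r'^\s+([\w.-]+):\s*"?([A-Za-z0-9+/=]*)"?\s*$', line)):
            data[m.group(1)] = m.group(2)
        elif in_data and line and not line[0].isspace():
            in_data = False  # next top-level key ends the data block
    return data

def find_undecrypted_values(secret_data: dict) -> dict:
    """Keys whose base64-decoded value is still a sops ENC[...] string."""
    leaked = {}
    for key, b64_value in secret_data.items():
        try:
            plain = base64.b64decode(b64_value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or malformed payloads are not sops text
        if SOPS_ENC_RE.match(plain):
            leaked[key] = plain
    return leaked

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample: dbuser carries the ciphertext from the issue, as it lands in the
# Secret when the values file is not decrypted; dbpassword is a properly decrypted value.
SAMPLE_MANIFEST = f"""apiVersion: v1
kind: Secret
type: Opaque
data:
  dbuser: "{b64('ENC[AES256_GCM,data:hoqeUpA=,iv:qwK054sQwcR7tgLf7/corXa2fZf4mxmd08+pxkOgtj8=,tag:OC8r4t4NHaB5rz4a/MpHpg==,type:str]')}"
  dbpassword: "{b64('somedbpassword')}"
"""
```

Running find_undecrypted_values over the output of helm template in CI catches a misnamed values file before an encrypted blob is ever committed to the cluster as the "secret".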

@znorris

znorris commented May 19, 2020

This also tripped me up. Docs could use some rewording IMHO.
