SecretDecryptionException: Secret engine does not exist: k8s #72

Open
andrijaperovic opened this issue Jan 8, 2021 · 3 comments

@andrijaperovic

After running deploy.sh, the deployment script goes through successfully; however, I am seeing an error in the halyard container of the spinnaker-operator pod:

2021-01-08 01:21:03.803 ERROR 1 --- [nio-8064-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is com.netflix.spinnaker.kork.secrets.SecretDecryptionException: Secret Engine does not exist: k8s] with root cause
com.netflix.spinnaker.kork.secrets.SecretDecryptionException: Secret Engine does not exist: k8s
	at com.netflix.spinnaker.kork.secrets.SecretManager.decryptAsBytes(SecretManager.java:85) ~[kork-secrets-7.68.0.jar:7.68.0]
	at com.netflix.spinnaker.kork.secrets.SecretManager.decrypt(SecretManager.java:48) ~[kork-secrets-7.68.0.jar:7.68.0]
	at com.netflix.spinnaker.kork.secrets.SecretSession.decrypt(SecretSession.java:20) ~[kork-secrets-7.68.0.jar:7.68.0]
	at com.netflix.spinnaker.halyard.core.secrets.v1.SecretSessionManager.decrypt(SecretSessionManager.java:71) ~[halyard-core-operator-c1d641c.jar:na]
	at com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.ServiceSettings.lambda$decryptSecrets$1(ServiceSettings.java:127) ~[halyard-deploy-operator-c1d641c.jar:na]
	at java.base/java.util.HashMap.replaceAll(HashMap.java:1352) ~[na:na]
	at com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.ServiceSettings.decryptSecrets(ServiceSettings.java:126) ~[halyard-deploy-operator-c1d641c.jar:na]
	at com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.SpinnakerServiceProvider.buildRuntimeSettings(SpinnakerServiceProvider.java:48) ~[halyard-deploy-operator-c1d641c.jar:na]
	at com.netflix.spinnaker.halyard.deploy.services.v1.GenerateService.generateConfig(GenerateService.java:111) ~[halyard-deploy-operator-c1d641c.jar:na]
	at com.netflix.spinnaker.halyard.deploy.deployment.v1.ManifestGenerator.generateManifestList(ManifestGenerator.java:92) ~[halyard-deploy-operator-c1d641c.jar:na]
	at com.netflix.spinnaker.halyard.controllers.v1.DeploymentController.getCombinedDeploymentManifests(DeploymentController.java:368) ~[halyard-web-operator-c1d641c.jar:na]
	at jdk.internal.reflect.GeneratedMethodAccessor1051.invoke(Unknown Source) ~[na:na]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.7.RELEASE.jar:5.2.7.RELEASE]
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.7.RELEASE.jar:5.2.7.RELEASE]

I have specified secrets in the SpinnakerService CRD using the following convention:

encrypted:k8s!n:spin-secrets!k:aws-secret-key

Is there some limitation to what keys can be used? Or is this format incorrect?

@andrijaperovic
Author

Looks like the issue is that encrypted properties are not supported inside of service-settings.echo.env.
After adding a plaintext value for AWS_SECRET_KEY, it is working as expected.
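
A pre-deploy check for the situation in this thread, as an added example that is not part of the original issue or the project's code: it walks a config tree, parses every `encrypted:` / `encryptedFile:` reference, and lists those whose engine the consuming component does not register. The `engine!key:value!...` grammar is generalized from the single reference quoted above (an assumption), and `SAMPLE_CONFIG`, `parse_ref`, `find_refs` and `unresolved` are hypothetical names.

```python
from typing import Any, Iterator, NamedTuple

PREFIXES = ("encryptedFile:", "encrypted:")  # both forms are mentioned in this thread

class SecretRef(NamedTuple):
    path: str     # dotted location of the value in the config tree
    kind: str     # "encrypted" or "encryptedFile"
    engine: str   # e.g. "k8s"
    params: dict  # e.g. {"n": "spin-secrets", "k": "aws-secret-key"}

def parse_ref(value: str):
    """Return (kind, engine, params), or None if value is not a secret reference.
    Assumed grammar: <prefix><engine>!<key>:<value>!<key>:<value>..."""
    for prefix in PREFIXES:
        if value.startswith(prefix):
            engine, *pairs = value[len(prefix):].split("!")
            break
    else:
        return None
    if not engine:
        raise ValueError(f"missing engine in {value!r}")
    params = {}
    for pair in pairs:
        key, sep, val = pair.partition(":")
        if not (key and sep and val):
            raise ValueError(f"malformed parameter {pair!r} in {value!r}")
        params[key] = val
    return prefix[:-1], engine, params

def find_refs(node: Any, path: str = "") -> Iterator[SecretRef]:
    """Yield every secret reference found in nested dicts, lists and strings."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from find_refs(child, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_refs(child, f"{path}[{i}]")
    elif isinstance(node, str):
        parsed = parse_ref(node)
        if parsed:
            yield SecretRef(path, *parsed)

def unresolved(config: Any, known_engines: set) -> list:
    """References whose engine is absent from the caller-supplied engine set."""
    return [r for r in find_refs(config) if r.engine not in known_engines]

# Constructed sample mirroring the section named in this thread; region is made up.
SAMPLE_CONFIG = {"service-settings": {"echo": {"env": {
    "AWS_SECRET_KEY": "encrypted:k8s!n:spin-secrets!k:aws-secret-key",
    "AWS_REGION": "us-west-2"}}}}
```

Calling `unresolved(SAMPLE_CONFIG, set())` returns the one reference at `service-settings.echo.env.AWS_SECRET_KEY` with engine `k8s`; the engine set to pass is whatever the component that will read the value actually registers.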

@theshabh58

Facing the same issue as well for reading encryptedFile.
