Jaydee94 / kubeseal-webgui

This is a simple web ui for Bitnami Sealed Secrets.
Apache License 2.0

Sealed Secrets sealed from UI can't be decrypted in cluster #197

Closed sebastian-lind-stratsys closed 1 year ago

sebastian-lind-stratsys commented 1 year ago

I have injected my own cert into my sealed secret controller and verified that I can encrypt and decrypt secrets. However, the secrets encrypted from the UI cannot be decrypted.

Furthermore, I have verified that the certificate which is copied to '/kubeseal-webgui/cert/kubeseal-cert.pem' is the same as the latest kubeseal-secret-key secret. So the fetch part works.

I have installed it using the Helm chart; this is the Argo application YAML file:

---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sealed-secrets-gui
  namespace: argocd
spec:
  destination:
    namespace: kube-system
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: kubeseal-webgui
    repoURL: https://jaydee94.github.io/kubeseal-webgui/
    targetRevision: 5.0.0
    helm:
      parameters:
        - name: ingress.ingressClass
          value: "nginx"
        - name: api.loglevel
          value: "DEBUG"
        - name: ingress.hostname
          value: "kubeseal-webgui.domain"
        - name: ingress.tls.secretName
          value: kubeseal-webgui-tls
        - name: ingress.tls.enabled
          value: "true"
        - name: serviceaccount.create
          value: "true"
        - name: api.url
          value: ""
        - name: sealedSecrets.autoFetchCert
          value: "true"
        - name: ingress.enabled
          value: "true"
      values: |-
        ingress:
          annotations:
            kubernetes.io/tls-acme: "true"
            cert-manager.io/cluster-issuer: letsencrypt
            nginx.ingress.kubernetes.io/auth-url: ""
            nginx.ingress.kubernetes.io/auth-signin:  ""
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
...

Any insight would be nice :)

Jaydee94 commented 1 year ago

Hey @sebastian-lind-stratsys, have you verified that you used the correct secret name while encrypting?

Which version of kubeseal-webgui did you use?

What kind of insight do you expect?

sebastian-lind-stratsys commented 1 year ago

I'm getting this error message when describing the SealedSecret object. I meant unsealed, that's my bad. I'm using the 5.0.0 Helm chart version, so the version it points to. I'm copying the YAML file that the web GUI is producing.

Error message:

  Warning  ErrUnsealFailed  6s (x12 over 8s)  sealed-secrets  Failed to unseal: no key could decrypt secret (foo)

Why is this error occurring?

Jaydee94 commented 1 year ago

This error usually occurs when the sealed secrets controller can't decrypt the sealed secret object.

I'm guessing the public certificate that you configured in kubeseal-webgui is wrong or maybe wrongly formatted.

Have you configured the certificate yourself in the values of the Helm chart?

Maybe you can try to use the autofetch certificate functionality. The api container will then fetch the certificate directly from the sealed secrets controller.

Let me know if this solves your issue.
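The two things the reply above points at (the UI sealing with a cert that is not the controller's, or the SealedSecret not matching the name/namespace it was sealed for) can both be checked offline once the artifacts are pulled out of the cluster. The script below is an added example for this thread, not code from kubeseal-webgui or from the Sealed Secrets controller. It assumes you have fetched the controller's current cert with `kubeseal --fetch-cert --controller-namespace kube-system > controller.pem`, copied the UI's cert out of the api container with `kubectl -n kube-system exec deploy/kubeseal-webgui -c api -- cat /kubeseal-webgui/cert/kubeseal-cert.pem > webgui.pem` (the deployment name is an assumption), and exported the SealedSecret with `kubectl get sealedsecret foo -o json`. The sample PEM blocks and the sample SealedSecret embedded in the script are constructed so it runs without a cluster; the PEM bodies are not real X.509 certificates.

```python
import base64
import hashlib
import re

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)
# Annotations the controller honours; with neither present the scope is
# strict (the default), binding both name and namespace into the ciphertext.
NAMESPACE_WIDE = "sealedsecrets.bitnami.com/namespace-wide"
CLUSTER_WIDE = "sealedsecrets.bitnami.com/cluster-wide"


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first CERTIFICATE block.

    Whitespace, CRLF endings and a missing final newline are ignored, so two
    copies of one cert that differ only in formatting compare equal, while a
    cert from a rotated key or from another controller does not.
    """
    m = _PEM_CERT.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def certs_match(webgui_pem: str, controller_pem: str) -> bool:
    """True when the UI sealed with the cert the controller currently serves."""
    return cert_fingerprint(webgui_pem) == cert_fingerprint(controller_pem)


def scope_problems(sealed: dict, sealed_for_name: str, sealed_for_namespace: str) -> list:
    """Name/namespace mismatches that make every controller key fail.

    Strict scope binds metadata.name and metadata.namespace; namespace-wide
    binds only the namespace; cluster-wide binds neither.  The sealed_for_*
    arguments are what was entered in the UI at seal time.
    """
    meta = sealed.get("metadata", {})
    ann = meta.get("annotations") or {}
    problems = []
    if ann.get(CLUSTER_WIDE) == "true":
        return problems
    if meta.get("namespace") != sealed_for_namespace:
        problems.append(
            f"namespace {meta.get('namespace')!r} != sealed-for {sealed_for_namespace!r}"
        )
    if ann.get(NAMESPACE_WIDE) == "true":
        return problems
    if meta.get("name") != sealed_for_name:
        problems.append(f"name {meta.get('name')!r} != sealed-for {sealed_for_name!r}")
    return problems


def diagnose(webgui_pem, controller_pem, sealed, sealed_for_name, sealed_for_namespace) -> list:
    """Every reason found; an empty list means neither check explains the error."""
    problems = []
    if not certs_match(webgui_pem, controller_pem):
        problems.append("UI cert fingerprint differs from the controller's active cert")
    problems.extend(scope_problems(sealed, sealed_for_name, sealed_for_namespace))
    return problems


def _fake_pem(body: bytes) -> str:
    # Constructed sample: NOT a real X.509 cert, just a PEM-wrapped byte
    # string so the fingerprint comparison can be exercised offline.
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(body).decode() + "\n"
            + "-----END CERTIFICATE-----\n")


CONTROLLER_PEM = _fake_pem(b"constructed controller cert 2023")
CONTROLLER_PEM_CRLF = CONTROLLER_PEM.replace("\n", "\r\n")   # same cert, reformatted
ROTATED_PEM = _fake_pem(b"constructed controller cert 2024")  # a different cert

# Constructed SealedSecret shaped like the UI's output (ciphertext elided).
SAMPLE_SEALED = {
    "apiVersion": "bitnami.com/v1alpha1",
    "kind": "SealedSecret",
    "metadata": {"name": "foo", "namespace": "default"},
    "spec": {"encryptedData": {"password": "<ciphertext>"}},
}

if __name__ == "__main__":
    cases = {
        "healthy": (CONTROLLER_PEM_CRLF, CONTROLLER_PEM, SAMPLE_SEALED, "foo", "default"),
        "stale cert, wrong namespace": (ROTATED_PEM, CONTROLLER_PEM, SAMPLE_SEALED, "foo", "kube-system"),
    }
    for label, args in cases.items():
        print(label, "->", diagnose(*args) or "no problem found")
```

In practice replace the constructed constants with the contents of `webgui.pem`, `controller.pem` and the exported JSON. If `diagnose` returns nothing, the cert the UI holds really is the active one and the scope matches, and the remaining suspects are a key that was rotated after sealing (the controller keeps old keys only if their secrets still exist) or a SealedSecret applied to a namespace other than the one shown in the UI.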

sebastian-lind-stratsys commented 1 year ago

As seen in the OP, I've provided the configured file; these are the values that are set:

helm:
  parameters:
    - name: ingress.ingressClass
      value: "nginx"
    - name: api.loglevel
      value: "DEBUG"
    - name: ingress.hostname
      value: "kubeseal-webgui.domain"
    - name: ingress.tls.secretName
      value: kubeseal-webgui-tls
    - name: ingress.tls.enabled
      value: "true"
    - name: serviceaccount.create
      value: "true"
    - name: api.url
      value: ""
    - name: sealedSecrets.autoFetchCert
      value: "true" # set to true
    - name: ingress.enabled
      value: "true"

So it's enabled, and the cert it fetches and puts into /kubeseal-webgui/cert/kubeseal-cert.pem is the correct cert.

Jaydee94 commented 1 year ago

As I said before, the error that you are seeing comes from the sealed secret controller. Have you had a look into the logs of sealed-secrets?

sebastian-lind-stratsys commented 1 year ago

It gives the same error: failed to unseal: no key could decrypt secret (secret name).

sebastian-lind-stratsys commented 1 year ago

It just started to work, no idea why, but thanks for the help :)