armory / spinnaker-kustomize-patches

Kustomize files for configuring and deploying Spinnaker using the Spinnaker Operator

SecretDecryptionException: Secret engine does not exist: k8s #72

Open andrijaperovic opened 3 years ago

andrijaperovic commented 3 years ago

After running deploy.sh, the deployment script goes through successfully; however, I am seeing an error in the halyard container of the spinnaker-operator pod:

2021-01-08 01:21:03.803 ERROR 1 --- [nio-8064-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is com.netflix.spinnaker.kork.secrets.SecretDecryptionException: Secret Engine does not exist: k8s] with root cause
com.netflix.spinnaker.kork.secrets.SecretDecryptionException: Secret Engine does not exist: k8s
    at com.netflix.spinnaker.kork.secrets.SecretManager.decryptAsBytes(SecretManager.java:85) ~[kork-secrets-7.68.0.jar:7.68.0]
    at com.netflix.spinnaker.kork.secrets.SecretManager.decrypt(SecretManager.java:48) ~[kork-secrets-7.68.0.jar:7.68.0]
    at com.netflix.spinnaker.kork.secrets.SecretSession.decrypt(SecretSession.java:20) ~[kork-secrets-7.68.0.jar:7.68.0]
    at com.netflix.spinnaker.halyard.core.secrets.v1.SecretSessionManager.decrypt(SecretSessionManager.java:71) ~[halyard-core-operator-c1d641c.jar:na]
    at com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.ServiceSettings.lambda$decryptSecrets$1(ServiceSettings.java:127) ~[halyard-deploy-operator-c1d641c.jar:na]
    at java.base/java.util.HashMap.replaceAll(HashMap.java:1352) ~[na:na]
    at com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.ServiceSettings.decryptSecrets(ServiceSettings.java:126) ~[halyard-deploy-operator-c1d641c.jar:na]
    at com.netflix.spinnaker.halyard.deploy.spinnaker.v1.service.SpinnakerServiceProvider.buildRuntimeSettings(SpinnakerServiceProvider.java:48) ~[halyard-deploy-operator-c1d641c.jar:na]
    at com.netflix.spinnaker.halyard.deploy.services.v1.GenerateService.generateConfig(GenerateService.java:111) ~[halyard-deploy-operator-c1d641c.jar:na]
    at com.netflix.spinnaker.halyard.deploy.deployment.v1.ManifestGenerator.generateManifestList(ManifestGenerator.java:92) ~[halyard-deploy-operator-c1d641c.jar:na]
    at com.netflix.spinnaker.halyard.controllers.v1.DeploymentController.getCombinedDeploymentManifests(DeploymentController.java:368) ~[halyard-web-operator-c1d641c.jar:na]
    at jdk.internal.reflect.GeneratedMethodAccessor1051.invoke(Unknown Source) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.7.RELEASE.jar:5.2.7.RELEASE]
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.7.RELEASE.jar:5.2.7.RELEASE]

I have specified secrets in the SpinnakerService CRD using the following convention:

encrypted:k8s!n:spin-secrets!k:aws-secret-key

Is there some limitation to what keys can be used? Or is this format incorrect?

andrijaperovic commented 3 years ago

https://github.com/spinnaker/kork/blob/ca3f39ff3a08eba68a2c99b94581d1aa2e79fff6/kork-secrets/src/test/java/com/netflix/spinnaker/kork/secrets/EncryptedSecretTest.java
https://github.com/spinnaker/kork/blob/ca3f39ff3a08eba68a2c99b94581d1aa2e79fff6/kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/SecretManager.java

andrijaperovic commented 3 years ago

Looks like the issue is that encrypted properties are not supported inside of service-settings.echo.env. After adding a plaintext value for AWS_SECRET_KEY it is working as expected.
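
Added example, not part of the original thread and not code from kork, Halyard or the operator: a pre-deploy lint that parses `encrypted:` / `encryptedFile:` references of the form quoted in the first comment and reports any whose engine is unavailable to the process that will decrypt them, so a reference like the one under `service-settings.echo.env` is caught before it is replaced with a plaintext value. It goes beyond the single value in the thread by walking any nested config; the `available_engines` set, the helper names and the sample config are assumptions constructed for illustration.

```python
PREFIXES = ("encrypted:", "encryptedFile:")

def parse_secret_ref(value):
    """Return (kind, engine, params) for a secret reference, None for a plain value."""
    for prefix in PREFIXES:
        if value.startswith(prefix):
            break
    else:
        return None
    # Layout: <prefix><engine>!<key>:<value>!<key>:<value>...
    engine, *pairs = value[len(prefix):].split("!")
    params = {}
    for pair in pairs:
        key, sep, val = pair.partition(":")
        if not (key and sep and val):
            raise ValueError(f"malformed parameter {pair!r}")
        params[key] = val
    if not engine or not params:
        raise ValueError("missing engine or parameters")
    return prefix.rstrip(":"), engine, params

def walk(node, path=""):
    """Yield (dotted_path, string) for every string leaf in nested dicts/lists."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk(child, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def lint(config, available_engines):
    """List (path, problem) for malformed references and unknown engines."""
    findings = []
    for path, value in walk(config):
        try:
            ref = parse_secret_ref(value)
        except ValueError as exc:
            findings.append((path, f"invalid secret reference: {exc}"))
            continue
        if ref and ref[1] not in available_engines:
            findings.append((path, f"Secret Engine does not exist: {ref[1]}"))
    return findings

# Constructed sample mirroring the setting discussed in the thread.
SAMPLE = {"service-settings": {"echo": {"env": {
    "EXAMPLE_FLAG": "true",  # plain value, ignored by the lint
    "AWS_SECRET_KEY": "encrypted:k8s!n:spin-secrets!k:aws-secret-key",
}}}}

if __name__ == "__main__":
    # {"s3"} is an assumed engine set, not Halyard's actual registry.
    for path, problem in lint(SAMPLE, available_engines={"s3"}):
        print(f"{path}: {problem}")
```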

theshabh58 commented 1 year ago

Facing the same issue as well for reading encryptedFile.