getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Error- Failed to get the data key required to decrypt the SOPS file. #1119

Open kavita1205 opened 2 years ago

kavita1205 commented 2 years ago

Hi Team, I am running a Helm chart in a container and passing the configuration below for .sops.yaml. I am also using age for encryption and decryption. When I run the Helm command below in the CI/CD pipeline I get an error, but when I run the same command on my local Linux box it works fine. Can someone please help me fix this issue?

Command:-

"KUBECONFIG=\$KUBECONFIG helm secrets upgrade --install ${SERVICE_NAME} xperi-helm-repository/${SERVICE_NAME} \
    -f secrets/\${NAMESPACE}/${SERVICE_NAME}/secrets.yaml \
    -f secrets/\${NAMESPACE}/ml-common/regcred2.yaml \
    -f environments/\${NAMESPACE}/${SERVICE_NAME}/values.yaml \
    --version="${HELM_CHART_VERSION}" --set image.tag="${DOCKER_TAG}" -n ${NAMESPACE} --debug --dry-run --wait --timeout 20m0s"

Error :-

18:05:04  load_plugins.go:111: [info] File (/tmp/.local/share/helm/plugins/helm-diff/completion.yaml) not provided by plugin. No plugin auto-completion possible.
18:05:04  Failed to get the data key required to decrypt the SOPS file.
18:05:04  
18:05:04  Group 0: FAILED
18:05:04    age1wv2tmu3szxlrn5gxr7yxx3c39spn9q30acdys5t2wpxsqzmd0yjs67XXXX: FAILED
18:05:04      - | no age identity found in "/tmp/.config/sops/age/keys.txt"
18:05:04        | that could decrypt the data
18:05:04  
18:05:04  Recovery failed because no master key was able to decrypt the file. In
18:05:04  order for SOPS to recover the file, at least one key has to be successful,
18:05:04  but none were.
18:05:04  [helm-secrets] Error while decrypting file: secrets/ml-datapipeline-dev/ml-search/secrets.yaml
18:05:04  Error: plugin "secrets" exited with error
18:05:04  helm.go:88: [debug] plugin "secrets" exited with error
.sops.yaml:-

creation_rules:
    -   path_regex: .*
        encrypted_regex: ^(data|stringData)$
        age: "age1wv2tmu3szxlrn5gxr7yxx3c39spn9q30acdys5t2wpxsqzmd0yjsfdghgsd"

Code structure:- 

environment |--> all_code_files
secrets     |--> environment |--> secrets.yaml
Jenkinsfile |--> Jenkinsfile
Dockerfile  |--> Dockerfile
.sops.yaml

labaq commented 2 years ago

I have the same issue, and I fixed it by adding the key at the missing path. But I think there should be an official way to fix this.

mthbrown commented 1 year ago

Only the public key (age1wv2tmu3szxlrn5gxr7yxx3c39spn9q30acdys5t2wpxsqzmd0yjsfdghgsd in your case) is added to .sops.yaml, as .sops.yaml is meant to be committed to git, and committing the private key would negate the use of sops. For you to be able to decrypt it, you'll have to have keys.txt on your server and the environment variable SOPS_AGE_KEY_FILE pointing to it, or pass the key in as the environment variable SOPS_AGE_KEY.
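The comment above describes how sops locates the age identity at decrypt time; the error in the original report shows sops looking in /tmp/.config/sops/age/keys.txt, i.e. under the container's HOME rather than wherever keys.txt was placed. The following script is an added example, not code from the sops or helm-secrets projects, and the function names, the constructed keys.txt contents and the placeholder AGE-SECRET-KEY line are assumptions for illustration. It resolves the identity source in the order sops applies on Linux (SOPS_AGE_KEY, then SOPS_AGE_KEY_FILE, then $XDG_CONFIG_HOME/sops/age/keys.txt, then $HOME/.config/sops/age/keys.txt; macOS and Windows use different default paths) and fails early with a useful message, so a CI job can run it before `helm secrets upgrade` instead of discovering the problem inside the plugin. Inline SOPS_AGE_KEY support exists only in recent sops releases; check your installed version if that branch is used.

```shell
#!/bin/sh
# sops_age_preflight.sh (added example, not part of sops or helm-secrets):
# work out where sops will look for an age identity and fail early with a
# clear message before `helm secrets upgrade` runs in CI.

# Print the identity source sops uses, in the precedence sops applies on
# Linux: SOPS_AGE_KEY (inline identities), then SOPS_AGE_KEY_FILE, then
# $XDG_CONFIG_HOME/sops/age/keys.txt, then $HOME/.config/sops/age/keys.txt.
sops_age_key_source() {
  if [ -n "${SOPS_AGE_KEY:-}" ]; then
    echo "env:SOPS_AGE_KEY"
  elif [ -n "${SOPS_AGE_KEY_FILE:-}" ]; then
    echo "file:${SOPS_AGE_KEY_FILE}"
  elif [ -n "${XDG_CONFIG_HOME:-}" ]; then
    echo "file:${XDG_CONFIG_HOME}/sops/age/keys.txt"
  else
    echo "file:${HOME:-}/.config/sops/age/keys.txt"
  fi
}

# Return 0 when at least one age secret key is reachable through that source,
# 1 with a diagnostic on stderr otherwise. Identity lines in an age keys.txt
# start with AGE-SECRET-KEY-1; lines starting with '#' are comments.
sops_age_preflight() {
  src=$(sops_age_key_source)
  case "$src" in
    env:*)
      ids=$SOPS_AGE_KEY
      ;;
    file:*)
      f=${src#file:}
      if [ ! -r "$f" ]; then
        echo "sops age preflight: no identity file at $f (HOME=${HOME:-unset})" >&2
        echo "  set SOPS_AGE_KEY_FILE to the keys.txt path, or pass the key in SOPS_AGE_KEY" >&2
        return 1
      fi
      ids=$(cat "$f")
      ;;
  esac
  if ! printf '%s\n' "$ids" | grep -q '^AGE-SECRET-KEY-1'; then
    echo "sops age preflight: $src holds no AGE-SECRET-KEY-1... line" >&2
    return 1
  fi
  echo "sops age preflight: identity found via $src"
  # When age-keygen is installed, derive the recipient of each identity so it
  # can be compared with the age: field of .sops.yaml; the "Group 0: FAILED"
  # message names the recipient sops expected, not the path it searched.
  if command -v age-keygen >/dev/null 2>&1; then
    printf '%s\n' "$ids" | grep '^AGE-SECRET-KEY-1' | while read -r k; do
      printf '%s\n' "$k" | age-keygen -y 2>/dev/null || echo "  (could not derive recipient)"
    done
  fi
  return 0
}

# Demo with a constructed identity (not a real key). The first run mimics the
# CI container: HOME points somewhere with no keys.txt, so the check fails the
# same way the plugin did. The second run points SOPS_AGE_KEY_FILE at the file.
demo_dir=$(mktemp -d)
printf '# created: constructed for this example\nAGE-SECRET-KEY-1CONSTRUCTEDEXAMPLEKEYNOTVALID\n' > "$demo_dir/keys.txt"
( unset SOPS_AGE_KEY SOPS_AGE_KEY_FILE XDG_CONFIG_HOME; HOME=$demo_dir; export HOME
  sops_age_preflight || true )
( unset SOPS_AGE_KEY XDG_CONFIG_HOME; SOPS_AGE_KEY_FILE=$demo_dir/keys.txt; export SOPS_AGE_KEY_FILE
  sops_age_preflight || true )
rm -rf "$demo_dir"
```

In a Jenkins pipeline the natural place for this is the step immediately before the `helm secrets upgrade` call, with SOPS_AGE_KEY_FILE (or SOPS_AGE_KEY from the credential store) exported in the same shell so that both the preflight and the plugin see the same value; the keys.txt file itself stays out of git, only the age1... recipient belongs in .sops.yaml.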

shrutichaudhary17 commented 10 months ago

> i have same issue. and i fix it by adding the key on the missing path. but i think there have the official way to fix this.

Can you elaborate: what is the missing path?

elisaado commented 7 months ago

thank you @mthbrown

It seems like the env vars SOPS_AGE_KEY_FILE and SOPS_AGE_KEY are not well documented in SOPS; they did, however, fix the issue here.