jkroepke / helm-secrets

A helm plugin that help manage secrets with Git workflow and store them anywhere
https://github.com/jkroepke/helm-secrets/wiki
Apache License 2.0
1.49k stars 128 forks

error converting YAML to JSON: yaml: invalid leading UTF-8 octet Error: plugin "secrets" exited with error #376

Closed yaroslav-svirida closed 1 year ago

yaroslav-svirida commented 1 year ago

Current Behavior

rpc error: code = Unknown desc = helm template . --name-template demo-app --namespace demo --kube-version 1.26 --values .Chart_34/templates/secrets.yaml --api-versions admissionregistration.k8s.io/v1 --api-versions admissionregistration.k8s.io/v1/MutatingWebhookConfiguration --api-versions admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration --api-versions apiextensions.k8s.io/v1 --api-versions apiextensions.k8s.io/v1/CustomResourceDefinition --api-versions apiregistration.k8s.io/v1 --api-versions apiregistration.k8s.io/v1/APIService --api-versions apps/v1 --api-versions apps/v1/ControllerRevision --api-versions apps/v1/DaemonSet --api-versions apps/v1/Deployment --api-versions apps/v1/ReplicaSet --api-versions apps/v1/StatefulSet --api-versions argoproj.io/v1alpha1 --api-versions argoproj.io/v1alpha1/AppProject --api-versions argoproj.io/v1alpha1/Application --api-versions argoproj.io/v1alpha1/ApplicationSet --api-versions autoscaling/v1 --api-versions autoscaling/v1/HorizontalPodAutoscaler --api-versions autoscaling/v2 --api-versions autoscaling/v2/HorizontalPodAutoscaler --api-versions batch/v1 --api-versions batch/v1/CronJob --api-versions batch/v1/Job --api-versions certificates.k8s.io/v1 --api-versions certificates.k8s.io/v1/CertificateSigningRequest --api-versions coordination.k8s.io/v1 --api-versions coordination.k8s.io/v1/Lease --api-versions discovery.k8s.io/v1 --api-versions discovery.k8s.io/v1/EndpointSlice --api-versions events.k8s.io/v1 --api-versions events.k8s.io/v1/Event --api-versions flowcontrol.apiserver.k8s.io/v1beta2 --api-versions flowcontrol.apiserver.k8s.io/v1beta2/FlowSchema --api-versions flowcontrol.apiserver.k8s.io/v1beta2/PriorityLevelConfiguration --api-versions flowcontrol.apiserver.k8s.io/v1beta3 --api-versions flowcontrol.apiserver.k8s.io/v1beta3/FlowSchema --api-versions flowcontrol.apiserver.k8s.io/v1beta3/PriorityLevelConfiguration --api-versions networking.k8s.io/v1 --api-versions networking.k8s.io/v1/Ingress 
--api-versions networking.k8s.io/v1/IngressClass --api-versions networking.k8s.io/v1/NetworkPolicy --api-versions node.k8s.io/v1 --api-versions node.k8s.io/v1/RuntimeClass --api-versions policy/v1 --api-versions policy/v1/PodDisruptionBudget --api-versions rbac.authorization.k8s.io/v1 --api-versions rbac.authorization.k8s.io/v1/ClusterRole --api-versions rbac.authorization.k8s.io/v1/ClusterRoleBinding --api-versions rbac.authorization.k8s.io/v1/Role --api-versions rbac.authorization.k8s.io/v1/RoleBinding --api-versions scheduling.k8s.io/v1 --api-versions scheduling.k8s.io/v1/PriorityClass --api-versions storage.k8s.io/v1 --api-versions storage.k8s.io/v1/CSIDriver --api-versions storage.k8s.io/v1/CSINode --api-versions storage.k8s.io/v1/CSIStorageCapacity --api-versions storage.k8s.io/v1/StorageClass --api-versions storage.k8s.io/v1/VolumeAttachment --api-versions storage.k8s.io/v1beta1 --api-versions storage.k8s.io/v1beta1/CSIStorageCapacity --api-versions v1 --api-versions v1/ConfigMap --api-versions v1/Endpoints --api-versions v1/Event --api-versions v1/LimitRange --api-versions v1/Namespace --api-versions v1/Node --api-versions v1/PersistentVolume --api-versions v1/PersistentVolumeClaim --api-versions v1/Pod --api-versions v1/PodTemplate --api-versions v1/ReplicationController --api-versions v1/ResourceQuota --api-versions v1/Secret --api-versions v1/Service --api-versions v1/ServiceAccount --include-crds failed exit status 1: Error: failed to parse .Chart_34/templates/secrets.yaml: error converting YAML to JSON: yaml: invalid leading UTF-8 octet Error: plugin "secrets" exited with error

Expected Behavior

No response

Steps To Reproduce

1. Add in the argocd-repo-server Deployment:
repoServer:
  env:
    - name: HELM_PLUGINS
      value: /custom-tools/helm-plugins/
    - name: HELM_SECRETS_CURL_PATH
      value: /custom-tools/curl
    - name: HELM_SECRETS_SOPS_PATH
      value: /custom-tools/sops
    - name: HELM_SECRETS_VALS_PATH
      value: /custom-tools/vals
    - name: HELM_SECRETS_KUBECTL_PATH
      value: /custom-tools/kubectl
    - name: HELM_SECRETS_BACKEND
      value: sops
    # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
    - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
      value: "false"
    - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
      value: "true"
    - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
      value: "false"
    - name: HELM_SECRETS_WRAPPER_ENABLED
      value: "true"
    - name: HELM_SECRETS_HELM_PATH
      value: /usr/local/bin/helm

    - name: HELM_SECRETS_LOAD_GPG_KEYS
      # Multiple keys can be separated by space
      value: /helm-secrets-private-keys/key.asc
  volumes:
    - name: custom-tools
      emptyDir: {}
    # kubectl create secret generic helm-secrets-private-keys --from-file=key.asc=assets/gpg/private2.gpg
    - name: helm-secrets-private-keys
      secret:
        secretName: helm-secrets-private-keys
  volumeMounts:
    - mountPath: /custom-tools
      name: custom-tools
    - mountPath: /usr/local/sbin/helm
      subPath: helm
      name: custom-tools
    - mountPath: /helm-secrets-private-keys/
      name: helm-secrets-private-keys
  initContainers:
    - name: download-tools
      image: alpine:latest
      imagePullPolicy: IfNotPresent
      command: [sh, -ec]
      env:
        - name: HELM_SECRETS_VERSION
          value: "4.4.2"
        - name: KUBECTL_VERSION
          value: "1.26.1"
        - name: VALS_VERSION
          value: "0.24.0"
        - name: SOPS_VERSION
          value: "3.7.3"
      args:
        - |
          mkdir -p /custom-tools/helm-plugins
          wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;

          wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64
          wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
          wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl

          wget -qO- https://github.com/helmfile/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals;

          cp /custom-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /custom-tools/helm

          chmod +x /custom-tools/*
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
2. Added to the argocd-cm ConfigMap:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  helm.valuesFileSchemes: >-
    secrets+gpg-import, secrets+gpg-import-kubernetes,
    secrets+age-import, secrets+age-import-kubernetes,
    secrets,secrets+literal,
    https
3. Add in values.yaml:
server:
  config:
    helm.valuesFileSchemes: >-
      secrets+gpg-import, secrets+gpg-import-kubernetes,
      secrets+age-import, secrets+age-import-kubernetes,
      secrets,secrets+literal,
      https
4. gpg --full-generate-key --rfc4880
5. gpg --armor --export-secret-keys <key-id> > key.asc
6. kubectl -n argocd create secret generic helm-secrets-private-keys --from-file=key.asc
7. Add:
helm:
  valueFiles:
    # Method 1: Use gpg key defined in HELM_SECRETS_LOAD_GPG_KEYS
    - templates/secrets.yaml
https://github.com/yaroslav-svirida/task34_argocd/blob/main/demo-app.yaml
8. gpg --recipient q --encrypt secrets.yaml
9. git commit + git push

Environment

Anything else?

all code here https://github.com/yaroslav-svirida/task34_argocd

Please tell me what is wrong? ((

jkroepke commented 1 year ago

The https://github.com/yaroslav-svirida/task34_argocd/blob/main/Chart_34/templates/secrets.yaml isn't a YAML file.

yaroslav-svirida commented 1 year ago

This file is encoded with the help of a gpg key. I did it like this: gpg --recipient q --encrypt secrets.yaml. This file keeps the encoded information ([binary gpg output, unreadable when pasted as text]). I couldn't find the way in your article and searched on Google ( Could you tell me how to do it better?

yaroslav-svirida commented 1 year ago

I changed the encryption. I created .sops.yaml and encrypted it like this: helm secrets encrypt secrets.yaml > templates/secrets.yaml. Now I have this error: ............failed exit status 1: No keys found in file [helm-secrets] Error while decrypting file: .Chart_34/templates/secrets.yaml Error: plugin "secrets" exited with error.

Please tell me what is wrong? ((

jkroepke commented 1 year ago

Just don't do that.

Don't encrypt files in the templates/ dir. Only encrypting values files is supported. Create a secrets.yaml next to your values.yaml and pass the secret file to helm template . -f secrets://secrets.yaml

jkroepke commented 1 year ago

Follow the guide from https://medium.com/@mprzygrodzki/argocd-with-helm-secrets-and-kms-encryption-1f0944728873

He does not encrypt files from the templates dir.

yaroslav-svirida commented 1 year ago
1. Create file .sops.yaml
2. Create file with sensitive content secret10.yaml
3. Encrypt: helm secrets encrypt secret10.yaml > secrets.yaml
4. helm template . -f secrets://secrets.yaml
5. No keys found in file [helm-secrets] Error while decrypting file: secrets.yaml Error: plugin "scripts/run.sh downloader" exited with error

Please tell me what is wrong? ((
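Both errors in this thread come from handing helm-secrets something that is not a SOPS-encrypted YAML values file: first a binary blob from gpg --recipient q --encrypt (helm's YAML parser rejects the first byte as an "invalid leading UTF-8 octet"), then a file that sops cannot decrypt ("No keys found in file"), placed under templates/ instead of next to values.yaml as the maintainer describes. The checker below is an added example, not code from helm-secrets, sops, ArgoCD or the issue author. It classifies a candidate file before it is committed. Assumptions: that "No keys found in file" corresponds to a sops: metadata block with no pgp/age/kms entries (e.g. when no .sops.yaml creation_rules entry matched the path); the sample inputs are constructed, including the GPG_BINARY bytes, which only mimic the leading packet header of real gpg output; and the line-based YAML scan covers the block layout sops writes rather than arbitrary YAML.

```python
"""Pre-flight check for a file that helm-secrets will load via secrets://<file>. Maps it onto
the failure modes in this thread: binary `gpg --encrypt` output (helm: "invalid leading UTF-8
octet"), plaintext with no `sops:` metadata, a `sops:` block with no master-key entries
(assumed cause of "No keys found in file"), and a file placed under templates/."""
import re

MASTER_KEY_TYPES = ("pgp", "age", "kms", "gcp_kms", "azure_kv", "hc_vault")
ENC_RE = re.compile(r"ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]")
# `key: value`, optionally a list item. Small YAML subset for the layout sops writes.
KEY_LINE = re.compile(r"^(\s*)(?:- )?([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _split_sops_block(text):
    """Return (lines outside, lines inside) the top-level `sops:` map."""
    body, sops, in_sops = [], [], False
    for line in text.splitlines():
        if in_sops and line.strip() and _indent(line) == 0:
            in_sops = False
        if not in_sops and line.rstrip() == "sops:":
            in_sops = True
            continue
        (sops if in_sops else body).append(line)
    return body, sops


def _count_master_keys(sops_lines):
    """Count entries under each `<type>:` list inside the sops block."""
    counts, i = {t: 0 for t in MASTER_KEY_TYPES}, 0
    while i < len(sops_lines):
        m = KEY_LINE.match(sops_lines[i])
        i += 1
        if not m or m.group(2) not in MASTER_KEY_TYPES:
            continue
        indent, key, inline = len(m.group(1)), m.group(2), m.group(3)
        if inline.startswith("["):  # `pgp: []` or a flow list of scalars
            counts[key] = 0 if inline.replace(" ", "") == "[]" else inline.count(",") + 1
            continue
        while i < len(sops_lines):  # block list: `- ` items until indent returns to key level
            if sops_lines[i].strip() and _indent(sops_lines[i]) <= indent:
                break
            counts[key] += sops_lines[i].lstrip().startswith("- ")
            i += 1
    return counts


def _plaintext_leaves(body_lines):
    """Scalar leaves outside the sops block that are not ENC[...]; keys ending in
    _unencrypted (sops' default exception) are skipped."""
    plain = 0
    for m in map(KEY_LINE.match, body_lines):
        if (m and m.group(3) and m.group(3) not in ("|", ">")
                and not m.group(2).endswith("_unencrypted") and not ENC_RE.fullmatch(m.group(3))):
            plain += 1
    return plain


def check_values_file(data, path):
    """Return (kind, problems); kind is binary, pgp-armor, plaintext, sops-no-keys or sops."""
    problems = []
    if path.startswith("templates/") or "/templates/" in path:
        problems.append("lives under templates/: helm renders it as a template; keep encrypted "
                        "values next to values.yaml and load them with secrets://")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as e:
        problems.append(f"not UTF-8 (byte 0x{data[e.start]:02x} at offset {e.start}): binary such "
                        "as `gpg --encrypt` output, not YAML; encrypt with sops / helm secrets encrypt")
        return "binary", problems
    if text.lstrip().startswith("-----BEGIN PGP MESSAGE-----"):
        problems.append("ASCII-armored OpenPGP message, not YAML; use sops instead of gpg --encrypt")
        return "pgp-armor", problems
    body, sops = _split_sops_block(text)
    if not sops:
        problems.append("no `sops:` metadata block: plaintext values file, nothing to decrypt")
        return "plaintext", problems
    if sum(_count_master_keys(sops).values()) == 0:
        problems.append("`sops:` block has no master-key entries (pgp/age/kms/...): sops cannot "
                        "decrypt it; check that a .sops.yaml creation_rules entry matched the file")
        return "sops-no-keys", problems
    plain = _plaintext_leaves(body)
    if plain:
        problems.append(f"{plain} leaf value(s) not in ENC[...] form; review before committing")
    return "sops", problems


# Constructed samples, not taken from the issue. GPG_BINARY mimics the first bytes of binary
# `gpg --encrypt` output: 0x85 is an old-format OpenPGP packet header, not a valid UTF-8
# leading octet. The YAML samples are hand-written in the layout sops produces.
GPG_BINARY = bytes.fromhex("85020c039bf3a24e1c0d7a110107ff")
SOPS_OK = b"""\
db:
    password: ENC[AES256_GCM,data:dGVzdA==,iv:aWl2,tag:dGFn,type:str]
sops:
    kms: []
    pgp: []
    age:
        - recipient: age1exampleexampleexampleexampleexampleexampleexampleexampleexample
    version: 3.7.3
"""
SOPS_NO_KEYS = b"db:\n    password: ENC[AES256_GCM,data:dGVzdA==,iv:aWl2,tag:dGFn,type:str]\n" \
               b"sops:\n    kms: []\n    pgp: []\n    age: []\n    version: 3.7.3\n"
PLAIN_VALUES = b"db:\n    password: hunter2\n"

if __name__ == "__main__":
    import sys
    kind, problems = check_values_file(open(sys.argv[1], "rb").read(), sys.argv[1])
    print(kind, *problems, sep="\n  ")
```

Run it as `python check_values.py secrets.yaml` before `helm template . -f secrets://secrets.yaml`: the layout the maintainer asks for yields the verdict "sops" with no problems, while the two files from this thread come back as "binary" (with the templates/ warning) and "sops-no-keys". The plaintext-leaf count is a cheap guard against committing a half-encrypted file when encrypted_regex in .sops.yaml is too narrow.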

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.