kapicorp / kapitan

Generic templated configuration management for Kubernetes, Terraform and other things
https://kapitan.dev
Apache License 2.0

Secrets: Dependency problem when creating a RSA key pair in Kapitan inventory #749

Open siku4 opened 3 years ago

siku4 commented 3 years ago

Describe the bug/feature

We try to generate the RSA pub key via Kapitan (||reveal:path/to/encrypted_private_key|publickey) from a private key that should also be created by Kapitan (||rsa) in the same run.

It is not possible to make Kapitan generate both keys in a single kapitan compile run: it seems that Kapitan always tries to create the pub key first (independent of the order in the inventory or of the components that access the parameter). This behavior leads to the error that the |publickey function cannot find the referenced private key.

To Reproduce

1. In the inventory add:

   ```yaml
   node:
     node_privkey: "?{awskms:${target}/aws/node_ssh_privkey||rsa:4096}"
     node_pubkey: "?{awskms:${target}/aws/node_ssh_pubkey||reveal:${target}/aws/node_ssh_privkey|publickey}"
   ```

2. In a component add:

   ```yaml
   ssh_keys:
     private_key: {{ inventory.parameters.node.node_privkey }}
     public_key: {{ inventory.parameters.node.node_pubkey }}
   ```

3. Run `kapitan compile --target target1`

Everything works fine if you set node_pubkey to a random string (remove the function call), run `kapitan compile --target target1` so that the privkey is generated, then add the function call to node_pubkey again and run `kapitan compile --target target1` once more.

Expected behavior

Kapitan resolves the dependencies automatically, or there is some way to influence the order of the function calls so that the priv key can be created first.

Additional context

Thank you!
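As an added example that is not part of this issue thread or of Kapitan's own code: a small Python resolver that parses references written in the syntax the report uses, builds a dependency graph from every `reveal:<path>` in a function chain, and generates the references in topological order, which is the behaviour the reporter expects. Key material is simulated with labelled placeholder strings, because the point is the ordering and the missing-dependency failure rather than RSA itself; the sample inventory is constructed here with `${target}` substituted as `target1`, and the `MissingReference` error text mimics the message quoted in the thread.

```python
import hashlib
import re
import secrets
from graphlib import TopologicalSorter

# Kapitan-style secret reference: ?{backend:path||func1:arg|func2}
# (this parser and resolver are an added illustration, not Kapitan's code)
REF_RE = re.compile(
    r"\?\{(?P<backend>[A-Za-z0-9]+):(?P<path>[^|}]+)(?:\|\|(?P<funcs>[^}]+))?\}"
)


class MissingReference(LookupError):
    """Raised when reveal:<path> names a secret that has not been generated."""


def parse_ref(ref):
    """Split a reference into (backend, path, [functions])."""
    m = REF_RE.fullmatch(ref.strip())
    if m is None:
        raise ValueError(f"not a secret reference: {ref!r}")
    funcs = m.group("funcs").split("|") if m.group("funcs") else []
    return m.group("backend"), m.group("path"), funcs


def reveal_dependencies(funcs):
    """Paths that a function chain reads through reveal:<path>."""
    return [f.split(":", 1)[1] for f in funcs if f.startswith("reveal:")]


def resolve_order(refs):
    """Order parameter names so every reveal:<path> producer runs first.

    refs maps a parameter name to its reference string. A dependency on a
    path that no reference in `refs` produces is left to the store (it may
    exist from an earlier run). A cycle raises graphlib.CycleError.
    """
    parsed = {name: parse_ref(r) for name, r in refs.items()}
    producer = {path: name for name, (_, path, _) in parsed.items()}
    graph = {
        name: {producer[p] for p in reveal_dependencies(funcs) if p in producer}
        for name, (_, _, funcs) in parsed.items()
    }
    return list(TopologicalSorter(graph).static_order())


def _apply(func, value, store, ref):
    """Simulated function chain; real Kapitan generates an RSA key here."""
    if func.startswith("rsa"):
        bits = int(func.split(":", 1)[1]) if ":" in func else 2048
        # placeholder, NOT a real key: random bytes tagged with the size
        return f"SIMULATED-RSA-{bits}-PRIVATE:{secrets.token_hex(16)}"
    if func.startswith("reveal:"):
        path = func.split(":", 1)[1]
        if path not in store:
            raise MissingReference(
                f"|reveal function error: {path} file in {ref} does not exist"
            )
        return store[path]
    if func == "publickey":
        # placeholder derivation standing in for private -> public key
        return "SIMULATED-PUBLIC:" + hashlib.sha256(value.encode()).hexdigest()
    raise ValueError(f"unknown function {func!r}")


def compile_refs(refs, store=None):
    """Generate every reference in dependency order.

    Returns (store, resolved): the populated path -> secret store and the
    resolved value per parameter name. Paths already in `store` are reused,
    which is what a second `kapitan compile` run sees.
    """
    store = {} if store is None else dict(store)
    resolved = {}
    for name in resolve_order(refs):
        _backend, path, funcs = parse_ref(refs[name])
        if path in store:
            resolved[name] = store[path]
            continue
        value = None
        for f in funcs:
            value = _apply(f, value, store, refs[name])
        store[path] = value
        resolved[name] = value
    return store, resolved


# Constructed sample mirroring the issue's inventory, target = target1.
# The pubkey entry is listed first on purpose: order in the inventory
# must not matter once dependencies are resolved.
INVENTORY = {
    "node_pubkey": "?{awskms:target1/aws/node_ssh_pubkey||"
                   "reveal:target1/aws/node_ssh_privkey|publickey}",
    "node_privkey": "?{awskms:target1/aws/node_ssh_privkey||rsa:4096}",
}

if __name__ == "__main__":
    print("generation order:", resolve_order(INVENTORY))
    _store, out = compile_refs(INVENTORY)
    for k, v in out.items():
        print(f"{k}: {v[:40]}...")
```

Running the sample prints `node_privkey` before `node_pubkey` regardless of inventory order; calling `compile_refs` with only the `node_pubkey` entry and an empty store raises `MissingReference`, reproducing the failure the thread describes, while passing the store from a first run back into a second run reuses the generated values.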

ademariag commented 3 years ago

Hello @siku4 ,

thank you for reporting this issue.

I confirm I also observe this behaviour, with the error message being:

|reveal function error: targets/XXX/token_private_key file in gkms:targets/XXX/token_private_key_encoded|reveal:targets/XXX/token_private_key does not exist

Please feel free to also join our community at the #kapitan channel of the kubernetes slack.

github-actions[bot] commented 3 months ago

This issue is stale because it has been open for 1 year with no activity. Remove the stale label or comment if this issue is still relevant for you. If not, please close it yourself.