kestra-io / plugin-fs

https://kestra.io/plugins/plugin-fs/
Apache License 2.0

SECRET env variables seem to be broken with ssh logins #115

Closed johnsturgeon closed 4 months ago

johnsturgeon commented 5 months ago

Expected Behavior

I expect to be able to access SECRET_etc... environment variables (from docker compose) in my Kestra instance to be able to log into a remote server via the ssh command plugin

Actual Behaviour

I get an auth fail error: 2024-04-02 11:50:19.953 Auth fail

With the following trace:

2024-04-02 11:50:19.953 com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:519)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at io.kestra.plugin.fs.ssh.Command.run(Command.java:110)
    at io.kestra.plugin.fs.ssh.Command.run(Command.java:38)
    at io.kestra.core.runners.Worker$WorkerThread.run(Worker.java:710)

Steps To Reproduce

Here's my docker-compose (password changed, obv)

volumes:
  kestra-postgres-data:
    external: true
  kestra-data:
    external: true

services:
  postgres:
    image: postgres
    volumes:
      - kestra-postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: kestra
      POSTGRES_USER: kestra
      POSTGRES_PASSWORD: k3str4
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 30s
      timeout: 10s
      retries: 10

  kestra:
    image: kestra/kestra:latest-full
    pull_policy: always
    # Note that this is meant for development only. Refer to the documentation for production deployments of Kestra which runs without a root user.
    user: "root"
    command: server standalone --worker-thread=128
    volumes:
      - kestra-data:/app/storage
      - /var/run/docker.sock:/var/run/docker.sock
      - /tmp/kestra-wd:/tmp/kestra-wd
    environment:
      SECRET_IMAC_PASSWORD: UHVycG9zZWx5IE9iZnVzY2F0ZWQK
      SECRET_B2_ACCOUNT_ID: PDA1MGQyNTI4ZzZkNmFmMDAwMDAwMDAwMQo=
      SECRET_B2_ACCOUNT_KEY: QzAwNWY5UXRXTllzZXpyajhZYUFKSFRod0puYjlKTQo=
      SECRET_RESTIC_PASSWORD: ZzZzUTJQQHR4Cg==
      KESTRA_CONFIGURATION: |
        datasources:
          postgres:
            url: jdbc:postgresql://postgres:5432/kestra
            driverClassName: org.postgresql.Driver
            username: kestra
            password: k3str4
        kestra:
          server:
            basic-auth:
              enabled: false
              username: "me@example.com" # it must be a valid email address
              password: super_secret
          repository:
            type: postgres
          storage:
            type: local
            local:
              base-path: "/app/storage"
          queue:
            type: postgres
          tasks:
            tmp-dir:
              path: /tmp/kestra-wd/tmp
          url: http://localhost:8080/
    ports:
      - "8180:8080"
      - "8181:8081"
    depends_on:
      postgres:
        condition: service_started

and here's my flow:

id: paperless-export
namespace: backups
description: Exports the paperless settings and documents for backup (later)

tasks:
  # This task runs a restic backup
- id: ssh-paperless-export-backup-cmd
  type: "io.kestra.plugin.fs.ssh.Command"
  host: selfhostserver.lan
  port: "22"
  username: johnsmith
  password: "{{ secret('IMAC_PASSWORD') }}"
  commands: 
    - sudo docker exec -t paperless-ngx-webserver-1 document_exporter -d ../export

triggers:
- id: paperless-export-schedule-hourly
  type: io.kestra.core.models.triggers.types.Schedule
  cron: "15 * * * *"
  timezone: US/Pacific

Environment Information

Example flow

No response

loicmathieu commented 5 months ago

Hi, Secrets passed via environment variables must be base64 encoded.

It appears that SECRET_IMAC_PASSWORD: UjA5ZzZkbGwL is not a base64 string.

johnsturgeon commented 5 months ago

> Hi, Secrets passed via environment variables must be base64 encoded.
>
> It appears that SECRET_IMAC_PASSWORD: UjA5ZzZkbGwL is not a base64 string.

But it is. I just futzed it up for the report. I didn't want to give you the 'real' string 😊

Let's change it to this then: UHVycG9zZWx5IE9iZnVzY2F0ZWQK

(for the record the other strings are changed as well, so they might not base64 decode.. but trust me, I know what I'm doing wrt being able to encode a string via base64)

tchiotludo commented 4 months ago

@johnsturgeon I've just made a test and it's working well on my side with secret as base64.

I've only found this bug but it's unrelated it seems: https://github.com/kestra-io/plugin-fs/commit/86e9ba940dfc8a7c89142298fde5b986f1c70adc

Maybe special chars in the password, or invalid base64. Are you using the -n to avoid the carriage return (for example)?

echo -n password | base64

I close the issue, reopen if you have a proper reproducer please
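The two failure modes raised in the comments above (a SECRET_* value that is not valid base64, and a value that decodes fine but carries the newline that `echo` appends when run without -n) can be checked before a flow ever reaches the SSH task. The script below is an added example and is not code from the kestra-io/plugin-fs project or from anyone in this thread. It only assumes that Kestra reads SECRET_* environment variables as base64, as the maintainers state above; `encode_secret`, `lint_secret` and `lint_secret_env` are names chosen here. The first two sample values are the ones posted in the docker-compose above; the rest are constructed.

```python
"""Added example (not part of kestra-io/plugin-fs or of this issue thread):
encode a secret for a Kestra SECRET_* environment variable and lint a set of
such variables for invalid base64 and for the trailing newline that
`echo password | base64` (without -n) produces."""
from __future__ import annotations

import base64
import binascii


def encode_secret(plaintext: str) -> str:
    """Return the base64 text Kestra expects in a SECRET_* variable.

    Equivalent to `printf '%s' "$plaintext" | base64 | tr -d '\\n'`: the
    plaintext is encoded without a trailing newline and the output has no
    line breaks of its own.
    """
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")


def lint_secret(encoded: str) -> str:
    """Classify one SECRET_* value. Returns one of:

      "invalid-base64"   - not strict base64 (bad alphabet or padding)
      "empty"            - decodes to zero bytes
      "trailing-newline" - decodes, but the plaintext ends in a newline,
                           the signature of `echo` used without -n
      "ok"               - decodes cleanly with no trailing newline
    """
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if not raw:
        return "empty"
    if raw.endswith(b"\n"):
        return "trailing-newline"
    return "ok"


def lint_secret_env(env: dict[str, str]) -> dict[str, str]:
    """Lint every SECRET_* entry of an environment mapping (e.g. os.environ).
    Non-SECRET_ variables are ignored."""
    return {
        name: lint_secret(value)
        for name, value in env.items()
        if name.startswith("SECRET_")
    }


# Constructed sample environment. The first two values are copied from the
# docker-compose posted in this issue; the remaining entries are made up here.
SAMPLE_ENV = {
    "SECRET_IMAC_PASSWORD": "UHVycG9zZWx5IE9iZnVzY2F0ZWQK",   # "Purposely Obfuscated\n"
    "SECRET_RESTIC_PASSWORD": "ZzZzUTJQQHR4Cg==",              # ends in "\n" as well
    "SECRET_GOOD": encode_secret("Purposely Obfuscated"),      # same text, encoded without newline
    "SECRET_BAD": "not base64!",                               # space and '!' are not base64
    "POSTGRES_PASSWORD": "k3str4",                             # not a SECRET_* var, skipped
}

if __name__ == "__main__":
    for name, verdict in lint_secret_env(SAMPLE_ENV).items():
        print(f"{name}: {verdict}")
```

Running it against the values in the thread reports `trailing-newline` for both posted secrets: the `K` and `Cg==` endings of those strings are the base64 of a final newline byte. When encoding by hand, also note that GNU coreutils `base64` wraps its output at 76 columns by default, so for long values use `base64 -w0` (or strip newlines as `encode_secret` does) before pasting into compose.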

johnsturgeon commented 4 months ago

> but trust me, I know what I'm doing wrt being able to encode a string via base64

Famous last words!!!

LOL, that's IT!!!

it was the -n Thank you

johnsturgeon commented 4 months ago

OK, I'm back!!!

I decided to give it a go again today and I'm once again having the SAME issue. (I've never gotten this to work) I am absolutely not able to get this to work.

Can we re-open? @tchiotludo ?

johnsturgeon commented 4 months ago

Holy cow I figured out the problem!

You CANNOT set a 'variable' to a secret!

variables:
  username: root
  password: "{{ secret('IMAC_PASSWORD') }}"
  host: goshdarnedserver.lan
  autorestic_bin: /usr/local/bin/autorestic

does NOT work

tchiotludo commented 4 months ago

I think the issue you're seeing is about recursive rendering, this must be working:

variables:
  username: root
  password: "{{ secret('IMAC_PASSWORD') }}"

tasks:
  # This task runs a restic backup
- id: ssh-paperless-export-backup-cmd
  type: "io.kestra.plugin.fs.ssh.Command"
  host: selfhostserver.lan
  port: "22"
  username: johnsmith
  password: "{{ render(vars.password) }}"
  commands: 
    - sudo docker exec -t paperless-ngx-webserver-1 document_exporter -d ../export

Reopen if not

johnsturgeon commented 4 months ago

Yep! That was it, thank you so much.