oracle-actions / configure-kubectl-oke

Install and configure Kubectl for the specified Oracle Engine for Kubernetes (OKE) cluster
Universal Permissive License v1.0

Error: The PEM format key (unnamed) is encrypted (password-protected), and no passphrase was provided in `options`. #16

Closed nickfortyau closed 1 year ago

nickfortyau commented 1 year ago

Hello! I'm attempting to use this GitHub Action to connect to a Kubernetes cluster. I've set up all of the required environment variables, and provided the cluster ID. However, I'm getting a failure on the "PEM format key". This cluster has a public endpoint as well.

Below is the output in GitHub of the workflow execution. Note: ignore the fact that it's nested under uhg-actions and not oracle-actions. That's just how my company approves GitHub Actions, wrapping them in our own.

##[debug]Evaluating condition for step: 'Configure kubectl'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Configure kubectl
##[debug]Loading inputs
##[debug]Evaluating: secrets.OKE_CLUSTER_OCID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'OKE_CLUSTER_OCID'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run uhg-actions/configure-kubectl-oke@v1.1
  with:
    cluster: ***
  env:
    DOCKER_IMAGE_TAG: SNAPSHOT-0.0.4
    OCI_CLI_USER: ***
    OCI_CLI_TENANCY: ***
    OCI_CLI_FINGERPRINT: ***
    OCI_CLI_KEY_CONTENT: ***
    OCI_CLI_REGION: ***
::group::Installing Oracle Cloud Infrastructure CLI
Installing Oracle Cloud Infrastructure CLI
  /usr/bin/python -m pip install oci-cli
  Collecting oci-cli
    Downloading oci_cli-3.18.1-py3-none-any.whl (32.6 MB)
  Collecting oci==2.85.0
    Downloading oci-2.85.0-py2.py3-none-any.whl (17.7 MB)
  Collecting terminaltables==3.1.0
    Downloading terminaltables-3.1.0.tar.gz (12 kB)
  Collecting pytz>=2016.10
    Downloading pytz-2022.4-py2.py3-none-any.whl (500 kB)
  Collecting click==7.1.2
    Downloading click-7.1.2-py2.py3-none-any.whl (82 kB)
  Collecting six>=1.15.0
    Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
  Collecting cryptography<=37.0.2,>=3.2.1
    Downloading cryptography-37.0.2-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.1 MB)
  Collecting arrow>=1.0.0
    Downloading arrow-1.2.3-py3-none-any.whl (66 kB)
  Collecting PyYAML<6,>=5.4
    Downloading PyYAML-5.4.1-cp38-cp38-manylinux1_x86_64.whl (662 kB)
  Requirement already satisfied: certifi in /usr/lib/python3/dist-packages (from oci-cli) (2019.11.28)
  Collecting jmespath==0.10.0
    Downloading jmespath-0.10.0-py2.py3-none-any.whl (24 kB)
  Collecting prompt-toolkit==3.0.29
    Downloading prompt_toolkit-3.0.29-py3-none-any.whl (381 kB)
  Collecting python-dateutil<3.0.0,>=2.5.3
    Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
  Requirement already satisfied: pyOpenSSL<=22.0.0,>=17.5.0 in /usr/lib/python3/dist-packages (from oci-cli) (19.0.0)
  Collecting circuitbreaker<2.0.0,>=1.3.1
    Downloading circuitbreaker-1.4.0.tar.gz (9.7 kB)
  Collecting cffi>=1.12
    Downloading cffi-1.15.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (442 kB)
  Collecting wcwidth
    Downloading wcwidth-0.2.5-py2.py3-none-any.whl (30 kB)
  Collecting pycparser
    Downloading pycparser-2.21-py2.py3-none-any.whl (118 kB)
  Building wheels for collected packages: terminaltables, circuitbreaker
    Building wheel for terminaltables (setup.py): started
    Building wheel for terminaltables (setup.py): finished with status 'done'
    Created wheel for terminaltables: filename=terminaltables-3.1.0-py3-none-any.whl size=15354 sha256=f5f7dc4c23f403c340898473bba50c6345ca795a1e1b5663991a7727da72afeb
    Stored in directory: /home/runner/.cache/pip/wheels/08/8f/5f/253d0105a55bd84ee61ef0d37dbf70421e61e0cd70cef7c5e1
    Building wheel for circuitbreaker (setup.py): started
    Building wheel for circuitbreaker (setup.py): finished with status 'done'
    Created wheel for circuitbreaker: filename=circuitbreaker-1.4.0-py3-none-any.whl size=7503 sha256=d25c5d8b63c1547880d21c8de8da7cf443194e62968c93d3a5087b9adb502dbb
    Stored in directory: /home/runner/.cache/pip/wheels/52/06/a4/3f1cdbebf72c6da0c6e0074d5f4f54bebfa6c479ca6cb56e9d
  Successfully built terminaltables circuitbreaker
  ERROR: launchpadlib 1.10.13 requires testresources, which is not installed.
  Installing collected packages: pytz, pycparser, cffi, cryptography, circuitbreaker, six, python-dateutil, oci, terminaltables, click, arrow, PyYAML, jmespath, wcwidth, prompt-toolkit, oci-cli
  Successfully installed PyYAML-5.4.1 arrow-1.2.3 cffi-1.15.1 circuitbreaker-1.4.0 click-7.1.2 cryptography-37.0.2 jmespath-0.10.0 oci-2.85.0 oci-cli-3.18.1 prompt-toolkit-3.0.29 pycparser-2.21 python-dateutil-2.8.2 pytz-2022.4 six-1.16.0 terminaltables-3.1.0 wcwidth-0.2.5
  ::endgroup::
Error: The PEM format key (unnamed) is encrypted (password-protected), and no passphrase was provided in `options`
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Configure kubectl

Djelibeybi commented 1 year ago

(Oracle restricts GitHub Actions too, so I understand the issue well).

On your actual issue: unfortunately the GitHub Actions don't support encrypted private keys. You will either have to remove the pass phrase from your key, or create a new key or a new service account with its own key.

Alternatively, you could spin up an OCI instance to run a self-hosted GitHub Runner that uses instance principal authentication instead of keys.

nickfortyau commented 1 year ago

Okay, that makes sense. Do you know what private key in particular? Would it be for the OCI CLI or kubectl CLI? I'm having trouble finding a .pem key.

On Fri, Oct 7, 2022 at 9:09 PM Avi Miller @.***> wrote:

> (Oracle restricts GitHub Actions too, so I understand the issue well).
>
> On your actual issue: unfortunately the GitHub Actions don't support encrypted private keys. You will either have to remove the pass phrase from your key, or create a new key or a new service account with its own key.
>
> Alternatively, you could spin up an OCI instance to run a self-hosted GitHub Runner that uses instance principal authentication instead of keys.


Djelibeybi commented 1 year ago

It's the OCI API/CLI key stored in the OCI_CLI_KEY_CONTENT secret.
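
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original comments or the action's own code: it classifies the PEM text destined for the OCI_CLI_KEY_CONTENT secret by its armor lines, so a passphrase-protected key is rejected before the action runs. The function names and the sample keys (armor lines with placeholder bodies) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify PEM private-key text by its armor lines so a workflow
# step can fail early instead of passing an encrypted key to the action.

# classify_pem_key: reads PEM text on stdin, prints one of
#   encrypted-pkcs8   BEGIN ENCRYPTED PRIVATE KEY (PKCS#8 with a passphrase)
#   encrypted-legacy  traditional PEM carrying "Proc-Type: 4,ENCRYPTED"
#   unencrypted       private-key block with no encryption marker
#   unknown           no PEM private-key block found
classify_pem_key() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF line endings from pasted secrets
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/  { pkcs8 = 1 }
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/ { plain = 1 }
        /^Proc-Type: 4,ENCRYPTED$/                 { legacy = 1 }
        END {
            if (pkcs8)                print "encrypted-pkcs8"
            else if (plain && legacy) print "encrypted-legacy"
            else if (plain)           print "unencrypted"
            else                      print "unknown"
        }'
}

# preflight_key: returns 0 only when the key is usable without a passphrase,
# 1 when it is encrypted, 2 when no private-key block is present.
preflight_key() {
    kind=$(printf '%s\n' "$1" | classify_pem_key)
    case "$kind" in
        unencrypted) return 0 ;;
        encrypted-*) echo "key is passphrase-protected ($kind)" >&2; return 1 ;;
        *)           echo "no PEM private key found" >&2; return 2 ;;
    esac
}

# Constructed samples: real armor lines, placeholder bodies (not key material).
SAMPLE_PLAIN='-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder body)
-----END RSA PRIVATE KEY-----'
SAMPLE_LEGACY='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,(constructed placeholder IV)

(constructed placeholder body)
-----END RSA PRIVATE KEY-----'
SAMPLE_PKCS8='-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder body)
-----END ENCRYPTED PRIVATE KEY-----'

for s in "$SAMPLE_PLAIN" "$SAMPLE_LEGACY" "$SAMPLE_PKCS8"; do
    printf '%s\n' "$s" | classify_pem_key
done
```

In a workflow, calling `preflight_key "$OCI_CLI_KEY_CONTENT"` in a step before the action surfaces the problem with a clear message. The check reads only the armor lines and does not validate the key material itself.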

nickfortyau commented 1 year ago

Aha, of course. Thanks!

On Fri, Oct 7, 2022 at 11:27 PM Avi Miller @.***> wrote:

> It's the OCI API/CLI key stored in the OCI_CLI_KEY_CONTENT secret.


Djelibeybi commented 1 year ago

You're welcome.

nickfortyau commented 1 year ago

Closing as @Djelibeybi proposed the solution above.