Openshift: encrypting secrets via `rscadmin --encrypt-config-value` fails due to being non-root

[pat-s]

The command returns:

Unable to obtain root privileges: this utility must be run as root.

[tnederlof]

Hi @pat-s you may have more luck using rskey to encrypt the value. What values are you looking to encrypt? Sometimes its easier to put values unencrypted in secrets and use an external secret manager to handle that piece, then mounting the value back as an environment variable.

[pat-s]

Thanks! I'll consider bundling rskey in our images if this can invoked rootless. If this case it is the PG DB PW.

I am already using the combination of k8s secrets via env vars, however facing a strange decoding issue there. I need to use "sealed secrets" in this specific environment and my options to use something else are limited.

The env var holding the secret exists in the container but connect still complains it can't parse it, even though everything works if I c/p the value and use export to redefine it in the container and then running the command again. Still need to find out what is causing this.

Anyhow, just wanted to drop the information that the bundled rscadmin is not working. If rskey does the same and is working rootless, maybe bundling it by default might be a way to go for the future?

[pat-s]

rskey did the trick for now, thanks.

I think it might be a good idea to bundle it by default and/or highlight it more popular so that users of the chart are aware that they need to bundle a custom tool in their images to work around the mentioned issue.

[tnederlof]

Yea totally here you on that @pat-s will talk to the dev team. I am also going to dig more into the env variables not being picked up though as I see that as a more direct native approach versus needing to encrypt in the first place.