zendesk / helm-secrets

DEPRECATED A helm plugin that help manage secrets with Git workflow and store them anywhere
Apache License 2.0

Encrypted secret values provided to helm #148

Closed (by youngkin, 2 years ago)

youngkin commented 4 years ago

I have a secretValues.yaml file that contains the values of the secrets needed by my application. After encoding via helm secrets enc secretValues.yaml it contains the following:

secrets:
    dbuser: ENC[AES256_GCM,data:hoqeUpA=,iv:qwK054sQwcR7tgLf7/corXa2fZf4mxmd08+pxkOgtj8=,tag:OC8r4t4NHaB5rz4a/MpHpg==,type:str]
    dbpassword: ENC[AES256_GCM,data:BJLarQpfA9KvZg==,iv:GLP5/CUBBrVsfR3t1zb96TmiSHO8O9ljI0rWDgczwJI=,tag:s6IZ92+dR6aQmn2PZJ4UmA==,type:str]
sops:
    kms: []

After running helm secrets install . -f secretValues.yaml --namespace video --name customerd --debug the secret spec is displayed as:

# Source: customerd/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
    name: custd-secrets
    labels:
        app: customerd
        chart: 'customerd-0.1.0'
        release: 'customerd'
        heritage: 'Tiller'
type: Opaque
data:
    dbuser: "RU5DW0FFUzI1Nl9HQ00sZGF0YTpob3FlVXBBPSxpdjpxd0swNTRzUXdjUjd0Z0xmNy9jb3JYYTJmWmY0bXhtZDA4K3B4a09ndGo4PSx0YWc6T0M4cjR0NE5IYUI1cno0YS9NcEhwZz09LHR5cGU6c3RyXQ=="
    dbpassword: "RU5DW0FFUzI1Nl9HQ00sZGF0YTpCSkxhclFwZkE5S3ZaZz09LGl2OkdMUDUvQ1VCQnJWc2ZSM3QxemI5NlRtaVNITzhPOWxqSTByV0RnY3p3Skk9LHRhZzpzNklaOTIrZFI2YVFtbjJQWko0VW1BPT0sdHlwZTpzdHJd"

Running base64 decoding against the above values renders:

$ echo "RU5DW0FFUzI1Nl9HQ00sZGF0YTpCSkxhclFwZkE5S3ZaZz09LGl2OkdMUDUvQ1VCQnJWc2ZSM3QxemI5NlRtaVNITzhPOWxqSTByV0RnY3p3Skk9LHRhZzpzNklaOTIrZFI2YVFtbjJQWko0VW1BPT0sdHlwZTpzdHJd" | base64 --decode
ENC[AES256_GCM,data:BJLarQpfA9KvZg==,iv:GLP5/CUBBrVsfR3t1zb96TmiSHO8O9ljI0rWDgczwJI=,tag:s6IZ92+dR6aQmn2PZJ4UmA==,type:str]

and

$ echo "RU5DW0FFUzI1Nl9HQ00sZGF0YTpob3FlVXBBPSxpdjpxd0swNTRzUXdjUjd0Z0xmNy9jb3JYYTJmWmY0bXhtZDA4K3B4a09ndGo4PSx0YWc6T0M4cjR0NE5IYUI1cno0YS9NcEhwZz09LHR5cGU6c3RyXQ==" | base64 --decode
ENC[AES256_GCM,data:hoqeUpA=,iv:qwK054sQwcR7tgLf7/corXa2fZf4mxmd08+pxkOgtj8=,tag:OC8r4t4NHaB5rz4a/MpHpg==,type:str]

The decoded values match the encrypted contents of the secretValues.yaml after encrypting via helm secrets enc secretValues.yaml. I expected the values of dbuser and dbpassword from the secrets specification to be the original base64 encoded values, e.g., somedbuser and somedbpassword, not the helm secrets encrypted values.

I may be missing something obvious, but it's not apparent to me. Am I missing something?

youngkin commented 4 years ago

Turns out, after eventually finding #95 and #128, the problem was the name of my secrets values file. I find naming this file secrets.yaml as in the examples to be confusing as it is not the kubernetes/helm secrets specification file. So I named it secretValues.yaml thinking this was more descriptive. Turns out it needs to be named something like secrets.<something>.yaml. Granted this is somewhat of an RTFM problem on my part as I later found this in the README file:

By convention, files containing secrets are named secrets.yaml, or anything beginning with "secrets." and ending with ".yaml". E.g. secrets.test.yaml and secrets.prod.yaml.

But the examples in the documentation, coupled with the length of the README, make the above lines easy to miss. Perhaps the documentation could be changed to make this naming requirement more obvious?

Feel free to close this if you don't agree. My point was to make sure someone saw this and hopefully makes the README clearer and/or addresses #128.
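A pipeline check for the failure mode described in this thread, added here as an example and not part of helm-secrets itself: it applies the README naming rule to a values file and scans a rendered Secret for values that are still SOPS ciphertext, which is exactly what ends up in the cluster when the values file is never decrypted. The manifest values are the ones from this report; the function names are my own.

```python
import base64
import binascii
import re

# Shape of a SOPS-encrypted scalar as written by `helm secrets enc`.
SOPS_ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,]*,iv:[^,]*,tag:[^,]*,type:\w+\]$")

# Rendered Secret from the report above (constructed sample, data values copied verbatim).
SAMPLE_MANIFEST = """\
# Source: customerd/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
    name: custd-secrets
type: Opaque
data:
    dbuser: "RU5DW0FFUzI1Nl9HQ00sZGF0YTpob3FlVXBBPSxpdjpxd0swNTRzUXdjUjd0Z0xmNy9jb3JYYTJmWmY0bXhtZDA4K3B4a09ndGo4PSx0YWc6T0M4cjR0NE5IYUI1cno0YS9NcEhwZz09LHR5cGU6c3RyXQ=="
    dbpassword: "RU5DW0FFUzI1Nl9HQ00sZGF0YTpCSkxhclFwZkE5S3ZaZz09LGl2OkdMUDUvQ1VCQnJWc2ZSM3QxemI5NlRtaVNITzhPOWxqSTByV0RnY3p3Skk9LHRhZzpzNklaOTIrZFI2YVFtbjJQWko0VW1BPT0sdHlwZTpzdHJd"
"""


def is_helm_secrets_named(path: str) -> bool:
    """README rule: the plugin only decrypts secrets.yaml or secrets.<anything>.yaml."""
    name = path.rsplit("/", 1)[-1]
    return name == "secrets.yaml" or (name.startswith("secrets.") and name.endswith(".yaml"))


def find_undecrypted_sops_values(manifest: str) -> list:
    """Return (key, decoded value) pairs from a rendered Secret that are still SOPS ciphertext.

    Walks the top-level `data:` (base64) and `stringData:` (plain) blocks line by line,
    so it needs no YAML library; a decoded ENC[AES256_GCM,...] string means the values
    file was templated without ever being decrypted.
    """
    leaked, section = [], None
    for line in manifest.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line[:1].isspace():                      # top-level key switches section
            section = stripped[:-1] if stripped.endswith(":") else None
            continue
        if section not in ("data", "stringData") or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        value = value.strip().strip("\"'")
        if section == "data":
            try:
                value = base64.b64decode(value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue                                # binary payload, not SOPS text
        if SOPS_ENC_RE.match(value):
            leaked.append((key.strip(), value))
    return leaked
```

Run it over `helm secrets template ... | tee manifest.yaml` output before applying; any hit means the release would ship ciphertext to the cluster instead of the credential.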

znorris commented 4 years ago

This also tripped me up. Docs could use some rewording IMHO.