backup of my SealedSecrets doesn't work #923

Closed
Aman1994 opened this issue Aug 24, 2022 · 6 comments

Aman1994 commented Aug 24, 2022

Which component:
controller

Describe the bug
We did the backup of sealedsecrets keys of one cluster using

kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key

And then applied it to another

kubectl apply -f main.key

Did restart the controller too. But the secrets were not able to unseal - it kept complaining no key could decrypt secret

I did try to decrypt manually and that worked

kubeseal --recovery-unseal --recovery-private-key main.key -o yaml < sealedsecret.json

We also saw issues where it was decrypting a few secrets fine while for others it gave errors.

Expected behavior
Sealedsecrets should have been unsealed

@github-actions github-actions bot added the triage Issues/PRs that need to be reviewed label Aug 24, 2022
@alemorcuq
Collaborator

Could you share your controller logs?

@alvneiayu alvneiayu removed the triage Issues/PRs that need to be reviewed label Sep 15, 2022
@github-actions
Contributor

github-actions bot commented Oct 1, 2022

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the Stale label Oct 1, 2022
@github-actions
Contributor

github-actions bot commented Oct 9, 2022

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@github-actions github-actions bot closed this as not planned Oct 9, 2022
@kevinyangI

kevinyangI commented Oct 14, 2022

@alemorcuq can you reopen this issue? We are facing the same problem; the log is here. The secret sealed-secrets-key4gj4d is from the old cluster, and I imported it into the new cluster. It looks like the sealedsecrets have not been unsealed successfully.

2022/10/14 07:52:55 Starting sealed-secrets controller version: v0.12.5+dirty
2022/10/14 07:52:55 Searching for existing private keys
controller version: v0.12.5+dirty
2022/10/14 07:52:55 ----- sealed-secrets-key4gt79
2022/10/14 07:52:55 ----- sealed-secrets-key4gj4d
2022/10/14 07:52:55 HTTP server serving on :8080
2022/10/14 07:52:55 Updating in-app-communication/in-app-marketing-3.3.12-secret
2022/10/14 07:52:56 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"in-app-communication", Name:"in-app-marketing-3.3.12-secret", UID:"1fd68af7-efb8-459a-978f-4b8bb0073971", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"14029484", FieldPath:""}): type: 'Warning' reason: 'ErrUnsealFailed' Failed to unseal: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:56 Error updating SealedSecret in-app-communication/in-app-marketing-3.3.12-secret status: sealedsecrets.bitnami.com "in-app-marketing-3.3.12-secret" not found
2022/10/14 07:52:56 Error updating in-app-communication/in-app-marketing-3.3.12-secret, will retry: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:56 Updating in-app-communication/in-app-marketing-3.3.12-secret
2022/10/14 07:52:57 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"in-app-communication", Name:"in-app-marketing-3.3.12-secret", UID:"1fd68af7-efb8-459a-978f-4b8bb0073971", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"14029484", FieldPath:""}): type: 'Warning' reason: 'ErrUnsealFailed' Failed to unseal: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:57 Error updating SealedSecret in-app-communication/in-app-marketing-3.3.12-secret status: sealedsecrets.bitnami.com "in-app-marketing-3.3.12-secret" not found
2022/10/14 07:52:57 Error updating in-app-communication/in-app-marketing-3.3.12-secret, will retry: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:57 Updating in-app-communication/in-app-marketing-3.3.12-secret
2022/10/14 07:52:58 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"in-app-communication", Name:"in-app-marketing-3.3.12-secret", UID:"1fd68af7-efb8-459a-978f-4b8bb0073971", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"14029484", FieldPath:""}): type: 'Warning' reason: 'ErrUnsealFailed' Failed to unseal: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:58 Error updating SealedSecret in-app-communication/in-app-marketing-3.3.12-secret status: sealedsecrets.bitnami.com "in-app-marketing-3.3.12-secret" not found
2022/10/14 07:52:58 Error updating in-app-communication/in-app-marketing-3.3.12-secret, will retry: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:58 Updating in-app-communication/in-app-marketing-3.3.12-secret
2022/10/14 07:52:58 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"in-app-communication", Name:"in-app-marketing-3.3.12-secret", UID:"1fd68af7-efb8-459a-978f-4b8bb0073971", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"14029484", FieldPath:""}): type: 'Warning' reason: 'ErrUnsealFailed' Failed to unseal: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:58 Error updating SealedSecret in-app-communication/in-app-marketing-3.3.12-secret status: sealedsecrets.bitnami.com "in-app-marketing-3.3.12-secret" not found
2022/10/14 07:52:58 Error updating in-app-communication/in-app-marketing-3.3.12-secret, will retry: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:58 Updating in-app-communication/in-app-marketing-3.3.12-secret
2022/10/14 07:52:59 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"in-app-communication", Name:"in-app-marketing-3.3.12-secret", UID:"1fd68af7-efb8-459a-978f-4b8bb0073971", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"14029484", FieldPath:""}): type: 'Warning' reason: 'ErrUnsealFailed' Failed to unseal: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:59 Error updating SealedSecret in-app-communication/in-app-marketing-3.3.12-secret status: sealedsecrets.bitnami.com "in-app-marketing-3.3.12-secret" not found
2022/10/14 07:52:59 Error updating in-app-communication/in-app-marketing-3.3.12-secret, will retry: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:52:59 Updating in-app-communication/in-app-marketing-3.3.12-secret
2022/10/14 07:53:00 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"in-app-communication", Name:"in-app-marketing-3.3.12-secret", UID:"1fd68af7-efb8-459a-978f-4b8bb0073971", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"14029484", FieldPath:""}): type: 'Warning' reason: 'ErrUnsealFailed' Failed to unseal: no key could decrypt secret (application-secret.yaml)
2022/10/14 07:53:00 Error updating SealedSecret in-app-communication/in-app-marketing-3.3.12-secret status: sealedsecrets.bitnami.com "in-app-marketing-3.3.12-secret" not found
2022/10/14 07:53:00 Error updating in-app-communication/in-app-marketing-3.3.12-secret, giving up: no key could decrypt secret (application-secret.yaml)
E1014 07:53:00.079999 1 controller.go:200] no key could decrypt secret (application-secret.yaml)

@kevinyangI

Sorry, the problem is solved. After I imported all the secret keys from the old cluster into the new cluster, the sealedsecrets were unsealed successfully.
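
A way to check for the situation resolved above (keys from the old cluster that the new controller never loaded), as an added example that is not part of the issue thread or of the sealed-secrets project. It compares key names exported from the old cluster with the "----- <name>" lines the controller logs at startup; the helper functions, file names and sample key names are constructed, and it assumes the keys were applied with their original names.

```shell
#!/bin/sh
# Added example. All sample data below is constructed.

# Key names the controller registered at startup ("----- <name>" log lines).
loaded_keys() {
  sed -n 's/^.* ----- \([^[:space:]]*\)$/\1/p' "$1" | sort -u
}

# Old-cluster key names, one per line; the "secret/" prefix printed by
# `kubectl get secret ... -o name` is stripped.
expected_keys() {
  sed -e 's#^secret/##' -e '/^[[:space:]]*$/d' "$1" | sort -u
}

# Keys exported from the old cluster that the new controller never loaded.
missing_keys() {  # $1 = old-cluster key names, $2 = controller log
  loaded=$(loaded_keys "$2")
  expected_keys "$1" | while IFS= read -r key; do
    printf '%s\n' "$loaded" | grep -qxF -- "$key" || printf '%s\n' "$key"
  done
}

# namespace/name of every SealedSecret with an ErrUnsealFailed event.
failed_unseals() {
  sed -n "s/.*Kind:\"SealedSecret\", Namespace:\"\([^\"]*\)\", Name:\"\([^\"]*\)\".*reason: 'ErrUnsealFailed'.*/\1\/\2/p" "$1" | sort -u
}

# Constructed sample: the old cluster had two keys, only one was imported.
write_samples() {  # $1 = directory to write into
  printf 'secret/sealed-secrets-keyold01\nsecret/sealed-secrets-keyold02\n' > "$1/old-keys.txt"
  cat > "$1/controller.log" <<'EOF'
2022/10/14 07:52:55 Searching for existing private keys
2022/10/14 07:52:55 ----- sealed-secrets-keynew01
2022/10/14 07:52:55 ----- sealed-secrets-keyold02
2022/10/14 07:52:56 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"demo", Name:"app-secret", UID:"00000000-0000-0000-0000-000000000000", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1", FieldPath:""}): type: 'Warning' reason: 'ErrUnsealFailed' Failed to unseal: no key could decrypt secret (application-secret.yaml)
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "missing keys:";   missing_keys "$dir/old-keys.txt" "$dir/controller.log"
echo "failed unseals:"; failed_unseals "$dir/controller.log"
rm -rf "$dir"
```

Against real clusters, the first file is the output of `kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o name` on the old cluster, and the second is the new controller's log saved to a file.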

@MaxWinterstein
Contributor

This might be related to #1260
