After sealing secrets and fresh installation getting this message "no key could decrypt secret"
yahorchy opened this issue · comments
Which component:
Getting message: "no key could decrypt secret"
Describe the bug
The problem appears when I'm trying to create the same sealed-secret resource in the same namespace a couple of times.
To Reproduce
Steps to reproduce the behavior:
Download kubeseal on the linux machine (rhel 8.8)
Sealed secrets controller is installed on sealed-secrets namespace.
kubeseal version: 0.23.0
Sealed-secrets Controller version is
```
CHART                   APP VERSION
sealed-secrets-2.13.0   v0.24.0
```
- Create string and seal it.
```
echo -n "-----BEGIN OPENSSH PRIVATE KEY-----\n-----END OPENSSH PRIVATE KEY-----" | ./kubeseal --raw --scope namespace-wide --controller-name=sealed-secrets --controller-namespace=sealed-secrets
```
- Create sealedsecret resource. (kubectl create -f secret.yaml)
```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: my-secret
spec:
  template:
    type: Opaque
  encryptedData:
    id_rsa: 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
```
3. Check the status of sealedsecret resource. (should be true on the first 2 attempts)
4. Delete sealedsecret resource.
5. Repeat steps 1-4. The first two or three times the sealedsecrets sync will be OK; starting from the third or fourth attempt it will fail to synchronize.
The text of the issue after executing this command:
```
kubectl get sealedsecrets
NAME        STATUS                                 SYNCED   AGE
my-secret   no key could decrypt secret (id_rsa)   False    3h13m
```
Sealed-secrets controller logs:
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"sealed-secrets", Name:"my-secret", UID:"c1ad8067-ba01-4d84-890f-bbb58f54f8d5", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1239130764", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Error updating SealedSecret sealed-secrets/my-secret status: Operation cannot be fulfilled on sealedsecrets.bitnami.com "my-secret": the object has been modified; please apply your changes to the latest version and try again
Expected behavior
The expectation is to get sealedsecrets status sync to True all the time.
Version of Kubernetes:
- Output of `kubectl version`:
Client Version: 4.10.46
Server Version: 4.12.29
Kubernetes Version: v1.25.11+1485cc9
Hi @agarcia-oss ,
I have updated the controller to the version 0.24.3 and downloaded the latest kubeseal utility (0.24.3 version).
After playing in the console and installing/uninstalling the same sealedsecret resource, it does not show Failed sync status anymore.
But, there is another case, when I used it in the helm chart templates files:
Steps to reproduce(fresh install):
- I have 7 sealedsecrets in templates/secrets.yaml file.
- I'm encrypting all these secrets with the same `kubeseal` utility in the same way as mentioned in the description.
- Placed sealed value into values.yaml
- Then installing helm charts with `helm install app . -f values.yaml`
What is the output:
- on the first attempt the first 6 secrets were created successfully (sync True), only the last secret from the list was with sync status false.
- at the second attempt the last 6 secrets were created successfully (sync True), only the first one was with sync status false.
- at the third attempt 5 secrets from 7 were created with sync True, the 2 remaining had status false.
In addition, in all the above output scenarios all `secrets` were created from `sealed-secrets` and the application is up and running.
To fix this status issue:
- perform the seal of the string again
- modify the values.yaml file with the new sealed value
- make an upgrade: `helm upgrade app . -f values.yaml`. You will see sync `True`.
Any idea how to avoid sealing secrets a couple of times to make sync status `True`?
Hi @yahorchy we cannot reproduce the issue you're commenting on. Could you please provide more detailed logs of the controller to verify it?
Hi @agarcia-oss ,
By the way, yesterday I upgraded the sealed-secrets controller to the latest version (0.24.4).
Scenario:
I was able to reproduce the problem without helm.
Steps:
- I took 7 sealed-secrets which need to be created and separately placed them in the sealed-secrets.yaml file.
- I ran the command `oc create -f sealed-secrets.yaml`
- Got Sync status False for fifth sealedsecret.
- But the usual secret has been created for fifth sealedsecret.
Let me attach sealed-secrets.yaml
```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: first-secret
spec:
  template:
    type: Opaque
  encryptedData:
    seed: 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
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: second-secret
spec:
  template:
    type: Opaque
  encryptedData:
    secret: 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
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: third-secret
spec:
  template:
    type: Opaque
  encryptedData:
    root-password: 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
    replication-password: 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
    password: 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
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: fourth-secret
spec:
  template:
    type: Opaque
  encryptedData:
    auth: 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
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: fifth-secret
spec:
  template:
    type: kubernetes.io/dockerconfigjson
  encryptedData:
    .dockerconfigjson: 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
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: sixth-secret
spec:
  template:
    type: Opaque
  encryptedData:
    client: 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
    secret: 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
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: seventh-secret
spec:
  template:
    type: Opaque
  encryptedData:
    id: 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
```
Here is all the log output for the sealed-secrets-controller during the creation:
Updating next-xray-scan/first-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"first-secret", UID:"e3674f24-4822-483a-84f9-50e3e0aeb646", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674451", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Updating next-xray-scan/second-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/first-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"second-secret", UID:"7e194f2d-3757-42c8-accb-3f22c95fcbe8", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674452", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
update suppressed, no changes in sealed secret spec of next-xray-scan/second-secret
Updating next-xray-scan/third-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"third-secret", UID:"62cc9fde-0ab5-4589-b9d1-f3d406e60a99", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674454", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Updating next-xray-scan/fourth-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/third-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"fourth-secret", UID:"343d9078-3147-4de4-9fed-ef41831ddc09", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674456", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
update suppressed, no changes in sealed secret spec of next-xray-scan/fourth-secret
Updating next-xray-scan/fifth-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/fifth-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/sixth-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/seventh-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"fifth-secret", UID:"27634e4e-2fb2-441f-8ebc-58caaadf7697", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674457", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Error updating SealedSecret next-xray-scan/fifth-secret status: Operation cannot be fulfilled on sealedsecrets.bitnami.com "fifth-secret": the object has been modified; please apply your changes to the latest version and try again
Updating next-xray-scan/sixth-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"sixth-secret", UID:"48686c7f-c80b-4ec3-9be6-1915f4bd9c9a", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674497", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Updating next-xray-scan/seventh-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/sixth-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"seventh-secret", UID:"be773ff0-0e2b-44c5-a5bd-374de96efb59", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674498", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
update suppressed, no changes in sealed secret spec of next-xray-scan/seventh-secret
Here is the output of sealed-secrets:
```
[yahor@test02 sealed-secrets]$ oc get sealedsecrets
NAME             STATUS                                            SYNCED   AGE
fifth-secret     no key could decrypt secret (.dockerconfigjson)   False    9m32s
first-secret                                                       True     9m32s
fourth-secret                                                      True     9m32s
second-secret                                                      True     9m32s
seventh-secret                                                     True     9m32s
sixth-secret                                                       True     9m32s
third-secret                                                       True     9m32s
```
Here is the output of secrets:
```
[yahor@test022 sealed-secrets]$ oc get secrets
NAME             TYPE                             DATA   AGE
fifth-secret     kubernetes.io/dockerconfigjson   1      10m
first-secret     Opaque                           1      10m
fourth-secret    Opaque                           1      10m
second-secret    Opaque                           1      10m
seventh-secret   Opaque                           1      10m
sixth-secret     Opaque                           2      10m
third-secret     Opaque                           3      10m
```
Also, I have tried to extend the logs for the controller by setting this option: `logInfoStdout: true`. Does the controller have more options to extend the verbosity of the logs?
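
Added example, not part of the thread or the sealed-secrets project's code: in the logs posted above, fifth-secret gets an 'Unsealed' event followed by a status-update conflict, and it is the one object reporting SYNCED False while its Secret exists. This Python triage helper flags that pattern so it can be separated from objects with no successful unseal at all; the `demo` namespace, the sample log lines (modelled on the two line shapes in the thread) and the label names are constructed.

```python
import re

# Patterns for the two controller log line shapes quoted in this thread.
UNSEALED = re.compile(
    r'Kind:"SealedSecret", Namespace:"(?P<ns>[^"]+)", Name:"(?P<name>[^"]+)"'
    r".*reason: 'Unsealed'")
STATUS_CONFLICT = re.compile(
    r"Error updating SealedSecret (?P<ns>[^/\s]+)/(?P<name>\S+) status: "
    r".*the object has been modified")

def classify(log_lines, synced):
    """Label each SealedSecret; `synced` maps 'namespace/name' to its SYNCED column."""
    unsealed_at, conflict_at = {}, {}
    for i, line in enumerate(log_lines):
        m = UNSEALED.search(line)
        if m:
            unsealed_at[f"{m['ns']}/{m['name']}"] = i
            continue
        m = STATUS_CONFLICT.search(line)
        if m:
            conflict_at[f"{m['ns']}/{m['name']}"] = i
    labels = {}
    for key, ok in synced.items():
        if ok:
            labels[key] = "synced"
        elif key in unsealed_at and conflict_at.get(key, -1) > unsealed_at[key]:
            # Unseal succeeded, then the status write was rejected as a conflict:
            # the False status may be left over rather than a real decrypt failure.
            labels[key] = "stale-status-suspected"
        elif key in unsealed_at:
            labels[key] = "unsealed-but-false"
        else:
            # No successful unseal logged: investigate keys, scope and namespace.
            labels[key] = "no-unseal-event"
    return labels

# Constructed sample input (hypothetical namespace "demo", placeholder UID).
EVENT = ('Event(v1.ObjectReference{{Kind:"SealedSecret", Namespace:"demo", Name:"{0}", '
         'UID:"<uid>", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1", '
         "FieldPath:\"\"}}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully")
CONFLICT = ('Error updating SealedSecret demo/{0} status: Operation cannot be fulfilled on '
            'sealedsecrets.bitnami.com "{0}": the object has been modified; please apply '
            'your changes to the latest version and try again')
SAMPLE_LOG = [EVENT.format("fourth-secret"), EVENT.format("fifth-secret"),
              CONFLICT.format("fifth-secret")]
SAMPLE_SYNCED = {"demo/fourth-secret": True, "demo/fifth-secret": False,
                 "demo/eighth-secret": False}

if __name__ == "__main__":
    for name, label in classify(SAMPLE_LOG, SAMPLE_SYNCED).items():
        print(f"{name}: {label}")
```

For an object labelled `stale-status-suspected`, confirming that the corresponding Secret exists (as `oc get secrets` does in the thread) is the check that distinguishes a leftover status from a failed unseal.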