After sealing secrets and fresh installation getting this message no key could decrypt secret"

Question

After sealing secrets and fresh installation getting this message no key could decrypt secret"

yahorchy opened this issue 7 months ago · comments

Which component:
Getting message: "no key could decrypt secret"

Describe the bug
The problem is appeared when I'm trying to create the same sealed-secret resource at the same namespace a couple of times.

To Reproduce
Steps to reproduce the behavior:

Download kubeseal on the linux machine (rhel 8.8)
Sealed secrets controller is installed on sealed-secrets namespace.

kubeseal version: 0.23.0
Sealed-secrets Controller version is

CHART                         APP VERSION
sealed-secrets-2.13.0   v0.24.0

Create string and seal it.

echo -n "-----BEGIN OPENSSH PRIVATE KEY-----\n-----END OPENSSH PRIVATE KEY-----" | ./kubeseal --raw --scope namespace-wide --controller-name=sealed-secrets --controller-namespace=sealed-secrets

Create sealedsecret resource. (kubectl create -f secret.yaml)

kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: my-secret
spec:
  template:
    type: Opaque
  encryptedData:
    id_rsa: AgBuL2Gw8Gmyt5pfxd/zl+8b5JdYiwz+uIpIg/MgZwLZtgUBMi2caIq79/Rg+Bf44R82e1aKwYd+o8twf241Sa8hponfHL7ThGDYyipfo4+dR54t9XfYjNGsZPgFAEr8BZ8Mb2U8BNd8WULMEAvS2B9b3Pv4RxbPIzuckHUokqWlNaodSbOaTaRIMRuKj3oAI64arbjTMNQUt+RLM18NP7XBjGTMO6sH205Je7mkjoJkc7IaboRfAwZW2CJv8/0ZcNjDgxrXdwqCVzM0dTDRqdPG51JqpAPfOW9io84Ce2iwqD6TRVZblyw0BqetQbJUSfpA9u2kdLDpbdYG4ukq51CwxlgbX/0JSPOVx3hoXNit1vUtdczf9bm/nGzGWYQkpunNtjKVnbas4FSpIxf/XSuq4gnk28x/sMRTB/T71TetSwrCYOWoCl4gZa0wRnYRi19yk3/und8i1s2tA0xx4Mr8JsT4C/OGFZzQgp87AaD6Mh+89XbUbIq31QQRgbycg2D8Kta5/4K9KdB2/+p/sevrpkejlzTOHOmyTRhZ0KgmnMCNwXqSRgeNEVtZT+AXID4fVoh1RG+VK9CD2x4yezEzHS1GrD9ZcBH975YHMHk7em95eIzazzbIomH5DTlNkRyooZy88UWd1E/NVW4FzGIfNrv/e+1hGfgY+pKbLNKqJNfhriyCP+XSjfzAfK6U89vcT4nsIfCTXvZXfqwDF/6rI/zsTU5+pK1iaGXmcuIQYxi0qUxLUAM7Te6b3/dT+9JYnXChKgBsbPKVm5lLrRmlS2MMGuOYLLE3DyNd9taWXXFqye5WhhTF6bLJMe/EztKwExgaPDz/B2oL3g1K4b/dICqJF/ojkx3uwSp9vUvUCizGAWExIN9bSRE8qB//08ff6WlQqI5GH2GfcTTuMIFNlpY=

3.. Check the status of sealedsecret resource. (should be true on the first 2 attempts)
4. Delete sealedsecret resource.
5. Repeat steps 1-4 two-three times the sealedsecrets sync will be ok, starting from third-fourth attempt will failed to synchronized

The text of the issue after executing this command:
kubectl get sealedsecrets

NAME                   STATUS                                                       SYNCED   AGE
my-secret             no key could decrypt secret (id_rsa)          False         3h13m

Sealed-secrets controller logs:

Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"sealed-secrets", Name:"my-secret", UID:"c1ad8067-ba01-4d84-890f-bbb58f54f8d5", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1239130764", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Error updating SealedSecret sealed-secrets/my-secret status: Operation cannot be fulfilled on sealedsecrets.bitnami.com "my-secret": the object has been modified; please apply your changes to the latest version and try again

Expected behavior
The expectation is to get sealedsecrets status sync to True all the time.

Version of Kubernetes:

Output of kubectl version:

Client Version: 4.10.46
Server Version: 4.12.29
Kubernetes Version: v1.25.11+1485cc9

Alfredo Garcia · Answer 1 · Wed Nov 08 2023 23:34:43 GMT+0800 (China Standard Time)

Hi @yahorchy thanks for the feedback. We recently fixed the STATUS behavior in the controller and that might explain the issues you're finding. Could you please check again using the 0.24.3 version?

yahorchy · Answer 2 · Thu Nov 09 2023 23:12:39 GMT+0800 (China Standard Time)

Hi @agarcia-oss ,
I have updated the controller to the version 0.24.3 and downloaded the latest kubeseal utility (0.24.3 version).

After playing in the console and installing/uninstalling the same sealedsecret resource it does not show Failed sync status anymore.

But, there is another case, when I used it in the helm chart templates files:

Steps to reproduce(fresh install):

I have 7 sealedsecrets in templates/secrets.yaml file.
I'm encrypting all these secrets with the same kubeseal utility in the same way, which mentioned in the description.
Placed sealed value into values.yaml
Then installing helm charts with helm install app . -f values.yaml

What is the output:

on the first attempt the first 6 secrets was created successfully (sync True), only the last secret from list was with sync status false.
at the second attempt the last 6 secrets was created successfully (sync True), only the first one was with sync status false.
at the third attempt 5 secrets from 7 was created with sync True, 2 remaining had status false.
In addition in all above output scenarios all secrets was created from sealed-secrets and application is up and running.

To fix this status issue:

perform the seal of the string again
modify the values.yaml file with the new sealed value
make an upgrade helm upgrade app . -f values.yaml. You will see sync True.

Any idea how to avoid to seal secrets a couple of times to make sync status True?

Alfredo Garcia · Answer 3 · Thu Nov 23 2023 18:42:01 GMT+0800 (China Standard Time)

Hi @yahorchy we cannot reproduce the issue you're commenting on. Could you please provide more detailed logs of the controller to verify it?

yahorchy · Answer 4 · Fri Nov 24 2023 17:32:11 GMT+0800 (China Standard Time)

Hi @agarcia-oss ,

By the way, yesterday I have upgraded sealed-secrets controller to the latest version (0.24.4).

Scenario:

I was able to reproduce problem without helm.

Steps:

I took 7 sealed-secrets which needs to be created and separately placed them in sealed-secrets.yaml file.
I run the command oc create -f sealed-secrets.yaml
Got Sync status False for fifth sealedsecret.
But the usual secret has been created for fifth sealedsecret.

Let me attach sealed-secrets.yaml

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: first-secret
spec:
  template:
    type: Opaque
  encryptedData:
    seed: AgARBuLJxZ/lRjtlDoxj+HjtP7ndPz/12cMzegJl/hNOpLQuxHean/SBxbzeMq2H8NUo/N1B6vx1onTQeo3tZWhwl+5gXKZq1022uU4JJsJcccjlN7td4Qt4AMlTOgm6o8ksGuNjHzmGmDe/s6gZ6n1o2S6RqUczEybry8Gxr19LHFoz4S25PrK2aroxXZeFBSURCdrEW6jXG4yduzgcJozXYZiPslzu0CfDfgZSanSOyRZM/IGVCw8tneckDCh87WYz/6lW3nZ3AzT2xGJsVZ80GXBicBqrxCJBNd+q1MhWITVgoI1zI5vbvJP7jjutKhI77++MPMKH+L1VLI+ZVpAGVlqGYzHPbkUdYultjwsGcBky/msPXYl76m44X/xU/H04d6gTFzTpVHgSdHM5Z+ZKxmg5HrPWsFQE/NpmOrECqc9olhpiP+yh3whafmQ799TD0nXcUO+UVe6PkiUexK+g+XJPkBSP/L6ngpZCVMtXS3U7+2WL23SpfAGQG+95gyn/uOANVhu91MMspTLKUfqZ06PTBiU//rNMnkSGrgtWQgoZYPEQBlicIbNCT5X/X0b9Pj2qROgIQWarElcUFpT9/rsIG9ceuiI/DC44n3Pi3LizQVF+s3ifn/jCAXfQgH8xp7pS36EGb9Rk2BJyO7LKgzHwamsYMDuNcgLyt5y7CjVclvLvcxz0gkED9x37YKC7o5QYSXZ83Z2sR7t31TucCBL9u+a9yLrKslCA1jP7oCu0PC6V++BeS12zCxY0sVDyrbTCJaVKufu1jJx/b8B2Tx0QCtlhWrAbsokTQWyoJOiqWhRKtV4gdydvWHbrN/CS0o7jYx3daBfVkwtS3Qb3AoSLCrNBAF/QqyEuV0lm
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: second-secret
spec:
  template:
    type: Opaque
  encryptedData:
    secret: AgCx7vpVNJstvuhYdMUtSXtjlQFVzZWxCRDQL1zuiyg4fEZ0puJemncwvKWsPjY0hBjsDqTc0ETsYdEX4i1CQ2VxsCXwjqm/DLqyCnrM3O6sYrflrTdOjirCZem58jvCbPNv4wXQrOICYnCR1yCu+JPLl/UdpbXLSuafLcgMH7PUvTo1Eem3CqzBDJRnIdxVz94b07atvgdZNTsS0FGn6z9NmlZza+jzpUvy8cErxzJ/q4MFJg69PbUIKaKx1EeABf7ae+0+OELLnlCvTYuibsj06v9s+1pwXJFwRMiqysQLCuX0qP5s3RgNVf9C8MAD7D3jk9mzDGQAnXPfwT6FA+BtDEOT5OFnvoJsXAmoNUNwpj3mYl0Uwx/UpdvsNLvAgtD+9x20wrvTTOYFy4lk9s7O07MUt1+cgAQ/IfhuGjPWffb8Zlsct0qA2wgDNjkp+ZAN/I0dT4OEfNEYKHSvcQJYR7mizp7RIwvdVpNmVCSDUiWbx7vCwWbKRDQA6swj8IoOWGVQDNFJ3cjd+7itQR+tilNk6Qwj+PhofNnFFPp8pLIpehlhSctTrybW8rx8jMUu4vkju7vy3ka/aWwaGgbH4YsaF6usRBuio/zh7wlGnYC70Vq5jrqloe0dTTK5XAYu+kfL7EjhVe0jXuRGIZ1MNFuzYZ+YZYRZOnAO6PNz5bdFOtLihXm3whhgRTXiJXTHjhgNzZEoiVaspThhSCfZcz8mUgceFTx00Hql+dYYA0B81m/m9NWd07BUntJ3DXN/ZtedQFhObZyx6ZPNhGTDktNBRlpADADnhxMqfhglZnnW7ecuiAI9d0PoT+EDHW+WPNZHI+o9TPr5z4f9WQnpHiyvMflkv1325RtXP16p
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: third-secret
spec:
  template:
    type: Opaque
  encryptedData:
    root-password: AgB5QxM1itW1b9hO7bEJ4qcJMICrnwktYsPG4ofeqVXTy+P/4OSupXahaDhEEEjNt736EzCV2p+k2n+lfW8MF4rZacYEdRgNzk18Pmm2lpWzZunloxrzp5SWnpo6IHZwmKDpC1wnphHFnUxUmzhtqVLaDdP1YiH0tnEuqoSQ0fIWQMUby7guuAq5cD859y6C84f21nK5K7AgVIfRG4AK3zEl4b3rUoCXL8BiBh9yq99ZUEAraEzCIcBzYmeOpA70lAgckfHuLbBweUdjXMqOFz3J/gyVYPp8owJDQVKimYnNK1iQgcPMy4FIWJoS0SPXI8f8Nsybs5AcSCydNns2sf+4pHbuRZW+vBBK7Jha04apbdp4Bhi1JOhUfCh9/mTewXu814UhYgY3rz9zeN4Eh9wsQzQGWR6PokVUMPScMNK4IJ6gZHpVnm23x+Gw0v4WsPHsLIZshTABOXjeptfc9Q4nDa1vFRkPN+P2LuWjBz6hHSc48P54kkYcOq1B3DUYmE2hSn2Z93dNCawe6MDem0tBzIQU3PhWZ29UwakQER7ZAn7C503GdNCVgnGxExYThFzbmc3tLI4eqXjN5ufnDchjKqaKxq1KOdMpssr6r77pXOlV1ksa90CinY1hrxyji4ZQcKuIfsFsSRqEMbFIURYFU7umXPqm3QImcEOPO5qU5/FU18pco5HKu0tCz5kt5A1ZmJZ189VHuw9urJfQtQXkqoCJYionTXT4EEgNyM7Y
    replication-password: AgArtEFLx1miL2jMKTHhcrPZddz/hoqGGudcn6ViCSB8IoSdWJL7RkA3gurBxBJtte+aXCIdnHetCwbdCb0OEMVdaJs3htg8NnFBiy//hVJQPFvr2nb8hVOg0R0uFNswaNScBjw0FE8gQDqnYR2ldnsC4rDhQqDw6yEVRjfa5ver7IQmmDuwPGi5hxEoy0JvGxwclfTybMlXd3cAXvavBvXyb5n3Ycx9l5MQcqXXqvBqh2iBOdxZ7AnGBzHFufOwx8k7aH982AG6hwum4T+8OB4mmQmOd+Ft1uJ4JYaUWX36pOp7xs70yecE2y3jbOpOzzwij7+dxBQ1KOnsThqg2NZQfjFtci5dUeSYFCbFTKi/lcTCy0pMrDgqJIRs2PmGZnjnbA2MY93CMhn9Im0QUOiLDVaPoNnS1itjgekFoBJfeumbmwlSswQ2CIw3ZEpVD78a3xJy4skuUMua2fJKUYN3eLUdP/Ku5PZxoKYXyYPc6odkS7QFjJg+q/Ya7mhqTxrZLtGIbl4jUPtxJDwBJ3xalNQJyZdr8b+pVqg8iLwmW3nOl+mefy/Ix2O9WnnOFUzN41SsoppWQ0XwU2UzYU1w0i88naUHwV9Dg2tdBqidCv71sQQEwetEGEEzGMLeiLuTVDj0MhypA1A05z0YFansoHGTyyHLMxhbfvSikcCbrU/VDQBJuU7fPAtHirLwqntn7ROnOjIlN7gwnXCXtA4lmB8AVQeDTRBmLdnpNOCK
    password: AgBbzzKbE+AJfhYCuXsdRrcSWqFvcDMt4BKBMV+ncfzc98N83g8Rd6T55SIzbxqEND1heUhGjLbz6G8paGJENxxv+wUCdQSb0le9E/NqiVkrwmNTIlhJiBqC+wwjYFgFYNumZ6rEs8a8nXml0/tAbUYFNx0Ltj6t932neoNKFwznZQXwrupXyA3fxPSSnSqcSe6h0pHG6p5sWfsqOb39cSjKnrVeFlfi4zbDEV5AoApiFh3fBws8AAiifqam1yMkkgzjQusJRMvCGIzNKNRDBpaU33nCVvIn0bC6PF1w5g/5+tnppa5P1EBwbKgVb/ypSHk3STox4LJfh0U4hmlSaIDZkL6MjiYZ+UYudBBn3z8ZPeDJDGpOn6YlNUA/FAYkLg76dlTgoBOAlKWWhXOfh11pUqrxa+03O5GnixzB0BbnHViWUzmZ4D2mlHphpYYLxuWdso5SQO11UaObLI/g72PbE8bvu9VUeOGyEfg02jr6nzOWivpQ8CyPoNVmnZHpu826cyz3R1Taj3NW0tqFmqf0kpfQVjjMPqChu8jSyXdSpukFs2nRZqX9IfvQbTQB0wp6Z1U61G71rCoaCdTfmM1udWAGm1Sifu91aHuu4tra8RblUh95R0V5whtar6T7RZej70leqIDZdrU+8uFFhBT1b48kRJv9NaGF3eKi4Eu+QI3VaQPdBP9j0qCHlSLcpMtReTy0EP7wucjEWUBsVCqj2ibeKqc+syANqV7ptDVy
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: fourth-secret
spec:
  template:
    type: Opaque
  encryptedData:
    auth: AgDFOJZyAivQdxcK9Y9m5BVxat3KePHCM9Lrw1pDfeJsPjH14TA67Fm3HLddR2+TrViTiscX8rGVvGUFgbe/AFQNGjGvU0gHmiE6SSVXkbGeWkK1Xd7HO32M88LQ5FPZvaQFADmhx9wy7B/Q5HcQ3ZKl+g4R9ssVuX3SYZWHyUVgTBviux9+zpQ8tyHUxkTlQ1h19yOuhz7JpK2BMgO+YQeksxHR9quCeaCtQ2QfaiCoOaoCXlMhMDA2nwqydM6nh/b7QNzfFnRqAgMLSoFkN89AQ/rR3Yk46MhPmU9Vnra5UOMe1KlxNk2pqORn/pS4xWtqt5hzpgnNODTMD+lUMOGbFV4cQzIn6jfaUpWGu8h/noflDE2MH+xI9JFpBJtre9oC4Nd1z1xQO/4VzpTId03evfxxhLPQ5Sk3njAGOicFNlqQwiLtHnqS4xI8ceWdoza8yLXCYPIafQTtjG0y16peyDWsibKflYZtBjV/ZIvfuuqKhlSWOyKFIgWTNgs7O2k2JIuBtnuOPRQaT+P4eI1zxCSHYkzG6DokFMIMiGKPhQq4J/lRAc+7leZ6bec+oD32LYPbx/MXK+hJog7AKdaRxiEPO9Yy55G04Wc7tH+LNrEVkka9Pdh65UH3eVEMRi7C4w+jUvpxvjZXhb/B52x47NXOZQ3u4+HU1CJ2oNJkjQ1x0ierRqDVKTwyskDNKAZPMy9BjH+0+i95QG4Pm+VnBG6fUWnmdz11XRfKQ4AFuYbqOLSCgmQHO4am0c8w2FAIBn46fbgrFDYUb3zxJDtk4O9uoY66XA7IRr5nyR/7OUL1/ft+qd3hGX6KJ7YuPQC5V26JbQbKBJe4MqyH92JPpixNpubIkN8dNliQO8WO
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: fifth-secret
spec:
  template:
    type: kubernetes.io/dockerconfigjson
  encryptedData:
    .dockerconfigjson: AgCkdnSR/zGgfhfeUfcHJ6+aPY7DpSNbh0qjPkI8Dur8HVWCI2Y8HrIMeSDA7nd98Sc/BsnPT+5paoM6cbzvF03zifuoc2o2WH4QeJTUofVQP3Zvb0tZfeUZ7lu7IfrKNdwFGZqzIGwvfCSdT9UuGR/CegZ7J7hgL8ptdWiBegB1M9MEH31p4d4/995W7nru6WOn97FpM8oJJrkBcTCPedFkyiZwTjDe0Na5sQ3KV3gHjO0lALYthx6wu40kfJX0IkX6+aPQmbCYcmxM89QW9KySq+tWy+L7DXc1bRQUpZ5a8in6j9mHgQ6Gkn9kCuir//uVapyR0MoybJkRwhTpY9DZ5y7MSZsh6L88fkKII1Uyu4ZFpg0IfXZDk67msmHoq7ZxxYpyMRAegs4yChfiNGNlJQG3OayR+Mxa3BJrvb0QT6fKZ12q/6z9LGk8z/xW6+orCCaqj3bDsfYhxJqpBXsCqruoOo8QURnm0KPyIDOpWUv+zqvIWEeK5nskRw+MhMyyS0ULiXcC464IqGksOQwEouJMCctd4u4acc3GTbUeXMj1oizgfQUZmayT23KNw1+5ZKBCJtReaBKm0akDXlDOiPSNH0RVMvzL9b5PJIs7y8OYXWeX7GxrwoMGaAgwUNzK4fAWTt/u9Sc1UUDjuytj0X8q5Ji+/L61J3vODkNmytvalxYtwByuJOebApmg32oDUSGrCS7lZry2KC/BxAFGzbe3oOr/LrHX/0rFQpTTGcNQ2q5QHJ4+HswJfinZY94VRbyu341vS6KRX1wZVfd0lvlWow5mobGXv23xXxv+pSAXhimcfe7x3tZMjXUBCSP1PTfDlLdqWszit9p5VnVvnCxIeUpioeeKFH4fl8pehGNfrrc9VmHgcKMBsNMasDgb6anfg+uBY0w5wtGSBOiKghw=
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: sixth-secret
spec:
  template:
    type: Opaque
  encryptedData:
    client: AgAnnTv6ZvrAo+Iw9CkbcfKtkdscXat/CEu+q5ggrBRJk3Kmp5p+aSbbL1rtg/iNSFey9TpAynv+FhH+M3tsJ8bggKQU3hK5QFwbFUlLkvCZlA05gssrZ5aVwT3ZRasaf/BRNF7lWkw+VEqtxQKTBcfOP/8zgI5UD6EROu0Fkz55FHeRBK0Ol9douGu79Wlz/tlvmvwcuJEKGdjHwWGNYQk2oko0Kpm9of8eJkIHxbNdPn9hUtXMKTD3MGQCjitxjEF8Qvnc/IgWw4jGvkpV7anTP9K7aMb8vmGyI/+trwMqMzbCuLn5MHw+fz5RaOWl+OMQx8iNlyH+Fdo0fryR6k30r3ayZ/NcpGpKZUnWM7x/MQLZptHXxyu1xiDtMqBUo55a/EBJiCIfz33VzUnjdK0p4lJfP3I4qIBCiqKSg80mFcRzJSMIiHgQRTVps/OHMc8I7uyU2ViXE+a4WhJ60w6ERSkTV+1PYWYLCBn+P7BumD4fsCoEm8KaTainmmIOPz0ItWk4s3u8LWD5YXc4fx3/XWr+NuIQUkLYDJpEziYqVz9qRjMIAX+4GM4nvGDocd0aSIpTIm1pLo6zcAt48mJbmdiQ3Tn2aeb0ZILYaiR0Doc2ZSdGyK+GJlNtmnrV8JceqrweQkq6kzX8ptOXvfquCM+b6WoAcVuJGePxl6OIUV4tJbE5fWjFVCqc4RHV9XkxOYLjLxOOFP7Ha6O7NZS1Nq8DeA==
    secret: AgCa0AGPs/sFTLufJ2Iy44QuQ4hRXFCvf76IMLSajsOO0ihNhikWtCXCBwQWV0pbjXha1LEm6cSvixo8UsMZJ5FJdSClvai77GAK4ljP9f/4hI9zj+GgFBfhtybgGc14sOcFNLc6DShtsmz0I3HeVJtusCnoz+7oOl4DyQwyRDizKUegd0GhcgWzfC8k99SayffLF4KOK7Dpnsc9SRZfRJsl/z041o3ndtijnSj23xBVi3Q/iH7HLknzAJJ9JtnijxV7AcVwlVJiDov7RpasPxkxDBasm2IFwzK/SYMxWH+TRQYqqouxWyNrqgNkz1lFr0SVCcXaHVdgPdkvEKtpsggmeu1wIjH/mxAvemPDvUTQgSLbFm0kqypFP3kQzLw6xvnFlCC9JNKTtTIRonNBuIUK3gv1wrnU1Dby5bkN9L9RP7Yggst9UbNz9Jf+nvaVHdFxaxrlIt5G3fBipDX6cBsfP7haZWZDLXAa/cia4My32heV9wYJhnqJ9/oAvDD1WzjkXyfIPUYctf2J+UL6mkplB2cNejWElfp00WGa74fXstyMI2MMw9T6YEgxxd0rvaTUTK8Yf8bGoDD5iIeczTXGAsOTg1cwoBvnpE/f73JbVNzFjWgjjVhajaIYwIY8+/RXoDQxFEotgQI/TL/Onh1L2Lnl1FonRHYUVIWc023cTJjvtKw2j8xq5MSTDNAFeriONjJFnTei44hc+GkqzdVITnDZqJoHil2LETAKOML7UYy3/7E/T79SkQfpOLXQwttog4eRJYuO1IrPQq8BiAXN
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: seventh-secret
spec:
  template:
    type: Opaque
  encryptedData:
    id:  AgC9TCxlfnpL9cu80/VelBBd36dmiKKJmgTX24CBPA7ItXahaujZPuITlOReP3NNaOnWi76B3EnRbLMrWbk+Bl3QuAIiIstt+wqIzyjoAUZRPP4COp+jc8HhWfOnW7GWg8GQ6GXxzwUFjbKm+XjfmHk0DxdSd8eEKmuQ2ELWsqqc7SOsZsjTt40ZrBzDLwIy7j+qqs20z88Wsabxba02a93qC6oUofVwn28/FmJ9ykNMhMzXAo1/j7i0rzhV1cMfDsjIT4HXKZfQatNizpZ150xhEe8mbFSwXF/rAQlbB7rsYpghXsPjnhsqlWG7YrTTDcaHTJcLeoIX7LxE/mitEWhKY2ar5e8EboFgpldFbfunV/uyeDGOn4d42yOujXngg0ojuk44t2R7RaTJixWqx75sScbFAS/OMH91RLYtmomuPBDysj348bq8gnUEnjntVPgSjkeHP1Sqj5sKcy40j4wGABYdQ3VPmBndTJvuu6tns41YQkL7mEnsoD9e5DufUsYdF+5tjR29YB3/gHbmAbRk+++QaVmwhcz0WlfjFei6V1j1RN7ZBm8xewpn/eVMUegsBzEpSzLxN72pxXWPweSIjLjmfklVwTlkfij+q2pgOCF/Wz1z0J9SSUhCEDMB57V+dHrUCFq7MmcBHNQOJC6cMooSkI8OKOXIGoxp0qMdkCg2HZSGk27H3uKyePscJTs5H3U9eBJKSaZ18WpMyQYMO+OYUUCk5tw5dt28kkVXED9y1mq59/pxuOIpOQ+z61PgRjWi5svR2qdqgkf70dhHjQKtLK3P

Here is the all logs output for sealed-secrets-controller during the creation:

Updating next-xray-scan/first-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"first-secret", UID:"e3674f24-4822-483a-84f9-50e3e0aeb646", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674451", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Updating next-xray-scan/second-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/first-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"second-secret", UID:"7e194f2d-3757-42c8-accb-3f22c95fcbe8", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674452", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
update suppressed, no changes in sealed secret spec of next-xray-scan/second-secret
Updating next-xray-scan/third-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"third-secret", UID:"62cc9fde-0ab5-4589-b9d1-f3d406e60a99", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674454", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Updating next-xray-scan/fourth-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/third-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"fourth-secret", UID:"343d9078-3147-4de4-9fed-ef41831ddc09", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674456", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
update suppressed, no changes in sealed secret spec of next-xray-scan/fourth-secret
Updating next-xray-scan/fifth-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/fifth-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/sixth-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/seventh-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"fifth-secret", UID:"27634e4e-2fb2-441f-8ebc-58caaadf7697", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674457", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Error updating SealedSecret next-xray-scan/fifth-secret status: Operation cannot be fulfilled on sealedsecrets.bitnami.com "fifth-secret": the object has been modified; please apply your changes to the latest version and try again
Updating next-xray-scan/sixth-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"sixth-secret", UID:"48686c7f-c80b-4ec3-9be6-1915f4bd9c9a", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674497", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
Updating next-xray-scan/seventh-secret
update suppressed, no changes in sealed secret spec of next-xray-scan/sixth-secret
Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"next-xray-scan", Name:"seventh-secret", UID:"be773ff0-0e2b-44c5-a5bd-374de96efb59", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"1283674498", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
update suppressed, no changes in sealed secret spec of next-xray-scan/seventh-secret

Here is the output of sealed-secrets:

[yahor@test02 sealed-secrets]$ oc get sealedsecrets
NAME             STATUS                                            SYNCED   AGE
fifth-secret     no key could decrypt secret (.dockerconfigjson)   False    9m32s
first-secret                                                       True     9m32s
fourth-secret                                                      True     9m32s
second-secret                                                      True     9m32s
seventh-secret                                                     True     9m32s
sixth-secret                                                       True     9m32s
third-secret                                                       True     9m32s

Here is the output of secrets:

[yahor@test022 sealed-secrets]$ oc get secrets
NAME                       TYPE                                  DATA   AGE
fifth-secret               kubernetes.io/dockerconfigjson        1      10m
first-secret               Opaque                                1      10m
fourth-secret              Opaque                                1      10m
second-secret              Opaque                                1      10m
seventh-secret             Opaque                                1      10m
sixth-secret               Opaque                                2      10m
third-secret               Opaque                                3      10m

Also, I have tried to extend the logs for controller by setting this option logInfoStdout: true. Does the controller have more options to extend the verbosity of the logs?