bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page:https://sealed-secrets.netlify.app/

kubeseal with Secret input from -f fails silently

deepy opened this issue · comments

Which component:
kubeseal CLI 0.24.5

Describe the bug
kubeseal --scope cluster-wide -f regcred-test.yaml -w sealed-secret-regcred.yaml writes an empty file, exits with 0, and gives no logs or explanation of why

To Reproduce
Steps to reproduce the behavior:

> kubectl create secret docker-registry regcred-test --docker-server=example.com --docker-username=docker-user --docker-password=docker-password
> kubectl get secret regcred-test -o yaml > regcred-test.yaml
> .\kubeseal.exe --controller-namespace sealed-secret --namespace=alextest --name=regcred --scope cluster-wide -f regcred-test.yaml -w sealed-secret-regcred.yaml
> echo $LastExitCode
0
> cat .\sealed-secret-regcred.yaml
> .\kubeseal.exe --version
kubeseal version: 0.24.5

Expected behavior
A sealed secret in sealed-secret-regcred.yaml or a message explaining what went wrong

Version of Kubernetes:
1.28.4

Additional context
Logs from kubeseal -v 15

I1219 22:26:19.360556   22116 loader.go:395] Config loaded from file:  C:\Users\deepy\.kube\config
I1219 22:26:19.361579   22116 round_trippers.go:466] curl -v -XGET  -H "Accept: application/x-pem-file, */*" -H "User-Agent: kubeseal.exe/v0.0.0 (windows/amd64) kubernetes/$Format" 'https://10.0.194.2:6443/api/v1/namespaces/sealed-secret/services/sealed-secrets-controller'
I1219 22:26:19.363083   22116 round_trippers.go:510] HTTP Trace: Dial to tcp:10.0.194.2:6443 succeed
I1219 22:26:19.371255   22116 round_trippers.go:553] GET https://10.0.194.2:6443/api/v1/namespaces/sealed-secret/services/sealed-secrets-controller 200 OK in 9 milliseconds
I1219 22:26:19.371255   22116 round_trippers.go:570] HTTP Statistics: DNSLookup 0 ms Dial 1 ms TLSHandshake 5 ms ServerProcessing 3 ms Duration 9 ms
I1219 22:26:19.371255   22116 round_trippers.go:577] Response Headers:
I1219 22:26:19.371255   22116 round_trippers.go:580]     Content-Length: 1897
I1219 22:26:19.371255   22116 round_trippers.go:580]     Date: Tue, 19 Dec 2023 21:26:18 GMT
I1219 22:26:19.371255   22116 round_trippers.go:580]     Audit-Id: 5b6f4226-5b2b-4304-a487-8a7f1f2b7ade
I1219 22:26:19.371255   22116 round_trippers.go:580]     Cache-Control: no-cache, private
I1219 22:26:19.371255   22116 round_trippers.go:580]     Content-Type: application/json
I1219 22:26:19.371255   22116 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: f66a0dc7-a866-49c9-bdbf-171c4c17124c
I1219 22:26:19.371255   22116 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: 64c0340f-5d9a-4ccc-a4c7-f210451d2f82
I1219 22:26:19.372393   22116 request.go:1212] Response Body: {"kind":"Service","apiVersion":"v1","metadata":{"name":"sealed-secrets-controller","namespace":"sealed-secret","uid":"24894636-5b9d-42d8-8d43-391844c8e375","resourceVersion":"473967361","creationTimestamp":"2022-04-16T22:08:59Z","labels":{"app.kubernetes.io/instance":"sealed-secrets-controller","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"sealed-secrets","app.kubernetes.io/part-of":"sealed-secrets","app.kubernetes.io/version":"v0.24.5","helm.sh/chart":"sealed-secrets-2.13.4","helm.toolkit.fluxcd.io/name":"sealed-secrets","helm.toolkit.fluxcd.io/namespace":"sealed-secret"},"annotations":{"meta.helm.sh/release-name":"sealed-secrets-controller","meta.helm.sh/release-namespace":"sealed-secret"},"managedFields":[{"manager":"helm-controller","operation":"Update","apiVersion":"v1","time":"2023-12-15T11:58:31Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:meta.helm.sh/release-name":{},"f:meta.helm.sh/release-namespace":{}},"f:labels":{".":{},"f:app.kubernetes.io/instance":{},"f:app.kubernetes.io/managed-by":{},"f:app.kubernetes.io/name":{},"f:app.kubernetes.io/part-of":{},"f:app.kubernetes.io/version":{},"f:helm.sh/chart":{},"f:helm.toolkit.fluxcd.io/name":{},"f:helm.toolkit.fluxcd.io/namespace":{}}},"f:spec":{"f:internalTrafficPolicy":{},"f:ports":{".":{},"k:{\"port\":8080,\"protocol\":\"TCP\"}":{".":{},"f:name":{},"f:port":{},"f:protocol":{},"f:targetPort":{}}},"f:selector":{},"f:sessionAffinity":{},"f:type":{}}}}]},"spec":{"ports":[{"name":"http","protocol":"TCP","port":8080,"targetPort":"http"}],"selector":{"app.kubernetes.io/instance":"sealed-secrets-controller","app.kubernetes.io/name":"sealed-secrets"},"clusterIP":"10.43.44.99","clusterIPs":["10.43.44.99"],"type":"ClusterIP","sessionAffinity":"None","ipFamilies":["IPv4"],"ipFamilyPolicy":"SingleStack","internalTrafficPolicy":"Cluster"},"status":{"loadBalancer":{}}}
I1219 22:26:19.373438   22116 round_trippers.go:466] curl -v -XGET  -H "Accept: application/x-pem-file, */*" -H "User-Agent: kubeseal.exe/v0.0.0 (windows/amd64) kubernetes/$Format" 'https://10.0.194.2:6443/api/v1/namespaces/sealed-secret/services/http:sealed-secrets-controller:http/proxy/v1/cert.pem'
I1219 22:26:19.380200   22116 round_trippers.go:553] GET https://10.0.194.2:6443/api/v1/namespaces/sealed-secret/services/http:sealed-secrets-controller:http/proxy/v1/cert.pem 200 OK in 6 milliseconds
I1219 22:26:19.380200   22116 round_trippers.go:570] HTTP Statistics: GetConnection 0 ms ServerProcessing 6 ms Duration 6 ms
I1219 22:26:19.380200   22116 round_trippers.go:577] Response Headers:
I1219 22:26:19.380200   22116 round_trippers.go:580]     Date: Tue, 19 Dec 2023 21:26:18 GMT
I1219 22:26:19.380200   22116 round_trippers.go:580]     Content-Length: 1724
I1219 22:26:19.380200   22116 round_trippers.go:580]     Audit-Id: 9b76615c-c7f8-480d-bc00-99343f88e773
I1219 22:26:19.380200   22116 round_trippers.go:580]     Cache-Control: no-cache, private
I1219 22:26:19.380200   22116 round_trippers.go:580]     Content-Type: application/x-pem-file

Nothing new in controller logs.

Run in Windows in Windows Terminal with PowerShell 5.1 (not cmd.exe)

Here's the content of regcred-test.yaml

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJleGFtcGxlLmNvbSI6eyJ1c2VybmFtZSI6ImRvY2tlci11c2VyIiwicGFzc3dvcmQiOiJkb2NrZXItcGFzc3dvcmQiLCJhdXRoIjoiWkc5amEyVnlMWFZ6WlhJNlpHOWphMlZ5TFhCaGMzTjNiM0prIn19fQ==
kind: Secret
metadata:
  creationTimestamp: "2023-12-19T21:24:22Z"
  name: regcred-test
  namespace: alextest
  resourceVersion: "476521523"
  uid: e221129c-f481-462a-b5f5-f6163375d37b
type: kubernetes.io/dockerconfigjson

regcred-test.yaml gets saved in UTF-16LE, and the fact that --cert mycert.pem produces "error: data does not contain any valid RSA or ECDSA certificates" and works fine when I convert it to UTF-8 probably confirms it.

I encountered the same problem with Windows.

After a lot of wasted time I narrowed the problem down to my IDE accidentally using an older version of PowerShell (powershell.exe). If I used PowerShell 7/Core (pwsh.exe) or cmd.exe then things work as expected.

PowerShell 6 (bundled by default in Windows 10) and older versions use UTF-16LE, and in version 7 they changed the default to UTF-8

kubectl handles this just fine though, so people are unlikely to notice

If anyone else encounters these errors (especially on Windows), save the file with UTF-8 encoding.

Since the issue seems to be related to PowerShell version, we can close the issue

@agarcia-oss the issue is unrelated to the PowerShell version, the issue is that kubeseal fails silently.
That it doesn't handle UTF-16LE is a different issue
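
A pre-flight guard for the two problems raised in this thread (UTF-16 input and a zero exit code with an empty output file), as an added example that is not part of the original issue or the sealed-secrets project. The function names are hypothetical, kubeseal is assumed to be on PATH, and the input file is assumed to carry a byte-order mark, as files written by Windows PowerShell 5.1 redirection do.

```powershell
# Added example: function names are hypothetical; kubeseal is assumed to be on PATH.

# Identify the encoding of a file from its leading byte-order mark.
function Get-BomEncoding {
    param([byte[]]$Bytes)
    if ($Bytes.Length -ge 3 -and $Bytes[0] -eq 0xEF -and $Bytes[1] -eq 0xBB -and $Bytes[2] -eq 0xBF) { return 'utf8-bom' }
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xFE) { return 'utf16-le' }
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFE -and $Bytes[1] -eq 0xFF) { return 'utf16-be' }
    return 'none'
}

# Rewrite a BOM-marked file in place as UTF-8 without BOM.
# Returns $true if the file was rewritten, $false if it had no BOM.
function ConvertTo-Utf8NoBom {
    param([string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).Path
    $bytes = [System.IO.File]::ReadAllBytes($full)
    switch (Get-BomEncoding $bytes) {
        'utf16-le' { $text = [System.Text.Encoding]::Unicode.GetString($bytes, 2, $bytes.Length - 2) }
        'utf16-be' { $text = [System.Text.Encoding]::BigEndianUnicode.GetString($bytes, 2, $bytes.Length - 2) }
        'utf8-bom' { $text = [System.Text.Encoding]::UTF8.GetString($bytes, 3, $bytes.Length - 3) }
        default    { return $false }
    }
    # UTF8Encoding($false) suppresses the BOM that "Out-File -Encoding utf8" adds in 5.1.
    [System.IO.File]::WriteAllText($full, $text, (New-Object System.Text.UTF8Encoding $false))
    return $true
}

# Run kubeseal and treat "exit 0 with an empty output file" as a failure.
function Invoke-KubesealChecked {
    param([string]$InFile, [string]$OutFile, [string[]]$KubesealArgs)
    if (ConvertTo-Utf8NoBom $InFile) {
        Write-Warning "$InFile had a byte-order mark; rewritten as UTF-8 without BOM"
    }
    & kubeseal @KubesealArgs -f $InFile -w $OutFile
    if ($LASTEXITCODE -ne 0) { throw "kubeseal exited with code $LASTEXITCODE" }
    if (-not (Test-Path -LiteralPath $OutFile) -or (Get-Item -LiteralPath $OutFile).Length -eq 0) {
        throw "kubeseal exited 0 but $OutFile is missing or empty"
    }
}

# Usage, with the file names and flags from the report above:
# Invoke-KubesealChecked -InFile regcred-test.yaml -OutFile sealed-secret-regcred.yaml `
#     -KubesealArgs '--controller-namespace', 'sealed-secret', '--scope', 'cluster-wide'
```

The empty-output check is the part that matters in CI: it catches the silent failure regardless of its cause, so an empty manifest is never committed in place of a SealedSecret.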