2

When I deploy the new release of the Kubernetes app, I get this error:

Error: secret "env" not found


even though I have env in Custom Resource Definitions --> sealedsecrets.bitnami.com


env.yaml

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: env
  namespace: api
spec:
  encryptedData:
    AUTH_COGNITO: AgCIxZX0Zv6gcK2p ----
  template:
    metadata:
      creationTimestamp: null
      name: env
      namespace: api
    type: Opaque

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}
  labels:
    app: {{ .Release.Name }}
spec:
  revisionHistoryLimit: 2
  replicas: {{ .Values.replicas }}
  selector:
    matchLabels:
      app: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}
    spec:
      containers:
        - name: {{ .Release.Name }}
          image: "{{ .Values.imageRepository }}:{{ .Values.tag }}"
          env:
            {{- include "api.env" . | nindent 12 }}
          resources:
            limits:
              memory: {{ .Values.memoryLimit }}
              cpu: {{ .Values.cpuLimit }}
            requests:
              memory: {{ .Values.memoryRequest }}
              cpu: {{ .Values.cpuRequest }}
          {{- if .Values.healthCheck }}
          livenessProbe:
            httpGet:
              path: /healthcheck
              port: 4000
            initialDelaySeconds: 3
            periodSeconds: 3
            timeoutSeconds: 3
          {{- end }}
      imagePullSecrets:
        - name: {{ .Values.imagePullSecret }}      
      {{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
      {{- end }}
      {{- if .Values.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
      {{- end }}

UPDATE to my question: in my secrets, I don't have a secret called env

Plus, there is this error in regcred inside sealedsecrets.bitnami.com:

Failed to unseal: no key could decrypt secret (.dockerconfigjson)


Mina Fawzy
  • Do you have the "Secret" object named `env` in the cluster (not the sealedsecret object)? Is your sealedsecrets controller actually "un-sealing" the sealedsecret and creating the secret? Can you share logs from the sealed secrets controller? – Hazim May 31 '21 at 23:31
  • No, I don't have a secret with the name env, and sorry, I don't know if my sealedsecrets controller is "un-sealing" my object or not – Mina Fawzy May 31 '21 at 23:36
  • The sealed secrets controller is supposed to un-seal/decrypt the sealedsecrets object and then create a "secret" object with that data. Check the logs of the sealed secrets controller. – Hazim May 31 '21 at 23:39
  • Yeah, I see it can't, with this error: Failed to unseal: no key could decrypt secret (.dockerconfigjson) – Mina Fawzy May 31 '21 at 23:43
  • Did you encrypt the secret ".dockerconfigjson" from the key that sealedsecrets is using? Seems like an issue with sealed secrets key settings and encryption https://github.com/bitnami-labs/sealed-secrets/blob/main/docs/bring-your-own-certificates.md – Hazim Jun 01 '21 at 07:56
  • Thanks, Hazim, for the help. The issue was that I encrypted with the wrong namespace – Mina Fawzy Jun 02 '21 at 01:12

2 Answers

3

You ran kubeseal against the wrong Kubernetes cluster or you tried to edit the name or namespace after encrypting without enabling those in the encryption mode. More likely the first.

coderanger
1

Even though @coderanger answered it, I would like to add more details.

I made a mistake: I was running the kubeseal command with the wrong namespace (api instead of api2), then changed it in the converted file.

kubeseal -o yaml < input.yaml > env.yaml

input.yaml

apiVersion: v1
kind: Secret
metadata:
  name: env
  namespace: api
type: Opaque
stringData:
  DB_USER: "userName"
  DB_PASSWORD: "password"
 
Mina Fawzy
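The scope binding that both answers describe, as an added example that is not part of the original posts and is not the sealed-secrets code: in the default strict scope, the Secret's namespace and name are used as the RSA-OAEP label, so a ciphertext sealed for api/env cannot be unsealed once the manifest is edited to api2/env. This is a simplified model that encrypts the value directly (the real tool wraps an AES-GCM session key), and the function names, throwaway key and sample value are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// scopeLabel models strict scope: namespace and name become the OAEP label.
// Simplified model for illustration, not the controller's own code.
func scopeLabel(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

// seal encrypts value for exactly one namespace/name pair.
func seal(pub *rsa.PublicKey, namespace, name string, value []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, value, scopeLabel(namespace, name))
}

// unseal derives the label from the metadata of the object found in the
// cluster, not from whatever was used when the value was sealed.
func unseal(priv *rsa.PrivateKey, namespace, name string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, scopeLabel(namespace, name))
}

// demo seals "env" for sealedNS, then unseals it under appliedNS.
func demo(sealedNS, appliedNS string) (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
	if err != nil {
		return false, err
	}
	ct, err := seal(&priv.PublicKey, sealedNS, "env", []byte("constructed-value"))
	if err != nil {
		return false, err
	}
	pt, err := unseal(priv, appliedNS, "env", ct)
	return err == nil && string(pt) == "constructed-value", nil
}

func main() {
	for _, applied := range []string{"api", "api2"} {
		ok, err := demo("api", applied)
		if err != nil {
			panic(err)
		}
		fmt.Printf("sealed for api/env, applied as %s/env: unsealed=%v\n", applied, ok)
	}
}
```

The fix is to re-run kubeseal on an input Secret whose metadata already carries the target namespace and name, rather than editing the sealed output afterwards.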