List items that failed to decrypt
Sometimes people update existing secrets by merging the output of another kubeseal execution
(e.g. plain kubeseal or kubeseal --raw) but by mistake they don't use the same scope, or the same name
or namespace.

Currently it's hard to figure out what's wrong, partially because all the controller says is that
a given secret failed to unseal.

This change allows the user to know which item is the culprit:

```
0s          Warning   ErrUnsealFailed   sealedsecret/mysecret   Failed to unseal: no key could decrypt secret (bar)
```
Marko Mikulicic committed Oct 1, 2019
1 parent d1340be commit 4364012
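The failure mode the commit message describes, and the per-item reporting it introduces, as an added Go example; this is not code from this commit or from the sealed-secrets code base. It assumes a simplified hybrid scheme (RSA-OAEP wrapping a single-use AES-256-GCM session key, with a "namespace/name" scope label used as the OAEP label and as GCM additional data) standing in for the project's crypto package, a plain stdlib error type in place of github.com/mkmik/multierror, and constructed item names, values and labels:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// hybridEncrypt (a simplified stand-in for the project's crypto package) wraps a fresh AES-256-GCM
// session key with RSA-OAEP and binds the scope label in as OAEP label and GCM additional data.
func hybridEncrypt(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	// Single-use session key, so a zero nonce is safe; output is wrapped key || GCM ciphertext+tag.
	return gcm.Seal(wrapped, make([]byte, gcm.NonceSize()), plaintext, label), nil
}

// hybridDecrypt reverses hybridEncrypt; a label that differs from the sealing one fails the OAEP unwrap.
func hybridDecrypt(priv *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
	if len(ciphertext) < priv.Size() { // the OAEP blob is exactly one modulus long
		return nil, fmt.Errorf("ciphertext too short")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext[:priv.Size()], label)
	if err != nil {
		return nil, fmt.Errorf("no key could decrypt secret: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), ciphertext[priv.Size():], label)
}

// UnsealError maps every failing item key to its cause, not only the first one hit.
type UnsealError map[string]error

func (e UnsealError) Error() string { return fmt.Sprintf("failed to unseal: %v", map[string]error(e)) }

// unsealAll keeps going after a failing item and reports every culprit at once;
// on any failure no plaintext is returned, so a partial secret is never emitted.
func unsealAll(priv *rsa.PrivateKey, encrypted map[string][]byte, label []byte) (map[string][]byte, error) {
	plain, failed := map[string][]byte{}, UnsealError{}
	for k, v := range encrypted {
		if pt, err := hybridDecrypt(priv, v, label); err != nil {
			failed[k] = err
		} else {
			plain[k] = pt
		}
	}
	if len(failed) > 0 {
		return nil, failed
	}
	return plain, nil
}

// demo seals "foo" for prod/mysecret, merges in a "bar" sealed for staging/mysecret by mistake
// (namespace/name labels are an assumption of this example) and returns unsealAll's per-item failures.
func demo() (UnsealError, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	good, wrong := []byte("prod/mysecret"), []byte("staging/mysecret")
	encrypted := map[string][]byte{}
	if encrypted["foo"], err = hybridEncrypt(&priv.PublicKey, []byte("hunter2"), good); err != nil {
		return nil, err
	}
	if _, err = unsealAll(priv, encrypted, good); err != nil {
		return nil, fmt.Errorf("a consistently sealed item must unseal: %w", err)
	}
	if encrypted["bar"], err = hybridEncrypt(&priv.PublicKey, []byte("oops"), wrong); err != nil {
		return nil, err
	}
	_, err = unsealAll(priv, encrypted, good)
	failed, _ := err.(UnsealError) // nil if, unexpectedly, every item unsealed
	return failed, nil
}

func main() { fmt.Println(demo()) }
```

Running it reports `bar` as the only item that failed, while `foo` decrypts fine under the same key: the key is not the problem, the label bound into `bar` is. The aggregate error mirrors the controller change in spirit (collect, tag by item key, report once), and the decision to return no plaintext when any item fails keeps a half-unsealed Secret from ever being written.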
Showing 9 changed files with 265 additions and 1 deletion.
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -12,6 +12,7 @@ require (
github.com/gomodule/redigo v2.0.0+incompatible // indirect
github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf
github.com/googleapis/gnostic v0.0.0-20171211024024-933c109c13ce // indirect
github.com/mkmik/multierror v0.2.2
github.com/onsi/ginkgo v1.6.0
github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3
github.com/spf13/pflag v1.0.3
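Review bot: this adds a new third-party module (github.com/mkmik/multierror v0.2.2) to the controller's dependency graph purely for error aggregation, and the commit message does not mention the new dependency. It is pinned to a tagged version and vendored, which is the right shape, but please call it out in the commit message so anyone reviewing the supply chain sees the addition without reading go.mod.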
6 changes: 6 additions & 0 deletions go.sum
Expand Up @@ -94,6 +94,12 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63 h1:nTT4s92Dgz2HlrB2NaMgvlfqHH39OgMhA7z3PK7PGD4=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mkmik/multierror v0.2.0 h1:vO3+hXIpcpSLkW4/bgPvxcvR0cKv2VNXe1vsrs//OX8=
github.com/mkmik/multierror v0.2.0/go.mod h1:WBWyQSZyz7HrusKcf3Q0J1aj0CV2U8GkrS9ZdXvrROU=
github.com/mkmik/multierror v0.2.1 h1:72XgusjeAFnsZPfMCTXqLZmhQs25FheRkIfYDN4z7jc=
github.com/mkmik/multierror v0.2.1/go.mod h1:wjBYXRpDhh+8mIp+iLBOq0kZ3Y4ICTncojwvP8LUYLQ=
github.com/mkmik/multierror v0.2.2 h1:RhQyYRqGi7PvW+s/Hq5TMm133FF+sJ0+/oR7TeV8f0c=
github.com/mkmik/multierror v0.2.2/go.mod h1:wjBYXRpDhh+8mIp+iLBOq0kZ3Y4ICTncojwvP8LUYLQ=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
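Review bot: go.sum gains checksum lines for github.com/mkmik/multierror v0.2.0 and v0.2.1 as well as v0.2.2, while go.mod requires only v0.2.2; the two older pairs look like leftovers from iterating on the version. Unless something else in the module graph requires them, `go mod tidy` will drop them, and it is cleaner to land the lockfile with exactly the one pinned version.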
8 changes: 7 additions & 1 deletion pkg/apis/sealed-secrets/v1alpha1/sealedsecret_expansion.go
Expand Up @@ -12,6 +12,7 @@ import (
runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"

"github.com/bitnami-labs/sealed-secrets/pkg/crypto"
"github.com/mkmik/multierror"
)

const (
Expand Down Expand Up @@ -254,18 +255,23 @@ func (s *SealedSecret) Unseal(codecs runtimeserializer.CodecFactory, privKeys ma
secret.Type = s.Spec.Template.Type

secret.Data = map[string][]byte{}

var errs []error
for key, value := range s.Spec.EncryptedData {
valueBytes, err := base64.StdEncoding.DecodeString(value)
if err != nil {
return nil, err
}
plaintext, err := crypto.HybridDecrypt(rand.Reader, privKeys, valueBytes, label)
if err != nil {
return nil, err
errs = append(errs, multierror.Tag(key, err))
}
secret.Data[key] = plaintext
}

if errs != nil {
return nil, multierror.Fold(multierror.Uniq(errs))
}
} else if AcceptDeprecatedV1Data { // Support decrypting old secrets for backward compatibility
plaintext, err := crypto.HybridDecrypt(rand.Reader, privKeys, s.Spec.Data, label)
if err != nil {
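Review bot: the base64 decode failure at the top of the loop still does `return nil, err` untagged, so a malformed encryptedData value both short-circuits the loop and yields an error that does not name the item, which is the very situation this change fixes for decryption failures; suggest treating it the same way, `errs = append(errs, multierror.Tag(key, err))` followed by `continue`. Also, after a failed HybridDecrypt the loop falls through to `secret.Data[key] = plaintext` and stores a nil value; it is harmless because the function returns nil once errs is non-empty, but a `continue` after the append makes that intent explicit and avoids populating a Secret that is about to be discarded.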
20 changes: 20 additions & 0 deletions vendor/github.com/mkmik/multierror/LICENSE
25 changes: 25 additions & 0 deletions vendor/github.com/mkmik/multierror/compat.go
17 changes: 17 additions & 0 deletions vendor/github.com/mkmik/multierror/compat_go113.go
3 changes: 3 additions & 0 deletions vendor/github.com/mkmik/multierror/go.mod
184 changes: 184 additions & 0 deletions vendor/github.com/mkmik/multierror/multierror.go
2 changes: 2 additions & 0 deletions vendor/modules.txt
Expand Up @@ -63,6 +63,8 @@ github.com/hpcloud/tail/winfile
github.com/imdario/mergo
# github.com/json-iterator/go v1.1.6
github.com/json-iterator/go
# github.com/mkmik/multierror v0.2.2
github.com/mkmik/multierror
# github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/concurrent
# github.com/modern-go/reflect2 v1.0.1