New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: side-effect on r.SecretsFiles when having multiple successive call #575
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, thanks for your contribution. I think this in fact a bug and your solution would work but, unless I'm missing anything, wouldn't it be better to just continue
if the secret is already decrypted?
Something like:
for i := 0; i < len(r.SecretsFiles); i++ {
if isOfType(r.SecretsFiles[i], []string{".dec"}) {
// if .dec extension is added before to the secret filename, don't add it again.
// This happens at upgrade time (where diff and upgrade both call this function)
// and we don't need to decrypt the file again
continue
}
if err := decryptSecret(r.SecretsFiles[i]); err != nil {
log.Fatal(err.Error())
}
r.SecretsFiles[i] = r.SecretsFiles[i] + ".dec"
}
What do you think?
Hi @luisdavim thanks for the review. Well if it works and it fixes my issue I'm ok with your proposition 😄 I don't have the big picture 😅 , but I don't think that is a good idea to modify the Tell me if you need more time for investigation otherwise I can push your proposal Thanks |
The reason for my suggestion is that, unless the decoded secrets are deleted between actions in the plan, it would be more efficient to just decode the secrets once and then re-use the decrypted files. I think that was the original intent of that code, the problem was that it was trying to call the helm secrets plugin with the decoded files which caused the problem you're trying to fix. If you could run a test in your scenario with the change I'm proposing, that would be much appreciated. Thanks |
…ll (diff, upgrade, ...) In the case there is several successive action called in the same run (diff, upgrade, ...) the field r.SecretsFiles is overwritten during the first call. Therefore the field r.SecretsFiles is different between the first call and the following ones. One side effect of that can be seen by doing helmsman -show-diff with the secretFiles enabled (helm-secrets plugin + vault driver): helmsman will try do decrypt a file already decrypted.
4359f0f
to
91c977a
Compare
Regarding the test are you mentioning that folder : https://github.com/Praqma/helmsman/tree/master/tests ? |
(proposal has been pushed) |
Ok ok for the test I think I got it Or maybe I have to play with sops (the other driver of helm-secrets) ... never use it |
Sorry, I just meant running a build with these changes in the same scenario that you described in the initial post, where you found the bug. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Ok cool 👍 (I tried it and it worked) @luisdavim do you know more or less when will be the next release of helmsman ? |
I'll try to cut a release today. |
fix: side-effect on r.SecretsFiles when having multiple successive call
Hey folks 👋
I'm using helm-secrets with the vault driver and I'm facing that issue:
By doing a bit of investigation I came to that conclusion:
In the case there is several successive action called in the same run (diff, upgrade, ...) the field r.SecretsFiles is overwritten during the first call. Therefore the field r.SecretsFiles is different between the first call and the following ones.
One side effect of that can be seen by doing helmsman -show-diff with the secretFiles enabled (helm-secrets plugin + vault driver): helmsman will try do decrypt a file already decrypted because the list of secretFiles changed.
Don't hesitate to ask more details if needed
Cheers 😉