Must double-encode secret values for Applications.Core/secretStores with an existing Kubernetes secret #8157

Open
1 task done
willdavsmith opened this issue Dec 19, 2024 · 4 comments
Labels
bug Something is broken or not working as expected important This item is a high priority Issue we intend to address as soon as possible triaged This issue has been reviewed and triaged

Comments

@willdavsmith
Contributor

willdavsmith commented Dec 19, 2024

Steps to reproduce

Note: Files used are at end of this section

rad init
k apply -f secret.yaml
rad deploy app.bicep
❯ rad deploy app.bicep
Building app.bicep...
WARNING: The following experimental Bicep features have been enabled: Extensibility. Experimental features should be enabled for testing purposes only, as there are no guarantees about the quality or stability of these features. Do not enable these settings for any production usage, or your production environment may be subject to breaking.
Deploying template 'app.bicep' for application 'willsmith' and environment '/planes/radius/local/resourceGroups/default/providers/Applications.Core/environments/default' from workspace 'default'...

Deployment In Progress... 

Completed            azdevops        Applications.Core/secretStores
.                    recipe          Applications.Datastores/redisCaches
Completed            dv              Applications.Core/environments
Error: {
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please see the details for the specific operation that failed.",
  "target": "/planes/radius/local/resourceGroups/default/providers/Microsoft.Resources/deployments/rad-deploy-e525851f-5a0c-42c0-aa0c-a03a5ab3e208",
  "details": [
    {
      "code": "OK",
      "message": "",
      "target": "/planes/radius/local/resourceGroups/default/providers/Applications.Core/secretStores/azdevops"
    },
    {
      "code": "ResourceDeploymentFailure",
      "message": "Failed",
      "target": "/planes/radius/local/resourceGroups/default/providers/Applications.Datastores/redisCaches/recipe",
      "details": [
        {
          "code": "LoadSecretsFailed",
          "message": "failed to fetch secrets for Terraform recipe git::https://github.com/radius-project/terraform-private-modules//kubernetes-redis deployment: POST https://10.96.0.1:443/apis/api.ucp.dev/v1alpha3/planes/radius/local/resourcegroups/default/providers/Applications.Core/secretStores/azdevops/listSecrets\n--------------------------------------------------------------------------------\nRESPONSE 500: 500 Internal Server Error\nERROR CODE: Internal\n--------------------------------------------------------------------------------\n{\n  \"error\": {\n    \"code\": \"Internal\",\n    \"message\": \"pat is the invalid base64 encoded value: illegal base64 data at input byte 0\"\n  }\n}\n--------------------------------------------------------------------------------\n",
          "details": [
            {
              "code": "Internal",
              "message": "pat is the invalid base64 encoded value: illegal base64 data at input byte 0"
            }
          ]
        }
      ]
    },
    {
      "code": "OK",
      "message": "",
      "target": "/planes/radius/local/resourceGroups/default/providers/Applications.Core/environments/dv"
    }
  ]
}

TraceId:  612c496ae349a9795ab9d2e689ab7d87

app.bicep

extension radius

resource secretStoreGit 'Applications.Core/secretStores@2023-10-01-preview' = {
  name: 'azdevops'
  properties: {
    resource: 'radius-system/azdevops'
    type: 'generic'
    data: {
      pat: {}
      username: {}
    }
  }
}

resource env 'Applications.Core/environments@2023-10-01-preview' = {
  name: 'dv'
  properties: {
    compute: {
      kind: 'kubernetes'
      namespace: 'dv'
    }
    recipeConfig: {
      terraform: {
        authentication: {
          git: {
            pat: {
              'github.com': {
                secret: secretStoreGit.id
              }
            }
          }
        }
      }
    }
    recipes: {
      'Applications.Datastores/redisCaches': {
        default: {
          templateKind: 'terraform'
          templatePath:'git::https://github.com/radius-project/terraform-private-modules//kubernetes-redis'
        }
      }
    }
  }
}

resource recipe 'Applications.Datastores/redisCaches@2023-10-01-preview' = {
  name: 'recipe'
  properties: {
    environment: env.id
  }
}

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: azdevops
  namespace: radius-system
type: Opaque
data:
  username: dXNlcm5hbWU= # echo -n 'username' | base64
  pat: cGF0 # echo -n 'pat' | base64

Observed behavior

There is a failure on deployment.

Desired behavior

Deployment should succeed and Radius should be able to auth to the private Terraform registry successfully.

Workaround

Encode the secrets twice:

secret-doubleencoded.yaml

apiVersion: v1
kind: Secret
metadata:
  name: azdevops
  namespace: radius-system
type: Opaque
data:
  username: ZFhObGNtNWhiV1U9DQo= # echo -n 'username' | base64 | base64
  pat: Y0dGMA0K # echo -n 'pat' | base64 | base64

rad Version

❯ rad version
RELEASE VERSION BICEP COMMIT
edge v0.40.0-rc1-49-g6b227c8-dirty 0.31.92 6b227c8

Operating system

macOS Sequoia 15.2 - M1 ARM64

Additional context

No response

Would you like to support us?

  • Yes, I would like to support you

AB#13848
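Added example, not part of the original report and not Radius code: the issue does not confirm a root cause, so this models one assumption, that the value is base64-decoded a second time after the Kubernetes API has already returned decoded bytes. It uses the four `data` values from the two manifests above; the function names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// apiDecode models the first layer: a Secret manifest's `data` values are
// base64, and a Kubernetes client gets the decoded bytes back.
func apiDecode(manifestValue string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(manifestValue)
}

// consumerDecode is a hypothetical consumer (assumption, not Radius code)
// that base64-decodes the already-decoded bytes a second time.
func consumerDecode(stored []byte) ([]byte, error) {
	return base64.StdEncoding.DecodeString(string(stored))
}

// loadThroughTwoDecodes applies both layers and reports which one failed.
func loadThroughTwoDecodes(manifestValue string) (string, error) {
	stored, err := apiDecode(manifestValue)
	if err != nil {
		return "", fmt.Errorf("first decode: %w", err)
	}
	plain, err := consumerDecode(stored)
	if err != nil {
		return "", fmt.Errorf("second decode of %q: %w", stored, err)
	}
	return string(plain), nil
}

func main() {
	// Values copied from secret.yaml and secret-doubleencoded.yaml in the issue.
	for _, v := range []string{"cGF0", "dXNlcm5hbWU=", "Y0dGMA0K", "ZFhObGNtNWhiV1U9DQo="} {
		out, err := loadThroughTwoDecodes(v)
		fmt.Printf("%-22s -> %q err=%v\n", v, out, err)
	}
}
```

Under this model the single-encoded `username` value does not fail: `username` is itself valid base64, so the second decode returns six unrelated bytes with no error, and only `pat` surfaces the problem. The double-encoded values carry a trailing CRLF inside the inner layer, which Go's decoder skips.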

@willdavsmith willdavsmith added the bug Something is broken or not working as expected label Dec 19, 2024
@radius-triage-bot

👋 @willdavsmith Thanks for filing this bug report.

A project maintainer will review this report and get back to you soon. If you'd like immediate help troubleshooting, please visit our Discord server.

For more information on our triage process please visit our triage overview

@brooke-hamilton
Contributor

First step is to find the root cause of this issue. Then we can triage again to determine how to prioritize the fix.

@lakshmimsft lakshmimsft added triaged This issue has been reviewed and triaged important This item is a high priority Issue we intend to address as soon as possible labels Dec 19, 2024
@radius-triage-bot

👍 We've reviewed this issue and have agreed to add it to our backlog. Please subscribe to this issue for notifications, we'll provide updates when we pick it up.

We also welcome community contributions! If you would like to pick this item up sooner and submit a pull request, please visit our contribution guidelines and assign this to yourself by commenting "/assign" on this issue.

For more information on our triage process please visit our triage overview

@radius-triage-bot

We've prioritized work on this issue. Please subscribe to this issue for notifications, we'll provide updates as we make progress.

We also welcome community contributions! If you would like to pick this item up sooner and submit a pull request, please visit our contribution guidelines and assign this to yourself by commenting "/assign" on this issue.

For more information on our triage process please visit our triage overview
