-
fluxcd/tap/flux 0.13.4

Working through the examples here: https://fluxcd.io/docs/guides/mozilla-sops/

The sops --in-place file shows this error after encrypting:

```
Key 'sops' is not expected here
```

After a sync the flux logs show this error:

```
error validating data: ValidationError(Secret): unknown field "sops" in io.k8s.api.core.v1.Secret;
```

Is there a reason for this that is not in the example?

After recreating a cluster that was working fine I now have the following error in flux logs after applying the bootstrap again to a newly built k3d cluster:

```
validation failed: error: error validating "ff694d6f-167b-43a7-9dac-992072371acf.yaml": error validating data: ValidationError(Secret): unknown field "sops" in io.k8s.api.core.v1.Secret; if you choose to ignore these errors, turn validation off with --validate=false
```

I thought sops was built into 0.13.4, so why does it not validate the secrets.yaml that has a sops: element?
Replies: 2 comments
-
Found my own answer.

```yaml
apiVersion: v1
sops:
```

This appears in the YAML as not expected and in IntelliJ shows up in red, but deploying the file works OK, so it's not really an error.
-
If you get this error in the logs:

```
validation failed: error: error validating "ff694d6f-167b-43a7-9dac-992072371acf.yaml": error validating data: ValidationError(Secret): unknown field "sops" in io.k8s.api.core.v1.Secret; if you choose to ignore these errors, turn validation off with --validate=false
```

My issue that I found had to do with a manual edit to gotk-sync.yaml that was overwritten on a new flux bootstrap cli:

```yaml
spec:
  interval: 10m0s
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
```

Solution: create a sops-config.yaml

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
```

Then update kustomization.yaml like this so it will apply the decryption on subsequent bootstraps properly:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
patchesStrategicMerge:
- sops-config.yaml
```

For my cluster the bootstrap YAMLs are stored in a directory /clusters/localdev/flux-system

Also make sure you have installed the matching key in sops-config.yaml with this on your local command line, assuming you have already exported your key fingerprint into KEY_FP:

```sh
gpg --list-secret-keys   # outputs a list of key fingerprints, for example:
# sec   rsa4096 2020-09-06 [SC]
#       1F3D1CED2F865F5E59CA564553241F147E7C5FA4
export KEY_FP=1F3D1CED2F865F5E59CA564553241F147E7C5FA4
```

Now install the secret into the cluster so flux-system can use it to decode:

```sh
gpg --export-secret-keys --armor "${KEY_FP}" |
kubectl create secret generic sops-gpg \
  --namespace=flux-system \
  --from-file=sops.asc=/dev/stdin
```
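A preflight check for the fix described in the answer above, as an added example that is not part of the original thread: it confirms that a patch listed under `patchesStrategicMerge` sets `decryption.provider: sops`, and flags the case where that setting exists only in gotk-sync.yaml, which a new bootstrap overwrites. The function names are hypothetical, and the sample files are constructed (shortened) from the YAML in the answer.

```shell
#!/bin/sh
# Added example, not from the thread. File names follow the answer above;
# the function names are hypothetical.

# Print the files listed under patchesStrategicMerge in a kustomization.yaml.
list_patches() {
    awk '
        /^patchesStrategicMerge:/ { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]*/ { sub(/^[ \t]*-[ \t]*/, ""); print; next }
        in_list && /^[^ \t#]/ { in_list = 0 }
    ' "$1"
}

# Succeed if the file sets "provider: sops" inside a "decryption:" block.
has_sops_decryption() {
    [ -f "$1" ] || return 1
    awk '
        /^[^ \t]/ { in_dec = 0 }
        /^[ \t]+decryption:[ \t]*$/ { in_dec = 1; next }
        in_dec && /^[ \t]+provider:[ \t]*sops[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 0 = patch wired in; 1 = no decryption found; 2 = no kustomization.yaml;
# 3 = decryption only in gotk-sync.yaml, which bootstrap regenerates.
check_flux_sops() {
    dir=$1
    [ -f "$dir/kustomization.yaml" ] || return 2
    for patch in $(list_patches "$dir/kustomization.yaml"); do
        has_sops_decryption "$dir/$patch" && return 0
    done
    has_sops_decryption "$dir/gotk-sync.yaml" && return 3
    return 1
}

# Constructed sample: the layout from the answer, written to a temp directory.
make_sample() {
    mkdir -p "$1"
    printf 'spec:\n  interval: 10m0s\n' > "$1/gotk-sync.yaml"
    printf 'spec:\n  decryption:\n    provider: sops\n    secretRef:\n      name: sops-gpg\n' > "$1/sops-config.yaml"
    printf 'resources:\n- gotk-components.yaml\n- gotk-sync.yaml\npatchesStrategicMerge:\n- sops-config.yaml\n' > "$1/kustomization.yaml"
}

tmp=$(mktemp -d)
make_sample "$tmp/flux-system"
check_flux_sops "$tmp/flux-system"; echo "exit code: $?"
rm -rf "$tmp"
```

Point `check_flux_sops` at the cluster's flux-system directory (in the answer, /clusters/localdev/flux-system) before re-running bootstrap.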