Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Endless loop in controller on invalid base64 encrypted data #201

Closed
catac opened this issue Jul 25, 2019 · 2 comments · Fixed by #206
Closed

Endless loop in controller on invalid base64 encrypted data #201

catac opened this issue Jul 25, 2019 · 2 comments · Fixed by #206
Assignees
@mkmik
Labels
bug
Milestone
v0.8.2

Comments

@catac
Copy link
Contributor

catac commented Jul 25, 2019

It seems that improperly encoded base64 encryptedData causes an endless loop in the controller. For example:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: brokenss
spec:
  encryptedData:
    foo: foo1foo
    bar: bar1bar

As soon as this kind of broken sealed-secret is added, controller will log each second a new message like this:

E0725 15:10:11.704525       1 reflector.go:205] github.com/bitnami-labs/sealed-secrets/cmd/controller/controller.go:155: Failed to list *v1alpha1.SealedSecret: v1alpha1.SealedSecretList.Items: []v1alpha1.SealedSecret: v1alpha1.SealedSecret.Spec: v1alpha1.SealedSecretSpec.EncryptedData: decode base64: illegal base64 data at input byte 4, error found in #10 byte of ...|:"bar1bar","foo":"fo|..., bigger context ...|0000001"},"spec":{"encryptedData":{"bar":"bar1bar","foo":"foo1foo"}}},{"apiVersion":"bitnami.com/v1a|...

Unfortunately, this blocks the processing of any other sealed-secret added afterwards. The only way to break the loop is to delete the broken sealed-secret.

I tried looking in the code for a way to catch the base64-decoding error and consider the sealed-secret broken, as when the key doesn't match. But it seems this happens too deep in the call stack. The only way I found to "fix" the problem was to change the type of the encryptedData field in the SealedSecretSpec struct to string instead of []byte so that we control the base64-decoding. You can find here the full set of changes for this.

Please let me know if this approach is ok for you and I'll be happy to adapt the code to your comments and come back with a PR. Or maybe you see a better approach?

Thanks!
@mkmik mkmik added the bug label Jul 25, 2019
@mkmik
Copy link
Collaborator

mkmik commented Jul 25, 2019

@catac thank you very much; I can't think of a better approach; accepting the PR

This was referenced Jul 25, 2019
Closed
Merged
bors bot added a commit that referenced this issue Jul 26, 2019
@bors @catac
Merge #206
42b5c46 
206: Fix endless loop when a single sealedsecret has a base64 decode error r=mkmik a=mkmik

Closes #201 

Supersedes #203, adding fixes to tests and addressing review comments (created new PR because I cannot add commits in that fork)

Co-authored-by: catac <catalin.cirstoiu@gmail.com>
Co-authored-by: Marko Mikulicic <mkm@bitnami.com>
@mkmik mkmik added this to the v0.8.2 milestone Jul 26, 2019
@mkmik mkmik self-assigned this Jul 26, 2019
@bors bors bot closed this as completed in #206 Jul 26, 2019
@catac
Copy link
Contributor Author

catac commented Jul 26, 2019

Wow, that was fast! Thanks a lot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mkmik mkmik

Labels
bug
Projects
None yet
Milestone
v0.8.2
2 participants
@mkmik @catac