Troubleshoot github_private_pem regression in v24
Categories
(Taskcluster :: Operations and Service Requests, task)
Tracking
(Not tracked)
People
(Reporter: edunham, Assigned: dustin)
Details
Taskcluster staging is currently broken on v24 with failures in the github service of the form:
Error: Malformed GITHUB_PRIVATE_PEM: must match /-----BEGIN RSA PRIVATE KEY-----(\n|\\n).*(\n|\\n)-----END RSA PRIVATE KEY-----(\n|\\n)?/; got a value of length 1679
I suspect the env var json encoding changes in v24 may be relevant.
Some hints from Slack: The Helm is:
GITHUB_PRIVATE_PEM: '{{ if typeIs "<nil>" .Values.github.github_private_pem }}{{ else }}{{ if typeIs "string" .Values.github.github_private_pem }}{{ .Values.github.github_private_pem | b64enc }}{{ else }}{{ .Values.github.github_private_pem | toJson | b64enc }}{{ end }}{{ end }}'
The input YAML, with secret bits replaced by pwgen rubbish of course, is of the form:
github:
  github_private_pem: |
    -----BEGIN RSA PRIVATE KEY-----
    es1ho3hh5ae/ghe
    ...
    up4e/ph7wie
    -----END RSA PRIVATE KEY-----
Filing this as a reminder to take a look tomorrow.
Comment 1 • 5 years ago (Assignee)
I used exactly that yaml in my dev env, and:
(go1.12.13) (v12.13.1) (sandbox) dustin@lamport ~/p/taskcluster [master] $ kubectl get secret taskcluster-github -oyaml
apiVersion: v1
data:
...
GITHUB_PRIVATE_PEM: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQplczFobzNoaDVhZS9naGUKLi4uCnVwNGUvcGg3d2llCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
...
(go1.12.13) (v12.13.1) (sandbox) dustin@lamport ~/p/taskcluster [master] $ echo LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQplczFobzNoaDVhZS9naGUKLi4uCnVwNGUvcGg3d2llCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== | base64 -d; echo
-----BEGIN RSA PRIVATE KEY-----
es1ho3hh5ae/ghe
...
up4e/ph7wie
-----END RSA PRIVATE KEY-----
but the github service doesn't ingest that correctly. I can reproduce in a test.
Comment 2 • 5 years ago (Assignee)
Comment 3 • 5 years ago (Assignee)
As a workaround, this did work for me:
github:
  github_private_pem: -----BEGIN RSA PRIVATE KEY-----\nes1ho3hh5ae/ghe\n...\nup4e/ph7wie\n-----END RSA PRIVATE KEY-----
That said, once the above is merged we can ship a 24.0.1 and just deploy that -- that seems the better solution.
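Added example, not part of the bug thread or the Taskcluster code base: the pattern printed in the error message, evaluated as a flagless JavaScript RegExp (an assumption), against the block-scalar value from the report and the single-line workaround from comment 3. DOTALL_PATTERN, normalizePem and check are hypothetical names, and the dotAll variant is not claimed to be the change that shipped in 24.0.1.

```javascript
// Pattern copied from the error message on this page (no RegExp flags).
// Without the `s` flag, `.` does not match line terminators, so `.*` can
// only span a body that sits on a single line.
const PAGE_PATTERN =
  /-----BEGIN RSA PRIVATE KEY-----(\n|\\n).*(\n|\\n)-----END RSA PRIVATE KEY-----(\n|\\n)?/;

// Assumed alternative, not the project's fix: the `s` (dotAll) flag lets `.`
// cross line breaks, so a body spanning several lines is accepted.
const DOTALL_PATTERN =
  /-----BEGIN RSA PRIVATE KEY-----(\n|\\n).*(\n|\\n)-----END RSA PRIVATE KEY-----(\n|\\n)?/s;

// Constructed sample values: the pwgen placeholder key from the report.
const HEADER = '-----BEGIN RSA PRIVATE KEY-----';
const FOOTER = '-----END RSA PRIVATE KEY-----';
const BODY = ['es1ho3hh5ae/ghe', '...', 'up4e/ph7wie'];

// What the YAML block scalar (`|`) yields: real newlines, trailing newline.
const blockScalarPem = [HEADER, ...BODY, FOOTER].join('\n') + '\n';

// What the single-line workaround yields: literal backslash-n separators.
const escapedPem = [HEADER, ...BODY, FOOTER].join('\\n');

// Hypothetical helper: convert literal "\n" sequences to real newlines so
// either spelling ends up in one canonical form before the key is used.
function normalizePem(value) {
  return value.replace(/\\n/g, '\n').trimEnd() + '\n';
}

// Report which inputs a pattern accepts, without ever printing the key.
function check(pattern) {
  return {
    blockScalar: pattern.test(blockScalarPem),
    escaped: pattern.test(escapedPem),
  };
}

console.log('pattern from error message:', check(PAGE_PATTERN));
console.log('with dotAll flag:', check(DOTALL_PATTERN));
console.log('canonical forms equal:',
  normalizePem(escapedPem) === normalizePem(blockScalarPem));
```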
Comment 4 • 5 years ago (Assignee)
Landed, and 24.0.1 is in the oven, so let's just plan to deploy that and not 24.0.0.
Comment 5 • 5 years ago (Assignee)
24.0.1 is out. edunham, can you confirm it addresses this issue?
I'll try 24.0.1 on stage and see what it does now