Description
From https://github.com/tigerpeng2001/graylog-helm/blob/main/evaluation.txt
When TLS is enabled, `GRAYLOG_HTTP_TLS_KEY_PASSWORD` is emitted under `data:` as a plain quoted string rather than a base64-encoded value, so the API server rejects the whole Secret. (Note that base64 is an encoding, not protection: once this is fixed the password is still readable by anyone who can `get` Secrets in the namespace, and it is also stored in the Helm release record.)
graylog-helm/charts/graylog/templates/config/secret/secrets.yaml
Lines 75 to 77 in 5ffb072
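{{- if .Values.graylog.config.tls.enabled }}
# Everything under `data:` must be base64-encoded; the original template passed the
# raw value through `quote` only, which the API server rejects with
# "illegal base64 data". Encode it here (alternatively move the key under
# `stringData:`, which the API server base64-encodes on write).
GRAYLOG_HTTP_TLS_KEY_PASSWORD: {{ .Values.graylog.config.tls.keyPassword | b64enc | quote }}
{{- end }}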
How to reproduce?
- Install normally
helm upgrade --install mongodb-kubernetes-operator mongodb-kubernetes \
--repo https://mongodb.github.io/helm-charts --version "1.6.1" \
--set operator.watchNamespace="*" --reuse-values \
--namespace operators --create-namespace
helm install graylog graylog/graylog -n graylog --create-namespace --set graylog.service.type=LoadBalancer
- Add `my-graylog.local` to your `/etc/hosts`
- Generate a new encrypted cert-key pair (without `-nodes`, `openssl req` prompts for a pass phrase and writes an encrypted private key)
mkdir encrypted-cert
cd encrypted-cert
openssl req -newkey rsa:2048 -keyout tls.key -x509 -days 7 -out tls.crt \
-subj "/CN=my-graylog.local" -addext "subjectAltName = DNS:*.graylog-svc.graylog.svc.cluster.local"
(note: the SAN does not cover `my-graylog.local`; clients validate the SAN, not the CN, so expect a hostname mismatch when browsing to that name)
- Create a new secret
kubectl create secret generic my-tls -n graylog --from-file=tls.key --from-file=tls.crt
- Attempt to upgrade
helm upgrade graylog graylog/graylog -n graylog --reuse-values \
--set graylog.config.tls.enabled=true \
--set graylog.config.tls.secretName=my-tls \
--set graylog.config.tls.updateKeyStore=true \
--set graylog.config.tls.keyPassword=hunter2
(passing the password via `--set` also leaves it in shell history and in the Helm release record; outside a throwaway repro prefer a values file or a pre-existing Secret)
An error message similar to this should show up:
Error: UPGRADE FAILED: cannot patch "graylog-secrets" with kind Secret: "" is invalid: patch: Invalid value: "{"apiVersion":"v1","data":{"GRAYLOG_HTTP_TLS_KEY_PASSWORD":"hunter2","GRAYLOG_MONGODB_URI":"","GRAYLOG_PASSWORD_SECRET":"","GRAYLOG_ROOT_PASSWORD_SHA2":"","GRAYLOG_ROOT_USERNAME":""},"kind":"Secret","metadata":{"annotations":{"meta.helm.sh/release-name":"graylog","meta.helm.sh/release-namespace":"graylog"},"creationTimestamp":"2025-12-23T10:20:37Z","labels":{"app.kubernetes.io/instance":"graylog","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"graylog","app.kubernetes.io/version":"7.0","helm.sh/chart":"graylog-1.0.0"},"managedFields":[{"manager":"helm","operation":"Update","apiVersion":"v1","time":"2025-12-23T10:28:25Z","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:GRAYLOG_MONGODB_URI":{},"f:GRAYLOG_PASSWORD_SECRET":{},"f:GRAYLOG_ROOT_PASSWORD_SHA2":{},"f:GRAYLOG_ROOT_USERNAME":{}},"f:metadata":{"f:annotations":{".":{},"f:meta.helm.sh/release-name":{},"f:meta.helm.sh/release-namespace":{}},"f:labels":{".":{},"f:app.kubernetes.io/instance":{},"f:app.kubernetes.io/managed-by":{},"f:app.kubernetes.io/name":{},"f:app.kubernetes.io/version":{},"f:helm.sh/chart":{}}},"f:type":{}}}],"name":"graylog-secrets","namespace":"graylog","resourceVersion":"3311","uid":"b0de52b2-f8d9-4f2e-b22d-004332fe142b"},"type":"Opaque"}": illegal base64 data at input byte 4
Meanwhile `graylog-0` falls into `CrashLoopBackOff` because the main container cannot decode the key; the trace below is consistent with the encrypted key file being parsed as an unencrypted PKCS#8 key, i.e. the password never reached Graylog:
2025-12-23 10:55:12,600 ERROR: org.graylog2.bootstrap.ServerBootstrap - Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:765)
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:586)
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:300)
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:370)
at org.graylog2.bootstrap.CmdLineTool.doRun(CmdLineTool.java:382)
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:287)
at org.graylog2.bootstrap.Main.main(Main.java:57)
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.security.GeneralSecurityException: java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:88)
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:374)
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:196)
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:162)
at com.google.common.util.concurrent.AbstractIdleService$DelegateService.lambda$doStart$0(AbstractIdleService.java:65)
at com.google.common.util.concurrent.Callables.lambda$threadRenaming$1(Callables.java:104)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked
at org.graylog2.shared.security.tls.PemKeyStore.doBuildKeyStore(PemKeyStore.java:111)
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:85)
... 6 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Unable to decode key
at jdk.crypto.ec/sun.security.ec.ECKeyFactory.engineGeneratePrivate(Unknown Source)
at java.base/java.security.KeyFactory.generatePrivate(Unknown Source)
at org.graylog2.shared.security.tls.PemKeyStore.doBuildKeyStore(PemKeyStore.java:109)
... 7 more
Caused by: java.security.InvalidKeyException: Unable to decode key
at java.base/sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at java.base/sun.security.pkcs.PKCS8Key.(Unknown Source)
at jdk.crypto.ec/sun.security.ec.ECPrivateKeyImpl.(Unknown Source)
at jdk.crypto.ec/sun.security.ec.ECKeyFactory.implGeneratePrivate(Unknown Source)
... 10 more
Caused by: java.io.IOException: DerValue.getBigIntegerInternal, not expected 48
at java.base/sun.security.util.DerValue.getBigIntegerInternal(Unknown Source)
at java.base/sun.security.util.DerValue.getIntegerInternal(Unknown Source)
at java.base/sun.security.util.DerValue.getInteger(Unknown Source)
at java.base/sun.security.util.DerInputStream.getInteger(Unknown Source)
... 14 more