dosubot[bot] commented on issue #36139: URL: https://github.com/apache/superset/issues/36139#issuecomment-3542919038
<!-- Greeting --> Hi @TobSchwa94! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team. <!-- Answer --> The "invalid decryption key" error during secret key rotation in Kubernetes usually means Superset can't decrypt existing secrets with the provided PREVIOUS_SECRET_KEY. Here are the most common pitfalls and how to address them: - For Superset 5.0.0, set the new key using SUPERSET_SECRET_KEY (not just SECRET_KEY) in your environment or Helm values. The config reads SECRET_KEY from SUPERSET_SECRET_KEY in the environment, so using only SECRET_KEY may not work as expected [reference](https://github.com/apache/superset/discussions/23598). - Make sure PREVIOUS_SECRET_KEY is exactly the key that was used to encrypt secrets in your metadata DB. If you originally set up with Docker Compose, double-check that you are using the same value as before. - Only use a single configOverrides block in your Helm values.yaml. Multiple blocks can cause config issues and pod crashes [reference](https://github.com/apache/superset/discussions/33941). - After updating the keys, ensure all Superset pods are restarted so they pick up the new environment variables. - You can also pass the previous key directly to the re-encrypt command: `superset re-encrypt-secrets --previous_secret_key=your_previous_secret_key` [reference](https://github.com/apache/superset/issues/33595). - If you still get errors, exec into the pod and run `env` to confirm the environment variables are set as expected. Also, check pod logs for any stack traces or permission errors. If you confirm all of the above and still see the error, please share the exact way you're setting these keys in your Helm values or manifests, and any relevant pod logs. This will help pinpoint if it's a config propagation issue or something else. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/cc3612b2-40a7-4c25-a82b-ee27662fdfbf?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/cc3612b2-40a7-4c25-a82b-ee27662fdfbf?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/cc3612b2-40a7-4c25-a82b-ee27662fdfbf?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/cc3612b2-40a7-4c25-a82b-ee27662fdfbf?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/cc3612b2-40a7-4c25-a82b-ee27662fdfbf?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/cc3612b2-40a7-4c25-a82b-ee27662fdfbf?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/cc3612b2-40a7-4c25-a82b-ee27662fdfbf?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=githu b) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/issues/36139) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
