SOPS cannot decrypt AGE-encrypted files inside CloudControl containers #191

@ardentalliance

When running SOPS inside the CloudControl Tanzu image (tested using both latest and older versions) on macOS v.26, SOPS is unable to decrypt any AGE-encrypted files. This is despite the AGE-SECRET-KEY variable being in the environment (and being echoed correctly when using the env command inside the container). The key works outside of the container and decrypts as expected there. It always fails inside CloudControl with the following error message:

age1xxxxxxxxxxxxxxxx: FAILED - | failed to create reader for decrypting sops data key with | age: no identity matched any of the recipients. Did not find | keys in locations 'SOPS_AGE_SSH_PRIVATE_KEY_FILE', | '/home/cloudcontrol/.ssh/id_ed25519', | '/home/cloudcontrol/.ssh/id_rsa', 'SOPS_AGE_KEY_FILE', and | 'SOPS_AGE_KEY_CMD'.

My AGE public key is confirmed correct on the sops.age recipient list.
