Using secrets from GCP Secret Manager in Helm GCP Cloud Builder #579

Open
jasiu001 opened this issue Jun 9, 2022 · 1 comment

jasiu001 commented Jun 9, 2022

Affected builder image

gcr.io/cloud-builders-community/helm

Expected Behavior

When I inject secret variables from GCP Secret Manager in a helm step, the injected values should have the proper values which are hidden under their names:

```yaml
steps:
  - name: gcr.io/$PROJECT_ID/helm
    args:
      - upgrade
      - "$_NAME"
      - "./deployment/charts/$_NAME"
      - "--namespace"
      - "$_NAMESPACE"
      - "--set"
      - "secret.var3=$$VAR3"
    env:
      - "CLOUDSDK_COMPUTE_ZONE=$_GKE_LOCATION"
      - "CLOUDSDK_CONTAINER_CLUSTER=$_GKE_CLUSTER"
    secretEnv: ['VAR3']
    id: Apply deploy
substitutions:
  _GKE_LOCATION: europe-west3-b
  _GKE_CLUSTER: cluster-name
  _NAME: "test"
  _NAMESPACE: "test"
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/test-var-3/versions/latest
      env: 'VAR3'
options:
  substitution_option: 'ALLOW_LOOSE'
```

Actual Behavior

Now the injected value is equal to "$VAR3", not the value that is behind that name.

Additional Info

According to the documentation and the example in docker, to inject values properly I can use the "bash" entrypoint from the image, but when I try to do this with the helm image, as in the example below:

```yaml
steps:
  - name: gcr.io/$PROJECT_ID/helm
    entrypoint: 'bash'
    args:
      # -c makes bash run the next argument as a command string
      - -c
      - |
        helm upgrade $_NAME ./deployment/charts/$_NAME --namespace $_NAMESPACE --set secret.var3="$$VAR3"
    env:
      - "CLOUDSDK_COMPUTE_ZONE=$_GKE_LOCATION"
      - "CLOUDSDK_CONTAINER_CLUSTER=$_GKE_CLUSTER"
    secretEnv: ['VAR3']
    id: Apply deploy
substitutions:
  _GKE_LOCATION: europe-west3-b
  _GKE_CLUSTER: cluster-name
  _NAME: "test"
  _NAMESPACE: "test"
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/test-var-3/versions/latest
      env: 'VAR3'
options:
  substitution_option: 'ALLOW_LOOSE'
```

I got an error:

UPGRADE FAILED: Kubernetes cluster unreachable: Get "http://localhost:8080/version?timeout=32s": dial tcp 127.0.0.1:8080: connect: connection refused

which is understandable because helm first needs, as I understand, to connect with the cluster.

Is it possible to somehow inject values from Secret Manager properly in the traditional way, or using the 'bash' option?

wyardley (Contributor) commented

@jasiu001 I struggled with something similar (though not secret-related) recently -- because the entrypoint for the regular container vs. helm itself, if you want the magic behavior of connecting to the cluster first, when you're using bash as the entrypoint, you have to do:

```yaml
    entrypoint: bash
    args:
      # -c makes bash run the next argument as a command string
      - -c
      - |
        /builder/helm.bash upgrade $_NAME ./deployment/charts/$_NAME --namespace $_NAMESPACE --set secret.var3="$$VAR3"
```

Running helm upgrade bypasses the entrypoint in the script that handles setting up the kube context etc. for you.

With the entrypoint, maybe the issue is that it's using $@ vs $* -- not sure. I'm guessing it might be possible to make this work.
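The expansion behaviour discussed in this thread, as an added example that is not part of the issue or the builder's own code: Cloud Build turns `$$VAR3` into the literal text `$VAR3`, and only a shell that parses that text replaces it with the environment value. The sample value, `forward_args` and the three function names are assumptions made for illustration; the example goes slightly beyond the thread by also showing that forwarding with unquoted `$*` does not expand the literal either.

```shell
# Constructed stand-in for the value Cloud Build places in the step's
# environment through secretEnv; not a real secret.
export VAR3='constructed-secret-value'

# Hypothetical stand-in for a wrapper entrypoint: prints the arguments it
# received, one per line, instead of passing them on to helm.
forward_args() { printf '%s\n' "$@"; }

# What "secret.var3=$$VAR3" looks like after Cloud Build's substitution pass:
# the literal characters $VAR3. Single quotes reproduce that literal here.
AFTER_SUBSTITUTION='secret.var3=$VAR3'

# Case 1: args given as a YAML list and handed to the entrypoint as argv.
# No shell parses the argument text, so the program receives the literal.
exec_form() {
  forward_args --set "$AFTER_SUBSTITUTION" | tail -n 1
}

# Case 2: a wrapper that forwards with unquoted $* instead of "$@".
# The result of an expansion is word-split but never expanded again,
# so the literal still arrives unchanged.
star_form() {
  set -- --set "$AFTER_SUBSTITUTION"
  forward_args $* | tail -n 1
}

# Case 3: entrypoint bash with -c. bash parses the command string and
# expands $VAR3 from the environment before the command runs.
shell_form() {
  bash -c "printf '%s\n' --set $AFTER_SUBSTITUTION" | tail -n 1
}

printf 'exec form:  %s\n' "$(exec_form)"
printf 'star form:  %s\n' "$(star_form)"
printf 'shell form: %s\n' "$(shell_form)"
```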
