cloud-builders-community
Using secrets from GCP Secret Manager in Helm GCP Cloud Builder
Affected builder image
gcr.io/cloud-builders-community/helm
Expected Behavior
When I want to inject secret variables from GCP Secret Manager in a helm step, the injected values should be the actual secret values that are hidden behind their names:
steps:
  - name: gcr.io/$PROJECT_ID/helm
    args:
      - upgrade
      - "$_NAME"
      - "./deployment/charts/$_NAME"
      - "--namespace"
      - "$_NAMESPACE"
      - "--set"
      - "secret.var3=$$VAR3"
    env:
      - "CLOUDSDK_COMPUTE_ZONE=$_GKE_LOCATION"
      - "CLOUDSDK_CONTAINER_CLUSTER=$_GKE_CLUSTER"
    secretEnv: ['VAR3']
    id: Apply deploy
substitutions:
  _GKE_LOCATION: europe-west3-b
  _GKE_CLUSTER: cluster-name
  _NAME: "test"
  _NAMESPACE: "test"
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/test-var-3/versions/latest
      env: 'VAR3'
options:
  substitution_option: 'ALLOW_LOOSE'
Actual Behavior
Currently the injected value is equal to the literal string "$VAR3", not the value behind that name.
Additional Info
According to the documentation and the docker example, to inject values properly I can use the "bash" entrypoint from the image, but when I try to do this with the helm image as in the example below:
steps:
  - name: gcr.io/$PROJECT_ID/helm
    entrypoint: 'bash'
    args:
      - |
        helm upgrade $_NAME ./deployment/charts/$_NAME --namespace $_NAMESPACE --set secret.var3="$$VAR3"
    env:
      - "CLOUDSDK_COMPUTE_ZONE=$_GKE_LOCATION"
      - "CLOUDSDK_CONTAINER_CLUSTER=$_GKE_CLUSTER"
    secretEnv: ['VAR3']
    id: Apply deploy
substitutions:
  _GKE_LOCATION: europe-west3-b
  _GKE_CLUSTER: cluster-name
  _NAME: "test"
  _NAMESPACE: "test"
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/test-var-3/versions/latest
      env: 'VAR3'
options:
  substitution_option: 'ALLOW_LOOSE'
I got an error:
UPGRADE FAILED: Kubernetes cluster unreachable: Get "http://localhost:8080/version?timeout=32s": dial tcp 127.0.0.1:8080: connect: connection refused
which is understandable because, as I understand it, helm first needs to connect to the cluster.
Is it possible to inject values from Secret Manager properly in the traditional way somehow, or to use the 'bash' option?
@jasiu001 I struggled with something similar (though not secret-related) recently -- because of the difference between the entrypoint for the regular container and helm itself, if you want the magic behavior of connecting to the cluster first when you're using bash as the entrypoint, you have to do:
entrypoint: bash
args:
  - |
    /builder/helm.bash upgrade $_NAME ./deployment/charts/$_NAME --namespace $_NAMESPACE --set secret.var3="$$VAR3"
Running helm upgrade bypasses the entrypoint in the script that handles setting up the kube context etc. for you.
With the entrypoint, maybe the issue is that it's using $@ vs $* -- not sure. I'm guessing it might be possible to make this work.
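The two mechanics discussed in this thread can be reproduced locally without Cloud Build or a cluster. The script below is an added example, not code from the cloud-builders-community project or from either poster: fake_helm is a constructed stand-in for the helm binary that only reports the --set value it received, run_without_shell models the step without an entrypoint (Cloud Build has already rewritten "$$VAR3" to the literal text "$VAR3", and nothing expands it), run_with_bash models entrypoint: bash (the same text is now a shell line, so the variable that secretEnv put in the environment is expanded), and the two wrapper_* functions are hypothetical stand-ins for a helm.bash-style script, showing why such a wrapper must forward "$@" rather than $* when a secret value contains whitespace.

```shell
#!/usr/bin/env bash
# Added example; not the project's helm.bash and not the real helm binary.
set -eu

# Stand-in for helm (constructed): print whatever argument followed --set,
# so each scenario shows exactly what reached the process.
fake_helm() {
  local value=''
  while [ $# -gt 0 ]; do
    case "$1" in
      --set) value="$2"; shift 2 ;;
      *)     shift ;;
    esac
  done
  printf '%s\n' "$value"
}

# No shell entrypoint: Cloud Build turned "$$VAR3" into the literal
# characters $VAR3 inside argv, and helm receives them unchanged.
# This is the "Actual Behavior" from the issue.
run_without_shell() {
  local VAR3='s3cret'   # what secretEnv: ['VAR3'] places in the environment
  fake_helm upgrade test ./deployment/charts/test --set 'secret.var3=$VAR3'
}

# entrypoint: bash: the same text is parsed as shell, so $VAR3 is expanded
# from the environment before helm sees the argument.
run_with_bash() {
  local VAR3='s3cret'
  local line='fake_helm upgrade test ./deployment/charts/test --set secret.var3="$VAR3"'
  eval "$line"
}

# Hypothetical wrappers for a script that prepares the kube context and then
# hands the arguments on to helm. Only the forwarding differs.
wrapper_with_at()   { fake_helm "$@"; }   # keeps every argument intact
wrapper_with_star() { fake_helm $*;   }   # re-splits the joined string on whitespace

# A secret value containing a space survives "$@" but is cut at the space by $*.
forward_with_at()   { wrapper_with_at   upgrade test ./chart --set 'secret.var3=two words'; }
forward_with_star() { wrapper_with_star upgrade test ./chart --set 'secret.var3=two words'; }

# Stand-alone run: print all four outcomes side by side.
main() {
  printf 'no entrypoint   : %s\n' "$(run_without_shell)"
  printf 'bash entrypoint : %s\n' "$(run_with_bash)"
  printf 'wrapper "$@"    : %s\n' "$(forward_with_at)"
  printf 'wrapper $*      : %s\n' "$(forward_with_star)"
}
main "$@"
```

The first two functions explain the symptom in the issue: the $$ escape only protects the text from Cloud Build's own substitution, and something still has to expand $VAR3 afterwards, which is the job of a shell entrypoint. The last two functions are the practical check for the $@ vs $* question in the reply: if a wrapper uses unquoted $*, any secret containing whitespace is silently truncated before helm sees it, so quoting both in the wrapper ("$@") and in the --set argument ("$$VAR3" inside double quotes, as in the reply) is what keeps the value intact.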