pipecd icon indicating copy to clipboard operation
pipecd copied to clipboard
verified publisher icon pipe-cd

Error when using encryptionSecret and prometheus alertManager Template

Open ffjlabo opened this issue 1 year ago • 2 comments

What happened: When we tried to deploy kube-prometheus-stack by using PipeCD, plan preview failed like this↓

Add_kustomization_file_by_ffjlabo_·_Pull_Request__7_·_ca-dp_ffjlabo-dev

What you expected to happen:

We want to succeed to do a plan preview.

How to reproduce it:

  • Register k8s app with a helm chart kube-prometheus-stack
  • use both secret management (from PipeCD) and custom alert template in values.yaml like below↓

values.yaml

alertmanager:
...
  config:
    receivers:
    - name: 'pagerduty-notifications'
      pagerduty_configs:
      - service_key: {{.encryptedSecrets.key}}
  templateFiles:
     template_2.tmpl: |-
       {{ define "slack.custom.v2.text" }}
       {{ range .Alerts }}
         {{ if eq .Status "firing" }}{{ .Annotations.description }}{{else}}{{ .Annotations.resolved_description }}{{end}}
       {{ end }}
       {{ end }}

       {{ define "slack.custom.v2.title" }} [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }} {{ .GroupLabels.severity }}] {{ .GroupLabels.alertname }} {{ end }}

Environment:

  • piped version:
  • control-plane version:
  • Others:

ffjlabo avatar Mar 07 '24 05:03 ffjlabo

This happens because the custom alert template is parsed as Golang's text/template when parsing the encryptionSecret (from PipeCD).

ffjlabo avatar Mar 07 '24 06:03 ffjlabo

Workaround:

  1. Use a Secret resource for .encryptedSecrets.key and don't use it on a file.
  2. Surround the part of the alert templating string by {{``}}. The surrounded part is parsed as just a string in Golang's text/template ref: https://github.com/helm/helm/issues/2798#issuecomment-467319526

ffjlabo avatar Mar 07 '24 06:03 ffjlabo