GoogleCloudPlatform / cloud-builders-community

Community-contributed images for Google Cloud Build
https://cloud.google.com/cloud-build/
Apache License 2.0

Using secrets from GCP Secret Manager in Helm GCP Cloud Builder #579

Open jasiu001 opened 2 years ago

jasiu001 commented 2 years ago

Affected builder image

gcr.io/cloud-builders-community/helm

Expected Behavior

When I want to inject secret variables from GCP Secret Manager in a helm step, the injected values should have the proper values which are hidden under their names:

steps:
  - name: gcr.io/$PROJECT_ID/helm
    args:
      - upgrade
      - "$_NAME"
      - "./deployment/charts/$_NAME"
      - "--namespace"
      - "$_NAMESPACE"
      - "--set"
      - "secret.var3=$$VAR3"
    env:
      - "CLOUDSDK_COMPUTE_ZONE=$_GKE_LOCATION"
      - "CLOUDSDK_CONTAINER_CLUSTER=$_GKE_CLUSTER"
    secretEnv: ['VAR3']
    id: Apply deploy
substitutions:
  _GKE_LOCATION: europe-west3-b
  _GKE_CLUSTER: cluster-name
  _NAME: "test"
  _NAMESPACE: "test"
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/test-var-3/versions/latest
      env: 'VAR3'
options:
  substitution_option: 'ALLOW_LOOSE'

Actual Behavior

Now the injected value is equal to "$VAR3", not the value that is behind that name.

Additional Info

According to the documentation and the docker example, to inject values properly I can use the "bash" entrypoint from the image, but when I try to do this with the helm image as in the example below:

steps:
  - name: gcr.io/$PROJECT_ID/helm
    entrypoint: 'bash'
    args:
      - |
        helm upgrade $_NAME ./deployment/charts/$_NAME --namespace $_NAMESPACE --set secret.var3="$$VAR3"
    env:
      - "CLOUDSDK_COMPUTE_ZONE=$_GKE_LOCATION"
      - "CLOUDSDK_CONTAINER_CLUSTER=$_GKE_CLUSTER"
    secretEnv: ['VAR3']
    id: Apply deploy
substitutions:
  _GKE_LOCATION: europe-west3-b
  _GKE_CLUSTER: cluster-name
  _NAME: "test"
  _NAMESPACE: "test"
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/test-var-3/versions/latest
      env: 'VAR3'
options:
  substitution_option: 'ALLOW_LOOSE'

I got an error:

UPGRADE FAILED: Kubernetes cluster unreachable: Get "http://localhost:8080/version?timeout=32s": dial tcp 127.0.0.1:8080: connect: connection refused

which is understandable because, as I understand it, helm first needs to connect to the cluster.

Is it possible to somehow inject values from Secret Manager properly in the traditional way, or to use the 'bash' option?

wyardley commented 1 year ago

@jasiu001 I struggled with something similar (though not secret-related) recently -- because of the entrypoint for the regular container vs. helm itself: if you want the magic behavior of connecting to the cluster first when you're using bash as the entrypoint, you have to do:

    entrypoint: bash
    args:
      - |
        /builder/helm.bash upgrade $_NAME ./deployment/charts/$_NAME --namespace $_NAMESPACE --set secret.var3="$$VAR3"

Running helm upgrade bypasses the entrypoint in the script that handles setting up the kube context etc. for you.

With the entrypoint, maybe the issue is that it's using $@ vs $* -- not sure. I'm guessing it might be possible to make this work.
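As an added illustration of the mechanism behind this thread (not code from the issue, and not from the cloud-builders-community project), the script below simulates what Cloud Build does with a step's `args`: `$$` becomes a literal `$`, user substitutions such as `$_NAME` are replaced, and `secretEnv` only exports the secret into the step's environment. With no `entrypoint`, the substituted strings go straight into argv and nothing ever reads `$VAR3`; with a shell entrypoint, the shell parses the string and expands the variable. `cb_substitute` is a hypothetical model that handles only `$_NAME` and `$$`, `fake_helm` is a stand-in that echoes its argv instead of running helm, and the secret value `s3cret` is constructed. The cluster set-up that the real image does in `/builder/helm.bash` (the path quoted in the comment above) is not modelled.

```bash
#!/usr/bin/env bash
# Constructed example: simulate Cloud Build's handling of step args to show
# why "secret.var3=$$VAR3" reaches helm literally without a shell entrypoint.

# Hypothetical model of Cloud Build substitution. Only two rules are
# modelled: "$_NAME" is replaced by the supplied value, and "$$" becomes a
# literal "$". Variables from secretEnv are NOT substituted here; Cloud Build
# only exports them into the container's environment.
cb_substitute() {
  local s=$1 name=$2
  s=${s//'$_NAME'/$name}
  s=${s//'$$'/'$'}
  printf '%s' "$s"
}

# Stand-in for the helm binary: print each argv element on its own line so
# we can see exactly what the process received. (A real helm would not, and
# should not, echo secret values into the build log.)
fake_helm() {
  printf '%s\n' "$@"
}

# Case 1: no entrypoint. Each substituted arg is passed directly as argv.
# VAR3 is present in the environment, exactly as secretEnv would make it,
# but no shell is involved, so "$VAR3" stays a literal string.
run_without_shell() {
  local name setarg
  name=$(cb_substitute '$_NAME' test)
  setarg=$(cb_substitute 'secret.var3=$$VAR3' test)
  VAR3='s3cret' fake_helm upgrade "$name" --set "$setarg"
}

# Case 2: bash entrypoint. The single substituted arg is a script body; the
# shell parses it and expands "$VAR3" from the environment secretEnv set.
run_with_shell() {
  local script
  script=$(cb_substitute 'fake_helm upgrade $_NAME --set secret.var3="$$VAR3"' test)
  # script now reads: fake_helm upgrade test --set secret.var3="$VAR3"
  ( VAR3='s3cret'; eval "$script" )
}

# Convenience: the value of the --set argument helm actually received.
received_set_arg() {
  "$1" | tail -n 1
}

main() {
  echo "without shell entrypoint:"; run_without_shell
  echo "with shell entrypoint:";    run_with_shell
}
main
```

Running it prints `secret.var3=$VAR3` for the first case and `secret.var3=s3cret` for the second, which is the difference between the two YAML snippets in the issue. The same reasoning is why the `/builder/helm.bash` wrapper matters: a shell entrypoint gives you expansion, but it also skips whatever the image's own entrypoint would have done (here, the cluster connection) unless you call that wrapper explicitly.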