Open sadym opened 3 years ago
The error goes undetected because the `secret populate` exit code is ignored in the `make-pr` task. Log from a fresh jx3 install with terraform/gke/gsm/dns/tls:
```text
VAULT_ADDR=https://vault.jx-vault:8200 VAULT_NAMESPACE=jx-vault jx secret populate --source filesystem --secret-namespace jx-vault
WARNING: failed to find secret nexus in namespace jx so cannot resolve template
WARNING: failed to find secret nexus in namespace jx so cannot resolve template
Error: failed to populate secrets: failed to save properties key: tf-jx-heroic-hamster-jx-maven-settings properties: settingsXml, securityXml on ExternalSecret jenkins-maven-settings: error getting GCP secrets manager secret value for secret name tf-jx-heroic-hamster-jx-maven-settings in project test2-adrian-jx: error getting secret value for secret tf-jx-heroic-hamster-jx-maven-settings for GCP secrets manager project test2-adrian-jx: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/test2-adrian-jx/secrets/tf-jx-heroic-hamster-jx-maven-settings/versions/latest' (or it may not exist).
Usage:
  populate [flags]
Examples:
  jx-secret populate
Flags:
  -b, --batch-mode                   Runs in batch mode without prompting for user input
      --boot-secret-namespace string the namespace to that contains the boot secret used to populate git secrets from
  -d, --dir string                   the directory to look for the .jx/secret/mapping/secret-mappings.yaml file (default ".")
  -f, --filter string                the filter to filter on ExternalSecret names
      --helm-secrets-dir string      the directory where the helm secrets live with a folder per namespace and a file with a '.yaml' extension for each secret name. Defaults to $JX_HELM_SECRET_FOLDER
  -h, --help                         help for populate
      --log-level string             Sets the logging level. If not specified defaults to $JX_LOG_LEVEL
      --no-wait                      disables waiting for the secret store (e.g. vault) to be available
  -n, --ns string                    the namespace to filter the ExternalSecret resources
      --secret-namespace string      the namespace in which secret infrastructure resides such as Hashicorp Vault (default "jx-vault")
  -s, --source string                the source location for the ExternalSecrets, valid values include filesystem or kubernetes (default "kubernetes")
      --verbose                      Enables verbose output. The environment variable JX_LOG_LEVEL has precedence over this flag and allows setting the logging level to any value of: panic, fatal, error, warn, info, debug, trace
  -w, --wait duration                the maximum time period to wait for the vault pod to be ready if using the vault backendType (default 2h0m0s)
error: failed to populate secrets: failed to save properties key: tf-jx-heroic-hamster-jx-maven-settings properties: settingsXml, securityXml on ExternalSecret jenkins-maven-settings: error getting GCP secrets manager secret value for secret name tf-jx-heroic-hamster-jx-maven-settings in project test2-adrian-jx: error getting secret value for secret tf-jx-heroic-hamster-jx-maven-settings for GCP secrets manager project test2-adrian-jx: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/test2-adrian-jx/secrets/tf-jx-heroic-hamster-jx-maven-settings/versions/latest' (or it may not exist).
make[1]: [versionStream/src/Makefile.mk:122: fetch] Error 1 (ignored)
```
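The `Error 1 (ignored)` line is GNU make reporting that the recipe line's exit status was discarded (a `-` prefix on the recipe line, or `-i`/`.IGNORE`), so the `fetch` target, and with it the PR job, still finishes green even though `jx secret populate` failed with `PermissionDenied`. The following is an added example, not code from jx3-versions or jx-secret: it emulates the ignored recipe with plain shell so it runs without make or jx, uses a constructed stand-in (`fake_jx_secret_populate`) that prints an error modelled on the log above, and shows a guard (`check_populate_log`, a hypothetical name) that fails the step whenever the captured log contains a secret-store permission error, for pipelines that cannot yet drop the ignore.

```shell
#!/bin/sh
# Added example (not jx3-versions or jx-secret code). Emulates a make recipe
# whose exit status is ignored, the same recipe with the ignore removed, and
# a log-based guard that catches the permission error either way.

# Constructed stand-in for `jx secret populate` failing on a PR job.
# Writes output modelled on the issue log to stderr and exits 1.
fake_jx_secret_populate() {
    echo "WARNING: failed to find secret nexus in namespace jx so cannot resolve template" >&2
    echo "error: failed to populate secrets: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/example/secrets/example/versions/latest' (or it may not exist)." >&2
    return 1
}

# Recipe as it behaves today: the populate status is thrown away, so the
# step returns 0.  "|| true" has the same effect as a "-" prefixed line in
# a Makefile ("Error 1 (ignored)").  $1 is the file the log is captured to.
fetch_ignored() {
    fake_jx_secret_populate 2>"$1" || true
    return 0
}

# Recipe with the ignore removed: the populate status is the recipe status,
# so a PermissionDenied failure fails the job.
fetch_strict() {
    fake_jx_secret_populate 2>"$1"
}

# Guard for pipelines that must keep ignoring the exit status for now:
# scan the captured log and fail if the secret store rejected access.
# Returns 1 when a permission error is present, 0 when the log is clean.
check_populate_log() {
    if grep -q -e 'PermissionDenied' -e 'secretmanager\.' "$1"; then
        echo "secret populate reported a secret-store permission error; failing the job" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo: the ignored recipe exits 0, the guard still catches it.
log=$(mktemp)
fetch_ignored "$log"
echo "ignored recipe exit status: $?"
check_populate_log "$log" || echo "guard caught the failure (exit $?)"
rm -f "$log"
```

Dropping the ignore (`fetch_strict`) is the real fix for the exit-code problem; the log guard only covers the window until the vendored Makefile changes, and it would still have flagged the run above because the job's stderr contains the `PermissionDenied` line.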
On reflection, letting any PR have admin on all secrets is probably a tad unsafe; so it's probably better to disable populating external secrets on the PRs and do that on the merge to master. So let's try to fix it that way instead: https://github.com/jenkins-x/jx3-versions/issues/2405
Indeed. On PRs I would be much more relaxed if I knew it just updates a git branch. If I close it, there's nothing left behind. I was actually considering adding secret admin rights when I know the PR will generate new secrets.
The initial jx-git-operator boot job populates all secrets correctly as it uses the boot serviceaccount which has `storagemanager.admin`, but externalsecrets are not populated in PR jobs as `tekton-bot` is missing any kind of secretmanager permissions.