using var_sources (vault) with global credentials manager enabled (k8s)

[allandegnan]

Hi,

I think this could be a bug, but I figured it's too obvious so I must be doing something silly.

I have the following pipeline:-

var_sources:
- name: dumb
  type: dummy
  config:
    vars:
      simple: hello!
      user:
        username: big
        password: sekrit

jobs:
- name: do bad thing
  plan:
    - task: expose secret
      config:
        platform: linux
        image_resource:
          type: docker-image
          source:
            repository: debian
            tag: latest
        params:
          FOO: yoyo
        run:
          path: /bin/sh
          args:
            - -c
            - |
                echo  ((dumb:user.username))
                env

I'm deploying with the helm chart 6.0 (tried with 5.8 too) and with kubernetes secrets management enabled globally, it fails to find the secret, appearing to be stuck checking for k8s secrets rather than checking the var_sources, despite (I think) this being explicitly defined.

I assume I'm doing something dumb, but the reason for wanting both available is we're generating client_tokens for vault and dropping them into a teams kubernetes namespace, so the hope would be a rotating secret for vault for the var_source.

concourse.web.kubernetes.enabled=true
---
failed to interpolate task config: var lookup 'dumb:user.username': unable to split kubernetes secret path into [namespace]:[secret]: concourse-main:test.dumb:user

concourse.web.kubernetes.enabled=false
---
big
USER=root
HOME=/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
FOO=yoyo
PWD=/tmp/build/3d301f53

Am I doing something wrong here? Should this work?

[allandegnan]

Responding to myself but this does work if vault is your global secrets manager, so it appears to be specifically broken with kubernetes global creds.

[allandegnan]

Error comes from here:

concourse/atc/creds/kubernetes/secrets.go

Lines 40 to 42 in 37d4934

	if len(parts) != 2 {
	return nil, nil, false, fmt.Errorf("unable to split kubernetes secret path into [namespace]:[secret]: %s", secretPath)
	}

This obviously seems wrong, as I would assume a secret with a prefix, i.e. ((prefixed:secret)) shouldn't be passed to the Global Credentials Manager.

[vito]

Yeah this looks fishy. I'll do some digging and open an issue - thanks!

You're not doing anything dumb, this is just a very experimental feature and you might be literally the first person to attempt to use it with k8s configured.

[vito]

Opened #5413 - this was pretty easy to reproduce thanks to your pipeline snippet!