using var_sources (vault) with global credentials manager enabled (k8s) #5408
-
Hi, I think this could be a bug, but I figured it's too obvious so I must be doing something silly. I have the following pipeline:-
I'm deploying with the helm chart 6.0 (tried with 5.8 too) and with kubernetes secrets management enabled globally, it fails to find the secret, appearing to be stuck checking for k8s secrets rather than checking the var_sources, despite (I think) this being explicitly defined. I assume I'm doing something dumb, but the reason for wanting both available is we're generating client_tokens for vault and dropping them into a team's kubernetes namespace, so the hope would be a rotating secret for vault for the var_source.
Am I doing something wrong here? Should this work?
Replies: 4 comments
-
Responding to myself, but this does work if vault is your global secrets manager, so it appears to be specifically broken with kubernetes global creds.
-
Error comes from here: concourse/atc/creds/kubernetes/secrets.go, lines 40 to 42 in 37d4934.

This obviously seems wrong, as I would assume a secret with a prefix, i.e. `((prefixed:secret))`, shouldn't be passed to the Global Credentials Manager.
-
Yeah, this looks fishy. I'll do some digging and open an issue - thanks! You're not doing anything dumb, this is just a very experimental feature and you might be literally the first person to attempt to use it with k8s configured.
-
Opened #5413 - this was pretty easy to reproduce thanks to your pipeline snippet!