
I'm having some issues when trying to use the HashiCorp Vault template (Kubernetes with Google Kubernetes Engine) with to.be.continuous.

Actually, when I use it with the Google Docker Kaniko layer I get an error message: ... wget: bad address 'vault-secrets-provider'.

It seems that Kaniko doesn't recognize the vault-secrets-provider layer. Would you please help me with this? Or perhaps, where can I ask for some help?

This is a summary of my .gitlab-ci.yml:


  # Kubernetes template
  - project: 'to-be-continuous/kubernetes'
    ref: '2.0.4'
    file: '/templates/gitlab-ci-k8s.yml'
  - project: "to-be-continuous/kubernetes"
    ref: "2.0.4"
    file: "templates/gitlab-ci-k8s-vault.yml"
...

  K8S_DEFAULT_KUBE_CONFIG: "@url@http://vault-secrets-provider/api/secrets/noprod?field=kube_config"


  VAULT_BASE_URL: "http://myvault.myserver.com/v1"


Error Message:

[ERROR] Failed getting secret K8S_DEFAULT_KUBE_CONFIG:
... wget: bad address 'vault-secrets-provider'

I tried many times directly without the Vault layer and Kaniko works OK, I mean without Vault secrets.

How can I accomplish this? I tried modifying the Kaniko template but without success.

I would appreciate any help with this.

1 Answer

To fix your issue, first upgrade the docker template to its latest version (2.3.0 at the time this response was written).

Then depending on your case you have 2 options:

  1. Docker needs to handle some of your secrets managed by Vault: then you shall also activate the Vault variant for Docker.
  2. Docker doesn't need to handle any secret managed by Vault: don't use the Vault variant for Docker; you'll have a warning message from Docker not being able to decode the secret (basically the same as the one you had, but not failing the build).

You shall simply use it in your .gitlab-ci.yml file:

include:
  # Docker template
  - project: 'to-be-continuous/docker'
    ref: '2.3.0'
    file: '/templates/gitlab-ci-docker.yml'
  # Vault variant for Docker (depending on your above case)
  - project: 'to-be-continuous/docker'
    ref: '2.3.0'
    file: '/templates/gitlab-ci-docker-vault.yml'
  # Kubernetes template
  - project: 'to-be-continuous/kubernetes'
    ref: '2.0.4'
    file: '/templates/gitlab-ci-k8s.yml'
  - project: "to-be-continuous/kubernetes"
    ref: "2.0.4"
    file: "/templates/gitlab-ci-k8s-vault.yml"

variables:
  K8S_DEFAULT_KUBE_CONFIG: "@url@http://vault-secrets-provider/api/secrets/noprod?field=kube_config"
  VAULT_BASE_URL: "http://myvault.myserver.com/v1"
pismy
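A pre-commit style check for the situation discussed above, added here as an example (it is not part of the original answer or of to-be-continuous): it lists included templates that lack their Vault variant while variables point at `vault-secrets-provider`. It assumes the `gitlab-ci-<name>.yml` / `gitlab-ci-<name>-vault.yml` file naming seen in the snippets above and scans the text with regular expressions instead of a YAML parser; the function names are hypothetical.

```python
import re

# Constructed sample: the Docker template is included without its Vault
# variant, as in the question (project names and refs copied from the page).
SAMPLE_CI = """\
include:
  - project: 'to-be-continuous/docker'
    ref: '2.3.0'
    file: '/templates/gitlab-ci-docker.yml'
  - project: 'to-be-continuous/kubernetes'
    ref: '2.0.4'
    file: '/templates/gitlab-ci-k8s.yml'
  - project: "to-be-continuous/kubernetes"
    ref: "2.0.4"
    file: "templates/gitlab-ci-k8s-vault.yml"
variables:
  K8S_DEFAULT_KUBE_CONFIG: "@url@http://vault-secrets-provider/api/secrets/noprod?field=kube_config"
"""

# Assumption: a variant file is named like its base template plus "-vault".
FILE_RE = re.compile(r"""^\s*file:\s*['"]?/?templates/gitlab-ci-([\w-]+?)(-vault)?\.yml['"]?\s*$""", re.M)
SECRET_RE = re.compile(r"""^\s*(\w+):\s*['"]?@url@https?://vault-secrets-provider/""", re.M)

def vault_secret_variables(ci_text):
    """Names of variables whose value is fetched from vault-secrets-provider."""
    return SECRET_RE.findall(ci_text)

def templates_missing_vault_variant(ci_text):
    """Template names included without their '-vault' variant file."""
    base, with_vault = set(), set()
    for name, variant in FILE_RE.findall(ci_text):
        (with_vault if variant else base).add(name)
    return sorted(base - with_vault)

def check(ci_text):
    """Return warnings only when Vault-backed variables are in use."""
    secrets = vault_secret_variables(ci_text)
    if not secrets:
        return []
    return [
        f"template '{t}' has no Vault variant included; its jobs will not "
        f"reach vault-secrets-provider for: {', '.join(secrets)}"
        for t in templates_missing_vault_variant(ci_text)
    ]

if __name__ == "__main__":
    for warning in check(SAMPLE_CI):
        print("WARN", warning)
```

A warning is not necessarily an error: as the answer notes, a template that never needs a Vault-managed secret can run without its variant.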