Command substitution for ADMIN_PASSWORD in jenkins helm chart


Joey Freeland

Jan 22, 2020, 11:48:47 PM
to Jenkins Users
Hello,

I'm attempting to use the vault agent sidecar injector https://www.vaultproject.io/docs/platform/k8s/injector/examples/ to inject my adminPassword secret into the jenkins helm chart in kubernetes.  It just drops a file (/vault/secrets/adminPassword) with the secret in it in a shared volume.

I'd like to leave the helm chart as standard as possible and use the standard jenkins/jenkins:lts image, but I'm running into an issue.

I would like to be able to do something to the effect of using this in my helm values file:

adminPassword: "$(cat /vault/secrets/adminPassword)"

But when I exec into the jenkins container, I see that command substitution is not being evaluated, but rather it's being treated as a string.  In the helm chart, https://github.com/helm/charts/blob/master/stable/jenkins/templates/jenkins-master-deployment.yaml#L168, substitution is happening properly to insert the value of the environment variable, but nested substitution is not occurring.  It's not clear to me if this is a sh, tini, gotemplate, or some other issue.

# ps auxww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.0   1148     4 ?        Ss   23:54   0:00 /sbin/tini -- /usr/local/bin/jenkins.sh --argumentsRealm.passwd.admin=$(/bin/cat /vault/secrets/adminpass) --argumentsRealm.roles.admin=admin --httpPort=8080
root         7  130  2.7 4486348 224816 ?      Sl   23:54   0:13 java -Duser.home=/var/jenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -jar /usr/share/jenkins/jenkins.war --argumentsRealm.passwd.admin=$(/bin/cat /vault/secrets/adminpass) --argumentsRealm.roles.admin=admin --httpPort=8080


I suppose it's worth noting that logging in with the password "$(/bin/cat /vault/secrets/adminpass)" does actually work, but this is not what was intended.

I'll keep digging to try to understand where the evaluation is getting lost, but if anyone has ideas and if this can be overcome by some escapes that I'm missing or if there's an all-around better solution, I'd greatly appreciate any pointers.

Take care
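
Added example, not part of the original post or the chart's own code: a simplified Python model of Kubernetes' `$(VAR_NAME)` expansion for container args, followed by an exec-style child start (Kubernetes hands args to the entrypoint without a shell) and a shell-parsed start for contrast. The arg template is an assumption inferred from the `ps` output above; the temp file and the value `constructed-secret` are constructed stand-ins for `/vault/secrets/adminPassword`.

```python
import os
import re
import subprocess
import sys
import tempfile

# Simplified model of Kubernetes' $(VAR_NAME) expansion in container
# command/args: one pass, unknown names left as-is, "$$" escapes to "$".
_REF = re.compile(r"\$\$|\$\(([^)]*)\)")

def k8s_expand(arg, env):
    def repl(m):
        return "$" if m.group(0) == "$$" else env.get(m.group(1), m.group(0))
    return _REF.sub(repl, arg)  # substituted values are never rescanned

def argv_seen_by_child(arg):
    """Exec-style start (no shell): the child receives the string unchanged."""
    probe = "import sys; sys.stdout.write(sys.argv[1])"
    out = subprocess.run([sys.executable, "-c", probe, arg],
                         capture_output=True, text=True, check=True)
    return out.stdout

def argv_after_shell(arg):
    """Same string parsed by sh first, which is what evaluates $(...)."""
    out = subprocess.run(["sh", "-c", 'printf %s "' + arg + '"'],
                         capture_output=True, text=True, check=True)
    return out.stdout

def demo():
    # Constructed secret file standing in for /vault/secrets/adminPassword.
    with tempfile.NamedTemporaryFile("w", suffix=".secret", delete=False) as f:
        f.write("constructed-secret")
    try:
        # Assumed arg template, inferred from the ps output in the post.
        template = "--argumentsRealm.passwd.$(ADMIN_USER)=$(ADMIN_PASSWORD)"
        env = {"ADMIN_USER": "admin",
               "ADMIN_PASSWORD": "$(cat %s)" % f.name}
        expanded = k8s_expand(template, env)
        return expanded, argv_seen_by_child(expanded), argv_after_shell(expanded)
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    for label, value in zip(("kubelet", "exec", "sh -c"), demo()):
        print(f"{label:8} {value}")
```

Even when a shell wrapper evaluates the substitution, the password still ends up in the process arguments, which is where the `ps auxww` output above displays this flag.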

Joey Freeland

Jan 22, 2020, 11:54:07 PM
to Jenkins Users