I am trying to use the berglas webhook with GKE. The Kubernetes setup worked and was tested with sample.yaml, which fetched the secrets. Now I have a few helm charts that don't use a command spec, but I added one that shouldn't do anything other than trigger berglas: ["/bin/sh"]
My _deployment.tpl:

```yaml
{{/*
Default Template for Deployment. All Sub-Charts under this Chart can include the below template.
*/}}
{{- define "helm-adh.deploymenttemplate" }}
{{- $PROJECT_ID := .Values.global.projectId -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "helm-adh.name" . }}
  labels:
    {{- include "helm-adh.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "helm-adh.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "helm-adh.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.global.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ .Values.global.serviceAccount }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "gcr.io/adh-artifactory/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          # entryPoint is a list in values.yaml; toYaml renders it as a proper
          # YAML sequence (the bare {{ .Values.entryPoint }} form only works for
          # single-word entries).
          command:
            {{- toYaml .Values.entryPoint | nindent 12 }}
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          # livenessProbe:
          #   httpGet:
          #     path: /
          #     port: http
          # readinessProbe:
          #   httpGet:
          #     path: /
          #     port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{- if .Values.configMap.enabled }}
          envFrom:
            - configMapRef:
                name: {{ include "helm-adh.name" . }}-configmap
          {{- end }}
          # Each secret becomes an sm:// reference that the berglas webhook resolves.
          env:
            {{- range .Values.secrets }}
            - name: {{ .name }}
              value: sm://{{ $PROJECT_ID }}/{{ .name }}
            {{- end }}
      {{- with .Values.global.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.global.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.global.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
{{- end }}
```
values.yaml of the microservice that doesn't work:

```yaml
replicaCount: 1

nameOverride: "calls-be"
fullnameOverride: ""

entryPoint: ["/bin/sh"]

image:
  repository: calls-be
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: "charts-latest"

service:
  type: ClusterIP
  port: 80
  targetPort: http

resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 2
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

serviceAccount:
  # Specifies whether a service account should be created
  create: false

# insert here environment variables
configMap:
  enabled: true
  data:
    REDIS_HOST: "redie"

secrets:
  - name: EMR_PASSWORD
  - name: TWILIO_ACCOUNT_SID
  - name: TWILIO_API_KEY_SID
  - name: TWILIO_API_KEY_SECRET
  - name: TWILIO_AUTH_TOKEN

podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000
```
By "this doesn't work" I mean that berglas does initiate and fetch the secrets, but the service is stuck in CrashLoopBackOff and doesn't run with these settings; the Dockerfile of that container is nginx without an ENTRYPOINT.

Edit: the namespace the deployment is in does have the needed service account.
berglas exec will run the container command, so if the command is /bin/sh, it will resolve secrets and then start a shell. Without logs, it's very difficult to diagnose.
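An added example, not code from the berglas project or from either participant above, that models the two facts needed to read this CrashLoopBackOff: which argv Kubernetes actually runs once a Pod sets `command` (the documented override rules: a `command` with no `args` discards both the image ENTRYPOINT and its CMD), and that `/bin/sh` launched as a container's process with stdin closed reads EOF and exits immediately, so the wrapped `berglas exec` finishes as soon as the secrets are resolved. The webhook rewrite is modeled from the reply above ("berglas exec will run the container command"); the `/berglas/bin/berglas` path and the nginx image's ENTRYPOINT/CMD are constructed sample values, not taken from the page.

```python
"""Added example: Kubernetes command/args semantics plus a liveness check of
the resulting argv.  Not part of berglas or of the issue author's chart."""
import subprocess
from typing import List, Optional, Tuple

# Constructed sample values for the official nginx image (assumption, for
# illustration): ENTRYPOINT and CMD as they would appear in the image config.
NGINX_ENTRYPOINT = ["/docker-entrypoint.sh"]
NGINX_CMD = ["nginx", "-g", "daemon off;"]

# Assumed location of the berglas binary the webhook injects; the webhook
# rewrite itself ("berglas exec -- <container command>") follows the reply.
BERGLAS_EXEC_PREFIX = ["/berglas/bin/berglas", "exec", "--"]


def effective_argv(image_entrypoint: List[str], image_cmd: List[str],
                   command: Optional[List[str]] = None,
                   args: Optional[List[str]] = None) -> List[str]:
    """Apply the Kubernetes override rules for a container's command/args.

    neither set      -> ENTRYPOINT + CMD
    command only     -> command          (ENTRYPOINT *and* CMD are dropped)
    args only        -> ENTRYPOINT + args
    command and args -> command + args
    """
    if command is None and args is None:
        return list(image_entrypoint) + list(image_cmd)
    if command is not None and args is None:
        return list(command)
    if command is None:
        return list(image_entrypoint) + list(args)
    return list(command) + list(args)


def berglas_wrapped(argv: List[str]) -> List[str]:
    """Model of the webhook rewrite: berglas resolves the sm:// env vars,
    then execs the original argv as its child."""
    return BERGLAS_EXEC_PREFIX + list(argv)


def stays_alive(argv: List[str], seconds: float = 1.5) -> Tuple[bool, Optional[int]]:
    """Launch argv the way a Pod does (no TTY, stdin closed) and report
    (still_running_after_timeout, exit_code_or_None).  A process that returns
    (False, 0) is exactly what the kubelet keeps restarting into CrashLoopBackOff."""
    proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        code = proc.wait(timeout=seconds)
        return False, code
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        return True, None


if __name__ == "__main__":
    # What each entryPoint choice turns into once the Pod spec sets `command`.
    for cmd in (["/bin/sh"], ["/bin/sh", "-c", "nginx -g 'daemon off;'"], None):
        argv = effective_argv(NGINX_ENTRYPOINT, NGINX_CMD, command=cmd)
        print("command=%r\n  container runs: %r\n  after webhook:  %r"
              % (cmd, argv, berglas_wrapped(argv)))
    # Only the shells are executed locally; nginx is not started here.
    print("/bin/sh alone stays alive?      ", stays_alive(["/bin/sh"]))
    print("/bin/sh -c 'sleep 30' stays alive?", stays_alive(["/bin/sh", "-c", "sleep 30"]))
```

Running it shows that `entryPoint: ["/bin/sh"]` makes the container run only `/bin/sh`, which exits with status 0 as soon as stdin hits EOF, whereas a command that carries the long-running process (here modelled with `sleep 30`, in the chart it would be the nginx invocation) keeps the container up after berglas has resolved the secrets.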