Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing secretmanager.admin permissions on tekton-bot #193

Open
sadym opened this issue Apr 19, 2021 · 3 comments
Open

Missing secretmanager.admin permissions on tekton-bot #193

sadym opened this issue Apr 19, 2021 · 3 comments

Comments

@sadym
Copy link

sadym commented Apr 19, 2021

Initial jx-git-operator boot job populates all secrets correctly as it uses boot serviceaccount which has storagemanager.admin, but externalsecrets are not populated in PR jobs as tekton-bot is missing any kind of secretmanager permissions.
@sadym
Copy link
Author

sadym commented Apr 19, 2021

Error is undetected as secret populate exit code is ignored in make-pr task. Log from a fresh jx3 install with terraform/gke/gsm/dns/tls

VAULT_ADDR=https://vault.jx-vault:8200 VAULT_NAMESPACE=jx-vault jx secret populate --source filesystem --secret-namespace jx-vault
WARNING: failed to find secret nexus in namespace jx so cannot resolve template
WARNING: failed to find secret nexus in namespace jx so cannot resolve template
Error: failed to populate secrets: failed to save properties key: tf-jx-heroic-hamster-jx-maven-settings properties: settingsXml, securityXml on ExternalSecret jenkins-maven-settings: error getting GCP secrets manager secret value for secret name tf-jx-heroic-hamster-jx-maven-settings in project test2-adrian-jx: error getting secret value for secret tf-jx-heroic-hamster-jx-maven-settings for GCP secrets manager project test2-adrian-jx: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/test2-adrian-jx/secrets/tf-jx-heroic-hamster-jx-maven-settings/versions/latest' (or it may not exist).
Usage:
  populate [flags]
Examples:
  jx-secret populate
Flags:
  -b, --batch-mode                     Runs in batch mode without prompting for user input
      --boot-secret-namespace string   the namespace to that contains the boot secret used to populate git secrets from
  -d, --dir string                     the directory to look for the .jx/secret/mapping/secret-mappings.yaml file (default ".")
  -f, --filter string                  the filter to filter on ExternalSecret names
      --helm-secrets-dir string        the directory where the helm secrets live with a folder per namespace and a file with a '.yaml' extension for each secret name. Defaults to $JX_HELM_SECRET_FOLDER
  -h, --help                           help for populate
      --log-level string               Sets the logging level. If not specified defaults to $JX_LOG_LEVEL
      --no-wait                        disables waiting for the secret store (e.g. vault) to be available
  -n, --ns string                      the namespace to filter the ExternalSecret resources
      --secret-namespace string        the namespace in which secret infrastructure resides such as Hashicorp Vault (default "jx-vault")
  -s, --source string                  the source location for the ExternalSecrets, valid values include filesystem or kubernetes (default "kubernetes")
      --verbose                        Enables verbose output. The environment variable JX_LOG_LEVEL has precedence over this flag and allows setting the logging level to any value of: panic, fatal, error, warn, info, debug, trace
  -w, --wait duration                  the maximum time period to wait for the vault pod to be ready if using the vault backendType (default 2h0m0s)
error: failed to populate secrets: failed to save properties key: tf-jx-heroic-hamster-jx-maven-settings properties: settingsXml, securityXml on ExternalSecret jenkins-maven-settings: error getting GCP secrets manager secret value for secret name tf-jx-heroic-hamster-jx-maven-settings in project test2-adrian-jx: error getting secret value for secret tf-jx-heroic-hamster-jx-maven-settings for GCP secrets manager project test2-adrian-jx: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/test2-adrian-jx/secrets/tf-jx-heroic-hamster-jx-maven-settings/versions/latest' (or it may not exist).
make[1]: [versionStream/src/Makefile.mk:122: fetch] Error 1 (ignored)

jstrachan added a commit to jstrachan/terraform-google-jx that referenced this issue Apr 20, 2021
@jstrachan
fix: add secretmanager.admin to tekton-bot
a993b63 
so that we can create missing external secrets on PRs to the dev cluster repo

fixes jenkins-x#193
@jstrachan jstrachan mentioned this issue Apr 20, 2021
Closed
@jstrachan
Copy link
Member

on reflection, letting any PR have admin on all secrets is probably a tad unsafe; so its probably better to disable populating external secrets on the PRs and doing that on the merge to master - so lets try fix it that way instead: jenkins-x/jx3-versions#2405

@sadym
Copy link
Author

sadym commented Apr 21, 2021
edited
Loading

Indeed. On PRs I would be much more relaxed If I knew it just updates git branch. If I close it, there's nothing left behind.
I was actually considering to add secret admin rights when I know the PR will generate new secrets.

jstrachan added a commit to jstrachan/terraform-google-jx that referenced this issue Jul 5, 2021
@jstrachan
fix: add secretmanager.admin to tekton-bot
fa15221 
so that we can create missing external secrets on PRs to the dev cluster repo

fixes jenkins-x#193
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: add secretmanager.admin to tekton-bot jstrachan/terraform-google-jx
2 participants
@jstrachan @sadym