
As part of my CD deploy pipe in Google Cloud Build I would like to notify a Slack channel, but I am struggling to use the Secret Manager to supply the secret notification endpoint. This build config is failing on the "Notify" stage with:

curl: (3) URL rejected: Bad hostname

This is my simplified build config:

steps:
  - name: gcr.io/cloud-builders/gcloud
    id: Test # 👈 this works as expected
    entrypoint: bash
    args:
      - -c
      - |
        echo $$SLACK_ENDPOINT
    secretEnv: ['SLACK_ENDPOINT']

  - name: curlimages/curl
    id: Notify
    args:
      - -d
      - '{ "text": "channel test" }'
      - -H
      - Content-type:application/json
      - -X
      - POST
      - $$SLACK_ENDPOINT # 👈 if I replace this with the secret value, it works
    secretEnv: ['SLACK_ENDPOINT']

availableSecrets:
  secretManager:
    - env: 'SLACK_ENDPOINT'
      versionName: projects/$PROJECT_ID/secrets/SLACK_ENDPOINT/versions/2

The secret is a normal looking url which works fine if I use it straight in the config:

https://hooks.slack.com/services/T0redactedK5/B0redactedJX/67redactedMK

I have also tried wrapping the secret with single quotes and got the same error message:

   - POST
   - '$$SLACK_ENDPOINT'

  • I believe the entrypoint might be the problem here. I think the variable doesn't get expanded when using curl directly. From the docs: "Add an entrypoint field pointing to bash to use the bash tool in the build step. This is required to refer to the environment variable for the secret." > cloud.google.com/build/docs/securing-builds/… Commented Sep 24, 2024 at 13:50
  • We just got an issue with curl not working in our build as well. We are using a secret, though I have not tested without it yet. We're using curl from bash in the gcr.io/cloud-builders/gcloud builder though. Commented Sep 24, 2024 at 13:53
  • @ptf curl was removed from cloud-builders/gcloud recently Commented Sep 24, 2024 at 17:35
  • @JannieTheunissen Ah that explains it, thanks! Commented Sep 27, 2024 at 7:29

1 Answer

Thanks @p13rr0m for pointing out that resolving secrets needs an entrypoint context.

The officially recommended curlimages/curl does not support a bash entrypoint, but Cloud Builders have a dedicated image for curl that can take an entrypoint. I got this working:

  # Notify
  - name: 'gcr.io/gcp-runtimes/ubuntu_20_0_4'
    id: Notify
    entrypoint: 'bash'
    args:
      - -c
      - 'curl -d "{ \"text\": \"✅ CMS deployed to $_SERVICE_NAME\" }" -H "Content-type:application/json" -X POST $$SLACK_ENDPOINT'
    secretEnv: ['SLACK_ENDPOINT']
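
Added example, not part of the original answer: a shell demonstration of why the exec-form step hands curl the literal text `$SLACK_ENDPOINT` while the `bash -c` form expands it, with a `notify` helper that rejects an unexpanded value and feeds the URL to curl on stdin so the webhook stays out of the argument list. The sample endpoint and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_ENDPOINT is a constructed
# value; all function names are hypothetical.
SAMPLE_ENDPOINT='https://hooks.slack.com/services/T000EXAMPLE/B000EXAMPLE/constructed'

# Exec form (the failing step): Cloud Build turns "$$SLACK_ENDPOINT" into
# "$SLACK_ENDPOINT" and passes it to the program as a literal argument.
# No shell runs, so nothing looks the variable up in the environment.
exec_form_arg() {
  SLACK_ENDPOINT="$SAMPLE_ENDPOINT" env printf '%s' '$SLACK_ENDPOINT'
}

# Shell form (the working step): the same text reaches a shell, which
# expands it from the environment that secretEnv populated.
shell_form_arg() {
  SLACK_ENDPOINT="$SAMPLE_ENDPOINT" sh -c 'printf "%s" "$SLACK_ENDPOINT"'
}

# Accept only an https Slack webhook URL, so an unexpanded or empty value
# is caught before curl reports "Bad hostname".
is_slack_webhook() {
  case "$1" in
    https://hooks.slack.com/services/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Post plain text (no quotes or backslashes in $1). The URL reaches curl
# through a config read from stdin, written by the shell's builtin printf,
# so the webhook is not in any process argument list and is never echoed.
notify() {
  if ! is_slack_webhook "${SLACK_ENDPOINT:-}"; then
    echo 'SLACK_ENDPOINT is not a Slack webhook URL' >&2
    return 1
  fi
  printf 'url = "%s"\n' "$SLACK_ENDPOINT" |
    curl --fail --silent --show-error --config - \
      -H 'Content-type: application/json' -d "{ \"text\": \"$1\" }"
}

# Report which form yields a usable URL, without printing the value.
for form in exec_form_arg shell_form_arg; do
  if is_slack_webhook "$($form)"; then
    echo "$form: usable URL"
  else
    echo "$form: not a URL"
  fi
done
```

In a build step the functions would be called from the `bash -c` script with `secretEnv: ['SLACK_ENDPOINT']` set, for example `notify "CMS deployed"`.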