Make secrets available for notification templates #3455

Open
eroznik opened this issue Mar 20, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@eroznik
Contributor

eroznik commented Mar 20, 2024

Summary

I'd like to expose secret data in notification templates; this would have to be done here. I'd suggest we do it similarly to what I did on ArgoCD and, if needed, we can add a feature flag to include secrets just conditionally.

Use Cases

This was already done on ArgoCD and it is useful to trigger webhooks that require auth data in payloads.



@eroznik eroznik added the enhancement New feature or request label Mar 20, 2024
eroznik added a commit to eroznik/argo-rollouts that referenced this issue Mar 23, 2024
zachaller pushed a commit that referenced this issue Mar 28, 2024
* feat: expose secrets for notification templates

Signed-off-by: Etien Roznik <[email protected]>

* feat: expose secrets for notification templates

Signed-off-by: Etien Roznik <[email protected]>

---------

Signed-off-by: Etien Roznik <[email protected]>
@oliverkuntze

Hey,

unfortunately this is not working even in the latest release for webhooks.

Given the following secret:

apiVersion: v1
kind: Secret
metadata:
    name: argo-rollouts-notification-secret
    namespace: argo-rollouts
    labels:
        app.kubernetes.io/part-of: argo-rollouts
stringData:
    webhookurl: ENC[AES256_GCM,data:xa/eLqYLZUjYtfra2IJUr1UczzoUGPxeaTW8Vuo/APqJAg1yFRMMNbSkDMVlRSBThVo6uHjQ/ZEin3qS3PQnduXCyOxGmhMOwosaCyaKlJq/Do1UV1HDTklSN2HjSZLyf9YP3LbO,iv:HTAbIhXyYgHdZYCn0KqU4HIviKsz6WhOYnroYhJ85e0=,tag:UgTc8X0mkpy4FkAEeHfDAw==,type:str]
sops:
...

and the following notification:

...
  template.app-config-webhook: |
    webhook:
      app-config:
        method: POST
        path: $webhookurl
...

I am still getting the following controller log:

[DEBUG] POST https://my.ommitted.gitlab.host/$webhookurl

So $webhookurl is not substituted with the value from the secret.

The MR linked in this issue suggests that the enhancement is included in the latest release.

Any help would be greatly appreciated.

Cheers

Oliver

@oliverkuntze

oliverkuntze commented Jul 16, 2024

@eroznik , @zachaller , do you have any ideas what I am doing wrong?

@oliverkuntze

OK, I guess I cannot use the secret substitution in templates.
Switched from the GitLab pipeline trigger API to the pipeline API, where I can set the access token in the header.
Everything is working as expected now.

@eroznik
Contributor Author

eroznik commented Jul 26, 2024

Hey @oliverkuntze , afaik the path template should work.. but you have to use the parameter a bit differently:

  template.app-config-webhook: |
    webhook:
      app-config:
        method: POST
        path: $webhookurl

should be

  template.app-config-webhook: |
    webhook:
      app-config:
        method: POST
        path: `{{ printf "%s" .secrets.webhookurl }}`
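
The difference between the two `path` forms in this thread, as an added example that is not part of the original comments or the project's code. It assumes template fields are rendered with Go's `text/template` (as the `{{ printf ... }}` syntax suggests) with secrets under a `secrets` key; `renderPath`, `unresolved`, `redact`, the `missingkey=error` option and the sample secret value are hypothetical choices made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// placeholder matches a literal "$name" left in rendered output.
var placeholder = regexp.MustCompile(`\$[A-Za-z][\w-]*`)

// renderPath renders one template field with text/template, exposing the
// secrets under the "secrets" key (assumed layout, from `.secrets.webhookurl`).
// missingkey=error is this example's choice: a mistyped key fails loudly.
func renderPath(field string, secrets map[string]string) (string, error) {
	tmpl, err := template.New("path").Option("missingkey=error").Parse(field)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, map[string]interface{}{"secrets": secrets}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// unresolved reports the symptom seen in the controller log: "$name" survived.
func unresolved(rendered string) bool { return placeholder.MatchString(rendered) }

// redact masks secret values before a rendered URL is written to a log.
func redact(s string, secrets map[string]string) string {
	for _, v := range secrets {
		if v != "" {
			s = strings.ReplaceAll(s, v, "[REDACTED]")
		}
	}
	return s
}

func main() {
	// Constructed sample value, not a real path or token.
	secrets := map[string]string{"webhookurl": "hooks/EXAMPLE-TOKEN"}
	fields := []string{"$webhookurl", `{{ printf "%s" .secrets.webhookurl }}`, "{{ .secrets.missing }}"}
	for _, field := range fields {
		got, err := renderPath(field, secrets)
		fmt.Printf("%-42q unresolved=%-5v err=%v log=%q\n", field, unresolved(got), err, redact(got, secrets))
	}
}
```

A secret rendered into the request path appears in any log line that prints the full URL, like the `[DEBUG] POST` line quoted above, so sending the token in a header, as Oliver ended up doing, keeps it out of those logs.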
