This repository was archived by the owner on Jul 26, 2022. It is now read-only.

Default values.yaml for GCP Backend breaks workload identity, also polls frequently which could result in extra costs #370

Closed
saranicole opened this issue May 5, 2020 · 2 comments

Comments

@saranicole
Contributor

saranicole commented May 5, 2020

The helm chart default values file has two settings I have a problem with - the polling frequency is set to 10 seconds - POLLER_INTERVAL_MILLISECONDS, and GOOGLE_APPLICATION_CREDENTIALS is set to /app/gcp-creds/gcp-creds.json

For POLLER_INTERVAL_MILLISECONDS, Google Secret Manager charges $.03 per 10,000 API calls so this could potentially result in unexpected costs if someone uses the default without realizing.

For GOOGLE_APPLICATION_CREDENTIALS, /app/gcp-creds/gcp-creds.json does not exist out of the box, and if you're using workload identity it shouldn't exist. Having this set when using workload identity results in the following error:

sara-test 127m ERROR, The file at /app/gcp-creds/gcp-creds.json does not exist, or it is not a file. ENOENT: no such file or directory, lstat '/app/gcp-creds' 157m

This is hard to override because unsetting a variable that is set in helm requires setting the value to null. I'm using Terraform which uses the set syntax that doesn't permit value to be empty, which is how it interprets a null value for set. I have to pass in the values file separately, which gets merged with the default values file, so leaving out GOOGLE_APPLICATION_CREDENTIALS from my values file doesn't result in it getting purged. The only solution is to set GOOGLE_APPLICATION_CREDENTIALS to null in the values file and pass it in like this:

env:
  GOOGLE_APPLICATION_CREDENTIALS: null

This is a lot of effort to override a value that would need to be changed anyway. This setting should be commented out and added if needed.

I'm unblocked as I have found a path forward overriding these values. I'm mostly looking for feedback here as to whether my suggestions make sense and I suggest it would be a good candidate for a first issue to resolve as it requires minimal changes to the code base.

Edit:
Also saw that the doc is wrong on how to create a secret - it says to pass in gcpProjectId but the code actually takes "projectId". So working YAML looks like this:

apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: my-test
  namespace: kubernetes-external-secrets
spec:
  backendType: gcpSecretsManager
  projectId: my-project
  data:
    - key: testing_test
      name: mysecret
      version: latest
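As an added example (not code from the issue or from the kubernetes-external-secrets chart), the following models the Helm values merge the post describes (an omitted key keeps the chart default, a null value removes it) and then lints the effective env for the two defaults at issue. The price is the one quoted in the post; the one-call-per-ExternalSecret-per-poll model and the 60 s interval threshold are assumptions.

```python
"""Model Helm's values merge and lint the resulting env for the chart defaults
discussed in the issue (added example; constructed defaults, not the real chart)."""
import os

# Constructed stand-in for the chart's values.yaml defaults named in the issue.
CHART_DEFAULTS = {
    "env": {
        "POLLER_INTERVAL_MILLISECONDS": 10000,
        "GOOGLE_APPLICATION_CREDENTIALS": "/app/gcp-creds/gcp-creds.json",
    }
}

SECRET_MANAGER_PRICE_PER_10K = 0.03  # USD per 10,000 API calls, as quoted in the issue
MIN_SANE_INTERVAL_MS = 60000         # assumption: flag anything polling faster than once a minute


def merge_values(defaults, overrides):
    """Mimic Helm's coalescing: overrides win, null deletes a key, nested maps recurse."""
    result = dict(defaults)
    for key, value in overrides.items():
        if value is None:
            result.pop(key, None)  # null unsets the chart default; omission would keep it
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_values(result[key], value)
        else:
            result[key] = value
    return result


def estimate_monthly_cost(interval_ms, secret_count, days=30):
    """Assumes one Secret Manager API call per ExternalSecret per poll."""
    calls = secret_count * days * 24 * 3600 * 1000 / interval_ms
    return calls / 10_000 * SECRET_MANAGER_PRICE_PER_10K


def lint_env(env, secret_count, workload_identity=True):
    """Return findings for the two defaults the issue reports."""
    findings = []
    creds = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if creds is not None and workload_identity:
        findings.append("GOOGLE_APPLICATION_CREDENTIALS is set; it conflicts with workload identity")
    elif creds is not None and not os.path.isfile(creds):
        findings.append(f"credentials file {creds} does not exist on this host")
    interval = env.get("POLLER_INTERVAL_MILLISECONDS", 10000)
    if interval < MIN_SANE_INTERVAL_MS:
        cost = estimate_monthly_cost(interval, secret_count)
        findings.append(f"poll interval {interval} ms: ~${cost:.2f}/month for {secret_count} secret(s)")
    return findings
```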
saranicole pushed a commit to saranicole/kubernetes-external-secrets that referenced this issue May 5, 2020
@saranicole
Contributor Author

Created #371

@saranicole
Contributor Author

My PR is merged and it is good
