As part of my CD deploy pipe in Google Cloud Build I would like to notify a Slack channel, but I am struggling to use the Secret Manager to supply the secret notification endpoint. This build config is failing on the "Notify" stage with:
    curl: (3) URL rejected: Bad hostname
This is my simplified build config:
    steps:
      - name: gcr.io/cloud-builders/gcloud
        id: Test # 👈 this works as expected
        entrypoint: bash
        args:
          - -c
          - |
            echo $$SLACK_ENDPOINT
        secretEnv: ['SLACK_ENDPOINT']
      - name: curlimages/curl
        id: Notify
        args:
          - -d
          - '{ "text": "channel test" }'
          - -H
          - Content-type:application/json
          - -X
          - POST
          - $$SLACK_ENDPOINT # 👈 if I replace this with the secret value, it works
        secretEnv: ['SLACK_ENDPOINT']
    availableSecrets:
      secretManager:
        - env: 'SLACK_ENDPOINT'
          versionName: projects/$PROJECT_ID/secrets/SLACK_ENDPOINT/versions/2
The secret is a normal-looking URL which works fine if I use it straight in the config:

    https://hooks.slack.com/services/T0redactedK5/B0redactedJX/67redactedMK

I have also tried wrapping the secret with single quotes and got the same error message:

          - POST
          - '$$SLACK_ENDPOINT'
Thanks @p13rr0m for pointing out that resolving secrets needs an entrypoint context.
The officially recommended curlimages/curl does not support a bash entrypoint, but Cloud Builders have a dedicated image for curl that can take an entrypoint. I got this working:
    # Notify
    - name: 'gcr.io/gcp-runtimes/ubuntu_20_0_4'
      id: Notify
      entrypoint: 'bash'
      args:
        - -c
        - 'curl -d "{ \"text\": \"✅ CMS deployed to $_SERVICE_NAME\" }" -H "Content-type:application/json" -X POST $$SLACK_ENDPOINT'
      secretEnv: ['SLACK_ENDPOINT']
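
The failure mode in this thread can be caught before a build runs. The following is an added example, not code from the original posts: Cloud Build turns `$$NAME` into a literal `$NAME`, so a step without a `bash -c` style entrypoint hands that literal text to the program. The function name `unexpanded_secret_refs` and the `CONFIG` dict (a constructed, already-parsed stand-in for the build file, with the hypothetical step id `NotifyFixed`) are assumptions.

```python
import re

# Entrypoints that expand $VAR at run time when invoked as `<shell> -c "<script>"`.
SHELLS = {"bash", "sh", "/bin/bash", "/bin/sh"}
# Matches the escaped forms $$NAME and $${NAME} used in Cloud Build args.
SECRET_REF = re.compile(r"\$\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def unexpanded_secret_refs(config):
    """Return (step id, variable) pairs where a secretEnv variable is written
    as $$NAME in args but the step has no shell entrypoint to expand it."""
    findings = []
    for index, step in enumerate(config.get("steps", [])):
        secrets = set(step.get("secretEnv", []))
        args = [str(a) for a in step.get("args", [])]
        # `bash -c "<script>"` lets the shell resolve $NAME from the environment.
        if step.get("entrypoint") in SHELLS and args[:1] == ["-c"]:
            continue
        for arg in args:
            for name in SECRET_REF.findall(arg):
                if name in secrets:
                    findings.append((step.get("id", f"step[{index}]"), name))
    return findings


# Constructed sample mirroring the three steps shown on this page.
CONFIG = {
    "steps": [
        {"name": "gcr.io/cloud-builders/gcloud", "id": "Test",
         "entrypoint": "bash", "args": ["-c", "echo $$SLACK_ENDPOINT\n"],
         "secretEnv": ["SLACK_ENDPOINT"]},
        {"name": "curlimages/curl", "id": "Notify",
         "args": ["-d", '{ "text": "channel test" }', "-H",
                  "Content-type:application/json", "-X", "POST",
                  "$$SLACK_ENDPOINT"],
         "secretEnv": ["SLACK_ENDPOINT"]},
        {"name": "gcr.io/gcp-runtimes/ubuntu_20_0_4", "id": "NotifyFixed",
         "entrypoint": "bash",
         "args": ["-c", 'curl -d "{}" -X POST "$$SLACK_ENDPOINT"'],
         "secretEnv": ["SLACK_ENDPOINT"]},
    ]
}

if __name__ == "__main__":
    for step_id, name in unexpanded_secret_refs(CONFIG):
        print(f"{step_id}: ${name} reaches the program as literal text")
```

The check never reads the secret value, only the variable names declared in `secretEnv`.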