
curl failing in Google Cloud Build when using a secret


As part of my CD deploy pipe in Google Cloud Build I would like to notify a Slack channel, but I am struggling to use the Secret Manager to supply the secret notification endpoint. This build config is failing on the "Notify" stage with:

curl: (3) URL rejected: Bad hostname

This is my simplified build config:

steps:
  - name: gcr.io/cloud-builders/gcloud
    id: Test # 👈 this works as expected
    entrypoint: bash
    args:
      - -c
      - |
        echo $$SLACK_ENDPOINT
    secretEnv: ['SLACK_ENDPOINT']

  - name: curlimages/curl
    id: Notify
    args:
      - -d
      - '{ "text": "channel test" }'
      - -H
      - Content-type:application/json
      - -X
      - POST
      - $$SLACK_ENDPOINT # 👈 if I replace this with the secret value, it works
    secretEnv: ['SLACK_ENDPOINT']

availableSecrets:
  secretManager:
    - env: 'SLACK_ENDPOINT'
      versionName: projects/$PROJECT_ID/secrets/SLACK_ENDPOINT/versions/2

The secret is a normal looking url which works fine if I use it straight in the config:

https://hooks.slack.com/services/T0redactedK5/B0redactedJX/67redactedMK

I have also tried wrapping the secret with single quotes and got the same error message:

      - POST
      - '$$SLACK_ENDPOINT'

Solution

  • Thanks @p13rr0m for pointing out that resolving secrets needs an entrypoint context.

    The officially recommended curlimages/curl does not support a bash entrypoint, but Cloud Builders have a dedicated image for curl that can take an entrypoint. I got this working:

      # Notify
      - name: 'gcr.io/gcp-runtimes/ubuntu_20_0_4'
        id: Notify
        entrypoint: 'bash'
        args:
          - -c
          - 'curl -d "{ \"text\": \"✅ CMS deployed to $_SERVICE_NAME\" }" -H "Content-type:application/json" -X POST $$SLACK_ENDPOINT'
        secretEnv: ['SLACK_ENDPOINT']
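As an added example (not code from the question or the answer), the same notify step as a small script a `bash` entrypoint can run, assuming the step calls it with the service name as its argument (e.g. `args: ['-c', './notify.sh "$_SERVICE_NAME"']`) and exposes the secret through `secretEnv` exactly as above. It fails fast if `SLACK_ENDPOINT` never reached the step or is not a webhook URL, escapes the service name before it lands in the JSON body, and passes the webhook URL to curl on stdin rather than on the command line.

```shell
#!/bin/sh
# notify.sh: run from a Cloud Build step with entrypoint "bash" (or "sh").
# Cloud Build turns "$$" in the config into a literal "$" and only exposes the
# secret as the environment variable SLACK_ENDPOINT; a shell must expand it.
# With entrypoint-less curlimages/curl the literal text "$SLACK_ENDPOINT"
# reached curl, hence "URL rejected: Bad hostname".
set -eu   # -u: stop with a clear error if the secret never reached the step

# Escape backslash and double quote. The same rule serves both a JSON string
# literal and a double-quoted value in a curl config file.
quote_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# JSON body for Slack; the service name is escaped rather than pasted raw.
slack_payload() {   # $1 = service name (Cloud Build's $_SERVICE_NAME)
  printf '{"text": "✅ CMS deployed to %s"}' "$(quote_escape "$1")"
}

# Accept only an https Slack webhook. This catches an unexpanded variable,
# an empty secret or a wrong secret version before anything is sent, and it
# deliberately does not print the value, so the secret stays out of build logs.
check_endpoint() {
  case "$1" in
    https://hooks.slack.com/services/*) return 0 ;;
    *) echo "SLACK_ENDPOINT is not an https Slack webhook URL" >&2; return 1 ;;
  esac
}

# curl -K/--config syntax. Feeding the URL to curl on stdin keeps the webhook
# (which is the credential) off the command line and out of /proc/*/cmdline.
build_curl_config() {   # $1 = webhook URL, $2 = JSON payload
  printf 'url = "%s"\nrequest = "POST"\nheader = "Content-type: application/json"\ndata = "%s"\n' \
    "$(quote_escape "$1")" "$(quote_escape "$2")"
}

notify_slack() {   # $1 = service name; SLACK_ENDPOINT comes from secretEnv
  check_endpoint "$SLACK_ENDPOINT"
  build_curl_config "$SLACK_ENDPOINT" "$(slack_payload "$1")" \
    | curl --fail --silent --show-error --config -
}

# Only send when invoked with the service name, e.g. ./notify.sh "$_SERVICE_NAME"
if [ "$#" -gt 0 ]; then
  notify_slack "$1"
fi
```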