As it turns out, this is a limitation of kubernetes expansion, https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/expansion.md#constraints-and-assumptions.
On Wednesday, January 22, 2020 at 8:48:47 PM UTC-8, Joey Freeland wrote: > > Hello, > > I'm attempting to use the vault agent sidecar injector > https://www.vaultproject.io/docs/platform/k8s/injector/examples/ to > inject my adminPassword secret into the jenkins helm chart in kubernetes. > It just drops a file (/vault/secrets/adminPassword) with the secret in it > in a shared volume. > > I'd like to leave the helm chart as standard as possible and use the > standard jenkins/jenkins:lts image, but I'm running into an issue. > > I would like to be able to do something to the effect of using this in my > helm values file: > > adminPassword: "$(cat /vault/secrets/adminPassword)" > > But when I exec into the jenkins container, I see that command > substitution is not being evaluated, but rather it's being treated as a > string. In the helm chart, > https://github.com/helm/charts/blob/master/stable/jenkins/templates/jenkins-master-deployment.yaml#L168, > > substitution is happening properly to insert the value of the environment > variable, but nested substitution is not occurring. It's not clear to me > if this is a sh, tini, gotemplate, or some other issue. > > # ps auxww > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND > root 1 0.1 0.0 1148 4 ? Ss 23:54 0:00 > /sbin/tini -- /usr/local/bin/jenkins.sh > --argumentsRealm.passwd.admin=$(/bin/cat /vault/secrets/adminpass) > --argumentsRealm.roles.admin=admin --httpPort=8080 > root 7 130 2.7 4486348 224816 ? Sl 23:54 0:13 java > -Duser.home=/var/jenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 > -jar /usr/share/jenkins/jenkins.war > --argumentsRealm.passwd.admin=$(/bin/cat /vault/secrets/adminpass) > --argumentsRealm.roles.admin=admin --httpPort=8080 > > I suppose it's worth nothing that logging in with the password "$(/bin/cat > /vault/secrets/adminpass)" does actually work, but this is not what was > intended. > > I'll keep digging to try to understand where the evaluation is getting > lost, but if anyone has ideas and if this can be overcome by some escapes > that I'm missing or if there's an all-around better solution, I'd greatly > appreciate any pointers. > > Take care > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/ea38ab81-b698-4216-b177-c0f7c0faa05d%40googlegroups.com.
