Fix/gke kubeconfig posix deploy variables #343
Merged
Assisted-by: opencode/github-copilot/claude-opus-4.6
Pull request overview
This PR adjusts the deployer’s GKE kubeconfig generation and legacy deploy-variable validation to behave more consistently across shell environments and CI variable setups.
Changes:
- Refactors `.gke-kubeconfig`’s `gcloud container clusters get-credentials` invocation to avoid using a Bash array and conditionally add `--dns-endpoint`.
- Makes `ensure_deploy_variables()` always validate the legacy variable set instead of validating only when at least one legacy variable is already present.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| templates/functions/gke-kubeconfig.yml | Reworks conditional --dns-endpoint handling without a command array. |
| scripts/src/functions.bash | Makes legacy deploy-variable validation unconditional. |
Comment on lines 66 to 70
| generate_gke_kubeconfig() { | ||
| local gcloud_cmd=( | ||
| gcloud container clusters get-credentials "${K8S_CLUSTER_NAME}" | ||
| --location "${K8S_LOCATION}" | ||
| --project "${GCP_PROJECT_ID}" | ||
| ) | ||
|
|
||
| local dns_flag="" | ||
| if [ "${K8S_USE_DNS_ENDPOINT:-0}" = "1" ]; then | ||
| gcloud_cmd+=(--dns-endpoint) | ||
| dns_flag="--dns-endpoint" | ||
| fi |
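Review bot: `local dns_flag=""` still depends on `local`, which POSIX sh does not define; dash and BusyBox ash accept it, but a stricter `/bin/sh` would reject this line when the function runs. Either drop `local` and use a prefixed name such as `_gke_dns_flag`, or state the supported shells in a comment above `generate_gke_kubeconfig()`. Also, because `dns_flag` starts as an empty string, the place where it is expanded must not pass it as `"${dns_flag}"`, which hands gcloud an empty argument whenever `K8S_USE_DNS_ENDPOINT` is not `1`; `${dns_flag:+"$dns_flag"}` expands to one word or to nothing and does not rely on unquoted word splitting.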
Summary
This PR fixes two bugs introduced by the `gke-kubeconfig` template added in #342.

Fix shell syntax error in non-bash images (`gke-kubeconfig`)
The `generate_gke_kubeconfig()` function used bash-specific array syntax (`local cmd=(...)`, `cmd+=(...)`, `"${cmd[@]}"`) which caused a shell parse error when the function block was evaluated in images running `/bin/sh` (e.g. the `secret_detection` scanner image `registry.gitlab.com/security-products/secrets:7`).

Because the global `before_script` in `.gitlab-ci-template.yml` injects `.gke-kubeconfig` into every job, any job running in a non-bash image would fail at parse time with:

    syntax error: unexpected "(" (expecting "}")

The fix replaces the array-based command construction with a plain POSIX-compatible variable flag approach.

Fix silent no-op in `ensure_deploy_variables`
`ensure_deploy_variables()` had a conditional guard that skipped all validation when every required variable was unset. This meant calling the function with no variables configured was a silent no-op, allowing `create_kubeconfig()` to proceed with empty `KUBE_URL` and `KUBE_TOKEN` and silently produce a broken kubeconfig.

The fix removes the outer `if` guard so the function unconditionally validates all five required variables (`KUBE_NAMESPACE`, `KUBE_URL`, `KUBE_TOKEN`, `CI_ENVIRONMENT_SLUG`, `CI_ENVIRONMENT_URL`) whenever it is called.

Testing
- `secret_detection` job (and any other job running in a non-bash image) no longer fails with a shell syntax error due to the inherited `before_script`.
- `ensure_deploy_variables` with missing variables now always exits with an explicit error message instead of silently passing.
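The two behaviours described above, sketched in POSIX sh as an added example; this is not the project's code, and the function names are hypothetical. `gke_credentials_args` builds the argument list in the positional parameters, which is an alternative to the flag variable the PR chose, and prints the arguments instead of calling gcloud.

```shell
#!/bin/sh
# Added example, not the project's code; function names are hypothetical.

# Print each required variable that is unset or empty, one name per line.
# The subshell body "( ... )" keeps loop variables out of the caller's scope
# without relying on the non-POSIX "local" keyword.
missing_deploy_variables() (
  for name in KUBE_NAMESPACE KUBE_URL KUBE_TOKEN \
              CI_ENVIRONMENT_SLUG CI_ENVIRONMENT_URL; do
    # eval only ever sees the fixed names listed above, never external input.
    eval "value=\${$name:-}"
    [ -n "$value" ] || printf '%s\n' "$name"
  done
)

# Fail closed: validation runs on every call, including when nothing is set.
check_deploy_variables() {
  _missing=$(missing_deploy_variables)
  [ -z "$_missing" ] && return 0
  printf 'ERROR: missing deploy variables: %s\n' \
    "$(printf '%s' "$_missing" | tr '\n' ' ')" >&2
  return 1
}

# POSIX substitute for a Bash array: build the argument list in "$@".
# Each value stays a single word, and no empty argument is passed when the
# optional flag is off.
gke_credentials_args() {
  set -- container clusters get-credentials "${K8S_CLUSTER_NAME:-}" \
    --location "${K8S_LOCATION:-}" --project "${GCP_PROJECT_ID:-}"
  if [ "${K8S_USE_DNS_ENDPOINT:-0}" = "1" ]; then
    set -- "$@" --dns-endpoint
  fi
  printf '%s\n' "$@"   # a real job would run: gcloud "$@"
}
```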