Kubernetes secrets plugin not working with no useful logs

6/9/2019

I deployed drone.io using the helm chart. Builds are working fine. For my secrets I folowed this docs : https://readme.drone.io/extend/secrets/kubernetes/install/

So I created a secret to hold the shared secret key between the plugin and the drone server (sorry for the ansible markups) :

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: drone-kubernetes
data:
  server: {{ server.stdout | b64encode }}
  cert: {{ cert.stdout | b64encode }}
  token: {{ token.stdout | b64encode }}
  secret: {{ secret.stdout | b64encode }}

A deployment for the kubernetes secret plugins :

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: drone
    component: secrets
    release: drone
  name: drone-drone-secrets
spec:
  selector:
    matchLabels:
      app: drone
      component: secrets
      release: drone
  template:
    metadata:
      labels:
        app: drone
        component: secrets
        release: drone
    spec:
      containers:
      - env:
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: secret
              name: drone-kubernetes
        image: docker.io/drone/kubernetes-secrets:linux-arm64
        imagePullPolicy: IfNotPresent
        name: secrets
        ports:
        - containerPort: 3000
          name: secretapi
          protocol: TCP
        volumeMounts:
        - mountPath: /etc/kubernetes/config
          name: kube
      volumes:
      - name: kube
        hostPath:
          path: /etc/kubernetes/admin.conf
          type: File

And a service for that deployement :

apiVersion: v1
kind: Service
metadata:
  labels:
    app: drone
    component: secrets
    release: drone
  name: drone-secrets
spec:
  ports:
  - name: secretapi
    port: 3000
    protocol: TCP
  selector:
    app: drone
    component: secrets
    release: drone
  type: ClusterIP

I patched the drone-server deployment to set the DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT variable.

The pods for the kubernetes-secrets plugins do see the file "/etc/kubernetes/config" as expected and have SECRET_KEY as environnement. And from the drone-server pod :

kubectl exec -i drone-drone-server-some-hash-here -- sh -c 'curl -s $DRONE_SECRET_ENDPOINT'
Invalid or Missing Signature

So far so good. Everything seems setup properly.

Here is my .drone.yml file for my test project :

kind: pipeline
name: default
steps:

- name: kubectl
  image: private-repo.local:5000/drone-kubectl
  settings:
    kubectl: "get pods"
    kubernetes_server:
      from_secret: kubernetes_server
    kubernetes_cert:
      from_secret: kubernetes_cert

image_pull_secrets:
 - kubernetes_server
 - kubernetes_cert

---
kind: secret
name: kubernetes_server
get:
  path: drone-kubernetes
  name: server
---
kind: secret
name: kubernetes_cert
get:
  path: drone-kubernetes
  name: cert
---
kind: secret
name: kubernetes_token
get:
  path: drone-kubernetes
  name: token

Currently the custom plugin drone-kubectl only run the env command to see if I'm getting my secrets, and I dont... What I am missing ?

-- sebt3
drone.io
kubernetes
kubernetes-secrets

1 Answer

6/10/2019

Ok I found my issue using the environement variable DEBUG in the drone-drone-secrets deployment. The error was :

time="2019-06-10T06:29:22Z" level=debug msg="secrets: cannot find secret cert: kubernetes api: Failure 403 secrets \"drone-kubernetes\" is forbidden: User \"system:serviceaccount:toolchain:default\" cannot get resource \"secrets\" in API group \"\" in the namespace \"toolchain\""

So I created this serviceaccount and related role :

apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-drone-secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: drone-drone-secrets
rules:
- apiGroups: [""] 
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-drone-secrets
subjects:
- kind: ServiceAccount
  name: drone-drone-secrets
roleRef:
  kind: Role
  name: drone-drone-secrets
  apiGroup: rbac.authorization.k8s.io

And patched the deployement to use that service account. Now everything works.

-- sebt3
Source: StackOverflow