I deployed drone.io using the helm chart. Builds are working fine. For my secrets I folowed this docs : https://readme.drone.io/extend/secrets/kubernetes/install/
So I created a secret to hold the shared secret key between the plugin and the drone server (sorry for the ansible markups) :
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: drone-kubernetes
data:
server: {{ server.stdout | b64encode }}
cert: {{ cert.stdout | b64encode }}
token: {{ token.stdout | b64encode }}
secret: {{ secret.stdout | b64encode }}
A deployment for the kubernetes secret plugins :
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: drone
component: secrets
release: drone
name: drone-drone-secrets
spec:
selector:
matchLabels:
app: drone
component: secrets
release: drone
template:
metadata:
labels:
app: drone
component: secrets
release: drone
spec:
containers:
- env:
- name: SECRET_KEY
valueFrom:
secretKeyRef:
key: secret
name: drone-kubernetes
image: docker.io/drone/kubernetes-secrets:linux-arm64
imagePullPolicy: IfNotPresent
name: secrets
ports:
- containerPort: 3000
name: secretapi
protocol: TCP
volumeMounts:
- mountPath: /etc/kubernetes/config
name: kube
volumes:
- name: kube
hostPath:
path: /etc/kubernetes/admin.conf
type: File
And a service for that deployement :
apiVersion: v1
kind: Service
metadata:
labels:
app: drone
component: secrets
release: drone
name: drone-secrets
spec:
ports:
- name: secretapi
port: 3000
protocol: TCP
selector:
app: drone
component: secrets
release: drone
type: ClusterIP
I patched the drone-server deployment to set the DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT variable.
The pods for the kubernetes-secrets plugins do see the file "/etc/kubernetes/config" as expected and have SECRET_KEY as environnement. And from the drone-server pod :
kubectl exec -i drone-drone-server-some-hash-here -- sh -c 'curl -s $DRONE_SECRET_ENDPOINT'
Invalid or Missing Signature
So far so good. Everything seems setup properly.
Here is my .drone.yml file for my test project :
kind: pipeline
name: default
steps:
- name: kubectl
image: private-repo.local:5000/drone-kubectl
settings:
kubectl: "get pods"
kubernetes_server:
from_secret: kubernetes_server
kubernetes_cert:
from_secret: kubernetes_cert
image_pull_secrets:
- kubernetes_server
- kubernetes_cert
---
kind: secret
name: kubernetes_server
get:
path: drone-kubernetes
name: server
---
kind: secret
name: kubernetes_cert
get:
path: drone-kubernetes
name: cert
---
kind: secret
name: kubernetes_token
get:
path: drone-kubernetes
name: token
Currently the custom plugin drone-kubectl only run the env command to see if I'm getting my secrets, and I dont... What I am missing ?
Ok I found my issue using the environement variable DEBUG in the drone-drone-secrets deployment. The error was :
time="2019-06-10T06:29:22Z" level=debug msg="secrets: cannot find secret cert: kubernetes api: Failure 403 secrets \"drone-kubernetes\" is forbidden: User \"system:serviceaccount:toolchain:default\" cannot get resource \"secrets\" in API group \"\" in the namespace \"toolchain\""
So I created this serviceaccount and related role :
apiVersion: v1
kind: ServiceAccount
metadata:
name: drone-drone-secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: drone-drone-secrets
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-drone-secrets
subjects:
- kind: ServiceAccount
name: drone-drone-secrets
roleRef:
kind: Role
name: drone-drone-secrets
apiGroup: rbac.authorization.k8s.io
And patched the deployement to use that service account. Now everything works.