Drone Helm chart v2.0.0-rc.9 (1.0.0-rc.5) issue with Vault

#1

Hi All,

I’m evaluating Drone as a CI/CD solultion for our team. I installed Drone on Kubernetes using a helm chart. What I’m trying to do is, I want to store secrets externally (in Vault) as we are already using it. Here’s what I’ve done so far:

  • On the vault side, I’ve created a custom secret path in /drone (through vault secrets enable -path /drone -version=2 kv)
  • I created a custom helm chart separately to install drone-vault. Within the values, I set the env for SECRET_KEY, VAULT_ADDR, VAULT_AUTH_TYPE, VAULT_AUTH_MOUNT_POINT and VAULT_KUBERNTES_ROLE. This chart runs perfectly in a sense that it can authenticate to Vault and get Vault secrets from this pod.
  • On the main vault chart, I added environment of DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT (pointing to the above vault-drone service) under 'server.env

What had me confused was that on the setup tutorials I saw in docs, DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT environments are supposed to be in drone/agent. However, in my current setup, it is agentless and jobs are created as Kubernetes jobs.

The issue I have now is the pipeline cannot retrieve secrets from Vault. There is no logs on drone-vault pods suggesting that it had been accessed.

Can anyone point me in a right direction so that the pipeline jobs/pods will have DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT environment variables in them?

As a reference, here’s my drone helm values.yaml file (reduced to only show the necessary part):

server:
  host: 
  protocol: 
  adminUser: 
  env:
    DRONE_SECRET_SECRET: 
    DRONE_SECRET_ENDPOINT: 

my drone-vault values.yaml file:

image:
  repository: drone/vault
  tag: latest
  pullPolicy: Always

service:
  type: ClusterIP
  port: 3000

env:
  VAULT_ADDR: 
  VAULT_AUTH_TYPE: kubernetes
  VAULT_AUTH_MOUNT_POINT: kubernetes
  VAULT_KUBERNETES_ROLE: 

My .drone.yml file:

kind: pipeline
name: default

steps:
- name: validate
  image: alpine:3.9
  environment:
    FIRSTNAME:
      from_secret: firstname
    LASTNAME:
      from_secret: lastname
  commands:
    - echo $FIRSTNAME
    - printenv | grep NAME

---
kind: secret
name: firstname
get:
  path: drone/data/dummy
  name: first_name

---
kind: secret
name: lastname
get:
  path: drone/data/dummy
  name: last_name

Thanks in advanced for the help.

0 Likes

#2

The release candidate you are using is outdated. You should use drone/drone:1.0.0 instead.

0 Likes

#3

Appreciate the pointer. I wasn’t aware that image existed yet. This now works with drone/drone:1.0.0. It would be great though if drone helm chart is updated to use 1.0.0 and includes drone-vault :slight_smile:

0 Likes

#4

completely agree, however, the Drone team is not involved with the creation or maintenance of the helm chart. I believe there are a few community members of the kubernetes/drone community that are maintaining it.

0 Likes