I run drone on GKE on a cluster with Workload Identity enabled: it’s a very neat way to avoid having to handle service account keys and would make drone just work without configuring secrets (at least from the gcloud side of things)
So far, however, I have not been successful in configuring it, so I wonder if you intend to support it.
What I have done:
- Enabled Workload Identity as in the documentation
- Assigned my GKE service account to the K8S “default” service account in the default namespace (used by the drone jobs) (and tested that it works)
- On drone, tested that it works by running:
```yaml
---
kind: pipeline
type: kubernetes
name: Kapitan Compile

steps:
- name: Configure Docker
  image: google/cloud-sdk:slim
  commands:
  - gcloud auth configure-docker

- name: pull private image
  image: eu.gcr.io/privaterepo/image
  commands:
  - echo "works"

# Doesn't work
- name: publish
  image: plugins/gcr
  settings:
    registry: eu.gcr.io
    repo: eu.gcr.io/private_repo/kapitan
    dockerfile: kapitan/Dockerfile
    tags: latest
    build_args:
    - KAPITAN_RELEASE=0.27.4-ci
```
As you can see, already at this step I am able to configure docker with no need to share any secret.
However, when I try to build and push an image, the job fails. I have tried with both docker and gcr plugins.
unauthorized: You don’t have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
224 time=“2020-06-10T15:46:20Z” level=fatal msg=“exit status 1”
Just to confirm, if I run the exact same command with a traditional secret, it works:
```yaml
steps:
- name: publish
  image: plugins/gcr
  settings:
    registry: eu.gcr.io
    repo: eu.gcr.io/private_repo/kapitan
    dockerfile: kapitan/Dockerfile
    tags: latest
    build_args:
    - KAPITAN_RELEASE=0.27.4-ci
    json_key:
      from_secret: google_credentials

---
kind: secret
name: google_credentials
get:
  path: drone-runner
  name: google_credentials
```
Would you be interested in supporting workload identity? It would make deploying drone to a GKE enabled cluster so much quicker and more secure.
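Since the gcloud step above already shows that the pod can obtain credentials without a key file, the following added script (not from the original post, nor from Drone or the gcr plugin) fetches the short-lived access token that Workload Identity exposes through the GKE metadata server and logs docker in with it, so no json_key secret ever needs to exist; METADATA_URL, REGISTRY and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example: token-based docker login for a pod with Workload Identity.
# Assumes the GKE metadata server is reachable from the pipeline step's pod
# and the K8S service account is bound to a Google service account.
set -eu

# Assumed names: the metadata server's default service-account endpoint and
# the registry host to log into (the post uses eu.gcr.io).
METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
REGISTRY="${REGISTRY:-eu.gcr.io}"

# Ask the metadata server for a short-lived OAuth2 access token. The
# Metadata-Flavor header is mandatory; no service-account key is involved.
fetch_token_json() {
  curl -sSf -H "Metadata-Flavor: Google" "$METADATA_URL/token"
}

# Pull the access_token field out of the metadata server's JSON reply
# (plain string handling so it can be checked offline on a constructed reply).
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Pull expires_in (seconds) out of the same reply, so a long build can
# refuse to start with a token that is about to expire.
extract_expires_in() {
  printf '%s' "$1" | sed -n 's/.*"expires_in" *: *\([0-9]*\).*/\1/p'
}

# The value docker keeps under auths.<registry>.auth in config.json:
# base64("oauth2accesstoken:<token>"), i.e. what `docker login` below writes.
docker_auth_value() {
  printf 'oauth2accesstoken:%s' "$1" | base64 | tr -d '\n'
}

main() {
  json="$(fetch_token_json)"
  token="$(extract_access_token "$json")"
  if [ -z "$token" ]; then
    echo "no access_token from metadata server: is Workload Identity bound to this pod's service account?" >&2
    exit 1
  fi
  # The token is the password; the fixed user name oauth2accesstoken tells the registry so.
  printf '%s' "$token" | docker login -u oauth2accesstoken --password-stdin "https://$REGISTRY"
}

if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as a pipeline step command (`sh wi-docker-login.sh run`) in the same container that then builds and pushes, since each Drone step gets its own container and the login only applies to the docker daemon it was issued against.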