Drone

Kubernetes secrets plugin

I deployed drone.io using the helm chart. Builds are working fine.
For my secrets I followed these docs: https://readme.drone.io/extend/secrets/kubernetes/install/

So I created a secret to hold the shared secret key between the plugin and the drone server (sorry for the Ansible markup):

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: drone-kubernetes
data:
  server: {{ server.stdout | b64encode }}
  cert: {{ cert.stdout | b64encode }}
  token: {{ token.stdout | b64encode }}
  secret: {{ secret.stdout | b64encode }}

A deployment for the Kubernetes secrets plugin:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: drone
    component: secrets
    release: drone
  name: drone-drone-secrets
spec:
  selector:
    matchLabels:
      app: drone
      component: secrets
      release: drone
  template:
    metadata:
      labels:
        app: drone
        component: secrets
        release: drone
    spec:
      containers:
      - env:
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: secret
              name: drone-kubernetes
        image: docker.io/drone/kubernetes-secrets:linux-arm64
        imagePullPolicy: IfNotPresent
        name: secrets
        ports:
        - containerPort: 3000
          name: secretapi
          protocol: TCP
        volumeMounts:
        - mountPath: /etc/kubernetes/config
          name: kube
      volumes:
      - name: kube
        hostPath:
          path: /etc/kubernetes/admin.conf
          type: File

And a service for that deployment:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: drone
    component: secrets
    release: drone
  name: drone-secrets
spec:
  ports:
  - name: secretapi
    port: 3000
    protocol: TCP
  selector:
    app: drone
    component: secrets
    release: drone
  type: ClusterIP

I patched the drone-server deployment to set the DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT variables.

The pods for the kubernetes-secrets plugin do see the file "/etc/kubernetes/config" as expected and have SECRET_KEY in their environment.
And from the drone-server pod:

kubectl exec -i drone-drone-server-some-hash-here -- sh -c 'curl -s $DRONE_SECRET_ENDPOINT'
Invalid or Missing Signature

So far so good. Everything seems set up properly.

Here is my .drone.yml file for my test project:

kind: pipeline
name: default
steps:
#- name: docker
  #image: plugins/docker
  #settings:
    #registry: 192.168.10.200:5000
    #repo: "192.168.10.200:5000/${DRONE_REPO_NAME}"
    #tags: latest
    #insecure: true

- name: kubectl
  image: private-repo.local:5000/drone-kubectl
  settings:
    kubectl: "get pods"
    kubernetes_server:
      from_secret: kubernetes_server
    kubernetes_cert:
      from_secret: kubernetes_cert

image_pull_secrets:
 - kubernetes_server
 - kubernetes_cert
 
---
kind: secret
name: kubernetes_server
get:
  path: drone-kubernetes
  name: server
---
kind: secret
name: kubernetes_cert
get:
  path: drone-kubernetes
  name: cert
---
kind: secret
name: kubernetes_token
get:
  path: drone-kubernetes
  name: token

Currently the custom plugin drone-kubectl only runs the env command to see if I'm getting my secrets, and I don't… What am I missing?
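As an added example, not part of the original post or of Drone itself, here is a Ruby script (Ruby's standard library parses YAML) that cross-checks the kind: secret declarations and from_secret references of a .drone.yml against the keys of the Kubernetes Secret the plugin reads them from. The two manifests inside it are constructed stand-ins for the post's, with placeholder values, and the reported mismatches are the two things such a setup most often gets wrong: a step referencing a secret that no kind: secret document declares, and a declaration whose path/name does not match a key in the Secret.

```ruby
# Added example (not from the original post): cross-check the external secrets a
# .drone.yml declares against the keys present in the Kubernetes Secret the
# plugin reads them from. Inputs below are constructed; only Ruby's stdlib is used.
require 'yaml'
require 'base64'
# Constructed stand-in for the post's drone-kubernetes Secret (placeholder values).
K8S_SECRET = <<~YAML
  apiVersion: v1
  kind: Secret
  metadata: { name: drone-kubernetes }
  data:
    server: #{Base64.strict_encode64('https://k8s.example.invalid:6443')}
    cert: #{Base64.strict_encode64('placeholder-ca-cert')}
    secret: #{Base64.strict_encode64('placeholder-shared-key')}
YAML

# Constructed .drone.yml: one valid reference, one kind: secret pointing at a key
# the Secret does not hold (token), and one from_secret with no declaration.
DRONE_YML = <<~YAML
  kind: pipeline
  name: default
  steps:
  - name: kubectl
    image: private-repo.local:5000/drone-kubectl
    settings:
      kubernetes_server: { from_secret: kubernetes_server }
      kubernetes_token: { from_secret: kubernetes_token }
      kubernetes_cert: { from_secret: kubernetes_cert }
  ---
  kind: secret
  name: kubernetes_server
  get: { path: drone-kubernetes, name: server }
  ---
  kind: secret
  name: kubernetes_token
  get: { path: drone-kubernetes, name: token }
YAML

# Returns from_secret names no kind: secret document declares, and declared
# secrets whose path/name pair does not resolve to a key in the Secret.
def check_secret_refs(drone_yml, k8s_secret)
  docs = YAML.load_stream(drone_yml)
  sec = YAML.safe_load(k8s_secret)
  keys = (sec['data'] || {}).keys
  declared = docs.select { |d| d['kind'] == 'secret' }.map { |d| [d['name'], d['get']] }.to_h
  referenced = docs.select { |d| d['kind'] == 'pipeline' }.flat_map { |d| d['steps'].to_a }
                   .flat_map { |s| (s['settings'] || {}).values }.map { |v| v['from_secret'] if v.is_a?(Hash) }.compact
  missing = declared.select { |_, g| g['path'] != sec['metadata']['name'] || !keys.include?(g['name']) }.keys
  { undeclared: referenced - declared.keys, missing_keys: missing }
end
```

Run it as `ruby check.rb` after swapping the constructed heredocs for the real files; with the sample input it reports kubernetes_cert as undeclared and kubernetes_token as pointing at a missing key.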