Pipeline fails with messages related to secrets in runners

Simple pipeline, Kubernetes runner, set up as per online examples (role bindings, etc.).
Making just a test thing, but it won't work…
Making a push from the developer's VM, all good, then it logs this:

```json
{"level":"debug","msg":"api: read access granted","name":"go_070921","namespace":"devops","request-id":"1xooLGZ85HojeFNjVdX078B2FQf","time":"2021-09-07T16:05:44Z","user.login":"devops","visibility":"public"}
```

and runner logs this:

  • "failed to create secret" error="secrets is forbidden: User "system:serviceaccount:development:default" cannot create resource "secrets" in API group "" in the namespace "development"" namespace=development
  • "failed to delete secret" error="secrets "drone-lcjzvvuk2ht4sr5w18xt" is forbidden: User "system:serviceaccount:development:default" cannot delete resource "secrets" in API group "" in the namespace "development"" namespace=development

drone UI says: go_app - clone: skipped and nothing more…

any ideas community please?

same issue.


```hcl
// https://github.com/drone/charts/tree/master/charts/drone-runner-kube
resource "helm_release" "drone-server" {
  name       = "drone-server"
  repository = "https://charts.drone.io"
  chart      = "drone"
  namespace  = var.namespace
  // TODO: version lock
  dynamic "set" {
    for_each = {
      "fullnameOverride"               = local.drone_svc_name
      "image.tag"                      = "2.4.0"
      "env.DRONE_SERVER_HOST"          = local.drone_server_uri
      "env.DRONE_SERVER_PROTO"         = "https"
      "env.DRONE_RPC_SECRET"           = var.drone_rpc_secret
      "env.DRONE_DATABASE_SECRET"      = var.drone_database_secret
      "env.DRONE_GITHUB_CLIENT_ID"     = var.drone_github_client_id
      "env.DRONE_GITHUB_CLIENT_SECRET" = var.drone_github_client_secret
      "env.DRONE_DATABASE_DRIVER"      = "postgres"
      "env.DRONE_DATABASE_DATASOURCE"  = var.rds_conn_string_drone
      "env.DRONE_S3_BUCKET"            = aws_s3_bucket.drone.id
      "env.DRONE_USER_FILTER"          = "myotherorg\\,myghorg"
      "env.DRONE_GIT_ALWAYS_AUTH"      = true
      "env.DRONE_TRACE"                = true
      "env.DRONE_DEBUG"                = true
      "AWS_ACCESS_KEY_ID"              = aws_iam_access_key.drone_server.id
      "AWS_SECRET_ACCESS_KEY"          = aws_iam_access_key.drone_server.secret
      "AWS_DEFAULT_REGION"             = data.aws_region.current.name
    }
    content {
      name  = set.key
      value = set.value
    }
  }
}

resource "helm_release" "drone-runner" {
  name       = "drone-runner"
  repository = "https://charts.drone.io"
  chart      = "drone-runner-kube"
  namespace  = var.namespace
  // TODO: version lock
  dynamic "set" {
    for_each = {
      "image.tag"                   = "1.0.0-rc.1"
      "env.DRONE_RPC_HOST"          = "${local.drone_svc_name}.${var.namespace}.svc.cluster.local"
      "env.DRONE_RPC_PROTO"         = "http"
      "env.DRONE_RPC_SECRET"        = var.drone_rpc_secret
      "env.DRONE_NAMESPACE_DEFAULT" = "tools"
      "env.DRONE_TRACE"             = true
      "env.DRONE_DEBUG"             = true
    }
    content {
      name  = set.key
      value = set.value
    }
  }
  values = [
    yamlencode({
      "rbac.buildNamespaces" = ["tools"]
    })
  ]
}
```


```
trace msg="secret: database: found matching secret" kind=secret name=slack_webhook thread=17

time="2021-10-13T00:29:55Z" level=debug msg="updated stage to running" build.id=16 build.number=8 repo.id=79 repo.name=lettuce repo.namespace=myorg2 stage.id=16 stage.name=default stage.number=1 thread=17

time="2021-10-13T00:29:55Z" level=error msg="failed to create secret" error="secrets is forbidden: User "system:serviceaccount:tools:drone-runner-drone-runner-kube" cannot create resource "secrets" in API group "" in the namespace "tools"" namespace=tools pod=drone-cvvpk7kp4sshr03keoa2

time="2021-10-13T00:29:56Z" level=debug msg="destroying the pipeline environment" build.id=16 build.number=8 repo.id=79 repo.name=lettuce repo.namespace=imisti stage.id=16 stage.name=default stage.number=1 thread=17

time="2021-10-13T00:30:01Z" level=error msg="failed to delete secret" error="secrets "drone-cvvpk7kp4sshr03keoa2" is forbidden: User "system:serviceaccount:tools:drone-runner-drone-runner-kube" cannot delete resource "secrets" in API group "" in the namespace "tools"" namespace=tools pod=drone-cvvpk7kp4sshr03keoa2
```

cannot create resource "secrets" in API group "" in the namespace "tools"

The Kubernetes pipeline executes inside a Pod, and Drone secrets are injected into Pods as Kubernetes secrets that are created at runtime, using the Kubernetes API. This error indicates you have not given the Kubernetes runner sufficient permission to create a Kubernetes secret in the target namespace.
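The following is an added example, not code from the thread or from the Drone project: a namespaced Role and RoleBinding that grant a runner's ServiceAccount only what it needs in one build namespace (create/delete on Secrets for the runtime-injected pipeline secrets, plus the build Pods), together with a `kubectl auth can-i` check that asks the API server the same question the runner's request did. The namespace `tools` and the ServiceAccount name `drone-runner-drone-runner-kube` are taken from the second post's error line and are assumptions; `drone-runner` as the Role name is also assumed. The verb list for Secrets and Pods follows the drone-runner-kube documentation.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege RBAC for the Drone
# Kubernetes runner in one build namespace, plus the check that reproduces
# the decision behind the "cannot create resource secrets" error.
# Namespace/ServiceAccount names are assumptions taken from the log line.

# Print a Role + RoleBinding scoped to the build namespace. The subject must
# be the exact identity shown in the runner's error message
# (system:serviceaccount:<sa_ns>:<sa>); binding a different account, or the
# same role in a different namespace, leaves the request forbidden.
render_runner_rbac() {
  ns="$1"     # namespace the pipeline Pods run in (DRONE_NAMESPACE_DEFAULT)
  sa_ns="$2"  # namespace where the runner's ServiceAccount lives
  sa="$3"     # runner ServiceAccount name
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: drone-runner
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "delete"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "create", "delete", "list", "watch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-runner
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${sa_ns}
roleRef:
  kind: Role
  name: drone-runner
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Impersonate the ServiceAccount and ask the API server whether it may
# create/delete Secrets in the build namespace. Prints "yes" or "no" per verb
# (kubectl exits non-zero on "no", hence the "|| true" so the loop finishes).
# Needs cluster access; not run by the example itself.
check_runner_rbac() {
  ns="$1"; sa_ns="$2"; sa="$3"
  for verb in create delete; do
    printf '%s secrets in %s: ' "$verb" "$ns"
    kubectl auth can-i "$verb" secrets -n "$ns" \
      --as="system:serviceaccount:${sa_ns}:${sa}" || true
  done
}

# Usage (values constructed from the second post's error line):
#   render_runner_rbac tools tools drone-runner-drone-runner-kube | kubectl apply -f -
#   check_runner_rbac  tools tools drone-runner-drone-runner-kube
```

Run the check before and after applying the manifest: a "no" for `create` or `delete` is exactly the condition that produces the `failed to create secret` / `failed to delete secret` lines above, and it tells you whether the missing piece is the Role, the RoleBinding subject, or the namespace. The first post's error names `system:serviceaccount:development:default`, i.e. the runner Pod is using the namespace's default ServiceAccount rather than a dedicated one, so whichever account appears in your own error line is the one the RoleBinding has to name.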