Drone

[solved] External secret empty, unreliable

I’m trying to use the drone-vault secret plugin(extension?) with some problems.

I am running both the secret container, and the server in Kubernetes(GKE), and there is one external agent on a separate google compute instance, both the agent and the secret plugin connect to the drone server just fine.

The first issue: the secret plugin isn’t called at every commit/build, I’m not sure if the secrets are cached, and this is the intended behavior, but it seems really random.

The second issue: Whenever the plugin is actually called, and the secret is found, the container in the drone pipeline doesn’t get it, or gets an empty string.

I’m using a local fork of drone-vault with slightly more verbose logging, and the secret value is not empty there (at least in the “Find” method). Drone also gets to the “secret: external: found matching secret” trace log, yet the secret is still empty.

The .drone.yml:

kind: pipeline
name: default
     
steps:
     - name: test
       image: alpine
       pull: always
       environment:
           VAULT_TEST:
             from_secret: vaultsecret
           DRONE_TEST:
             from_secret: dronesecret
           NORMAL_ENV: normal env works
       commands:
           - echo $VAULT_TEST 
           - echo $DRONE_TEST
           - echo $NORMAL_ENV

---

kind: secret
name: vaultsecret
get:
  path: mykv/data/drone
  name: some-test

Am I missing something, or is there anything I could debug further?

Edit:

After some hours of trial and error, and source reading, I’ve figured it out.

There were multiple things wrongly configured:

  • The Drone server had no DRONE_AGENTS_ENABLED set, which means, it occasionally wanted to run the pipelines itself, which did not work.
  • The secrets aren’t centralized as I originally thought, and the agent didn’t have the secret plugin configured, though it should have.

As a consequence, when the Drone server wanted to run the pipeline, it queried the secret plugin, but the actual pipeline failed. And when the agent ran the pipeline successfully, it had no idea about the secret plugin, so the secret remained empty.

I support the idea of having some way to figure these out, with even a warning on the UI, that some secrets remained empty, as this RFC states (https://github.com/drone/drone/issues/2423), so that things like this are easier to identify/debug.

Also, the actual agent configuration variables don’t (yet) match the ones in the documentation, namely the DRONE_SECRET_ENDPOINT, and DRONE_SECRET_SECRET.

So if anyone runs into similar problems, as of this post the correct configurations concerning the secret plugins with Drone 1.3.1 are:

drone/vault:

SECRET_KEY={secret_secret_token}
VAULT_ADDR={http://vault.addr:8200}
VAULT_TOKEN={.yourVaultToken}

drone/agent:

DRONE_SECRET_ENDPOINT={http://drone.vault.addr:3000}
DRONE_SECRET_SECRET={secret_secret_token}
1 Like