Drone

Using Kubernetes secrets in Drone installed via helm

Hi there! So I’ve installed the Drone Helm chart following the instructions in the chart repo, and it seems to be running just fine (note: there’s just one pod running, the server, no agents, even though agent configuration is still present in values.yaml).

Now, my next step would be to run the build, of course, and to do that, I need to pass some environment variables down to the build process. The problem is, I have tried various different approaches, but still couldn’t get through. Here’s the pipeline that I have:

---
kind: pipeline
name: drone-test-pipeline

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: username
    PASSWORD:
      from_secret: password
    SOME_VAR:
      from_secret: somevar
  commands:
    - set
    - echo Username is [$USERNAME]
    - echo Password is [$PASSWORD]
    - echo Some var is [$SOME_VAR]

trigger:
  branch:
    - drone-test

---
kind: secret
name: USERNAME
get:
  path: samplesecret
  name: username

---
kind: secret
name: PASSWORD
get:
  path: samplesecret
  name: password

I have, of course, created a “samplesecret” resource in the same namespace:

kind: Secret
apiVersion: v1
metadata:
  name: samplesecret
  namespace: drone
data:
  password: cGFzc3dvcmQ=
  username: YWRtaW4=
type: Opaque

In addition, I’ve also created a “somevar” secret using drone CLI. Unfortunately, this is the only one that gets output via the echo, and that too, as ‘********’

+ echo Username is [$USERNAME]
Username is []
+ echo Password is [$PASSWORD]
Password is []
+ echo Some var is [$SOME_VAR]
Some var is [********]

What am I doing wrong?

A few things jump out.

(1) the chart in Helm stable is broken and does not install the kubernetes runner, which is the only supported method for running Drone on kubernetes. Instead, the stable chart defaults to experimental features that were deprecated almost a year ago.

Due to the poor state of the stable Helm chart, we have decided to provide our own official chart. Just this week, a member of our community began working on a new chart from scratch. It is still a work in progress, see https://github.com/drone/charts

(2) to use kubernetes secrets you need to install the kubernetes secret extension. The stable helm chart does not install the kubernetes secret extension, to my knowledge. The drone/charts repository does have a chart for installing the kubernetes secrets extension.

(3) once the kubernetes runner is properly installed, you need to make sure your yaml configuration file uses the appropriate kind and type. For example:

kind: pipeline
+type: kubernetes
name: drone-test-pipeline
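Putting the three points of the answer above together, a corrected version of the pipeline from the question could look like the following. This is an added example, not part of the original posts or of Drone's own documentation. It assumes the Kubernetes runner and the Kubernetes secrets extension are installed, names each secret resource to match its from_secret reference exactly, and replaces the echo commands with non-empty checks so that secret values are not written to the build log.

```yaml
---
kind: pipeline
type: kubernetes          # without this the pipeline is treated as type docker
name: drone-test-pipeline

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: username
    PASSWORD:
      from_secret: password
    SOME_VAR:
      from_secret: somevar   # repository secret created with the drone CLI
  commands:
    # Fail the step if a secret did not resolve, without printing its value.
    - test -n "$USERNAME"
    - test -n "$PASSWORD"
    - test -n "$SOME_VAR"

trigger:
  branch:
    - drone-test

---
# Assumption: the resource name matches the from_secret reference above.
kind: secret
name: username
get:
  path: samplesecret   # the Kubernetes Secret object from the question
  name: username       # key inside that Secret's data

---
kind: secret
name: password
get:
  path: samplesecret
  name: password
```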

Thanks @ashwilliams1, I’ll try it out when it’s ready.

Sadly, I haven’t been able to find much documentation on how to set up Drone in Kubernetes, so it’s been mostly trial and error for me.

Regarding point 3, I’ve tried with and without the type. The example in the docs doesn’t have it, so I assumed that the runner defaults to kubernetes when running in a cluster.

> The example in the docs doesn’t have it, so I assumed that the runner defaults to kubernetes when running in a cluster.

when no type is defined the system assumes the pipeline is of type docker, for legacy reasons. The type parameter, and multiple runners, were introduced in 1.2 and we did not want to break existing configurations.

we cannot introduce any breaking changes to 1.x, but it would make sense in 2.x to throw an exception when the type is blank. That would certainly help in situations like this.

the examples in the kubernetes runner documentation should otherwise include the type:
https://kube-runner.docs.drone.io/

> Sadly, I haven’t been able to find much documentation on how to set up Drone in Kubernetes, so it’s been mostly trial and error for me.

we do provide a manifest for the kubernetes runner in the kubernetes documentation:
https://kube-runner.docs.drone.io/installation/installation/#step-3-install

we do not provide a manifest for the server which means you would need to convert the “docker run” command in the install docs to a manifest:
https://docs.drone.io/installation/providers/github/#step-4-start-the-server

Thanks a lot for the explanation @ashwilliams1

I have a few questions regarding using the Kubernetes runner to close it off:

  1. Is this an officially recommended/supported way to run Drone at this point, or is it better to use a docker based set-up?
  2. Is there a way to specify the CPU and memory requests/limits values for the job pods, or are they always using the namespace/cluster defaults?
  3. Back to my original question of using Kubernetes secrets, you (and the documentation) mention that an extension has to be installed, but I couldn’t find any information regarding that. The drone/charts repo doesn’t have any actual charts at all at this point. Also, is this an extension for the runner or the server?

Thanks again for your help anyway!

> Is this an officially recommended/supported way to run Drone at this point?

Yes, the Kubernetes runner is the only supported option for executing pipelines inside your Kubernetes cluster. Installing the Docker runner on Kubernetes is possible, but is not supported.

> Is there a way to specify the CPU and memory requests/limits values for the job pods, or are they always using the namespace/cluster defaults?

Yes, see https://docs.drone.io/pipeline/kubernetes/syntax/steps/#resources

> Back to my original question of using Kubernetes secrets, you (and the documentation) mention that an extension has to be installed, but I couldn’t find any information regarding that.

See https://docs.drone.io/runner/extensions/kube/

Thanks @ashwilliams1 and sorry for asking the questions that have answers in the docs. Guess I had some troubles navigating it—I’ll try to recap those and submit some issues to the docs repo later. It would definitely benefit from a few more cross-links (e.g. the page explaining the usage of Kubernetes secrets mentions the extension but doesn’t have the link to the page describing its installation) and maybe some pipeline examples containing all possible options for a given runner.

Anyhow the first question was more like “is running Drone in Kubernetes the right thing in the long term” rather than “is using Kubernetes runner the right way to use Drone in Kubernetes”, but I guess you’ve cleared my doubts, thank you.

> See https://docs.drone.io/runner/extensions/kube/

I understand that this extension will mostly be used together with Drone Kubernetes runner, and the Helm chart to install this extension has just been pushed yesterday to https://github.com/drone/charts/tree/master/charts/drone-kubernetes-secrets, but the page itself is somewhat confusing. It gives an example of docker run command, but is it actually intended to be run that way? And if yes, how is it supposed to connect to a cluster to retrieve the secrets?