1.0.0-rc.1: Kubernetes secrets: Invalid signature

flah00 · November 28, 2018, 3:52pm

Heyoo

I’ve got a working drone installation. I am now trying to button up the kubernetes secrets add-on. New jobs fail to create the environment variables I’ve defined in my yaml. I was unable to obtain error logs from kubernetes-secrets, until I turned on debug logging (DEBUG=true). The error is time="2018-11-28T15:22:52Z" level=debug msg="secrets: invalid signature in http.Request". I’ve checked the agent and secrets SECRET_KEY, they match. Is there anything else I might’ve missed?

drone.yml

kind: pipeline
name: default
steps:
  - name: test
    image: clojure
    pull: always
    commands:
      - env
      - ./scripts/test.sh
    environment:
      POSTGRES_PORT_5432_TCP_ADDR: postgres
      POSTGRES_PORT_5432_TCP_PORT: 5432
      REDIS_PORT_6379_TCP_ADDR: redis
      REDIS_PORT_6379_TCP_PORT: 6379
      LEIN_USERNAME:
        from_secret: aws_key_id
      LEIN_PASSPHRASE:
        from_secret: aws_secret
services:
  - name: redis
    image: redis:3
  - name: postgres
    image: postgres:9.6-alpine
---
kind: secret
external_data:
  aws_key_id:
    path: drone-secrets
    name: aws_key_id_prod
  aws_secret:
    path: drone-secrets
    name: aws_secret_prod

agent config

      DRONE_RPC_SERVER: http://drone-drone
      DRONE_RPC_SECRET: <set to the key 'secret' in secret 'drone-drone'>  Optional: false
      DRONE_SECRET_ENDPOINT: http://drone-drone-secrets:3000
      SECRET_KEY: <set to the key 'secretService' in secret 'drone-drone'>  Optional: false
      DOCKER_HOST: tcp://localhost:2375
      DRONE_LOGS_DEBUG: true
      DRONE_RPC_DEBUG: true

kubernetes-secrets config

      SECRET_KEY: <set to the key 'secretService' in secret 'drone-drone'>  Optional: false
      DEBUG: true
      KUBERNETES_CONFIG: /etc/kubernetes/config
      KUBERNETES_NAMESPACE: drone

bradrydzewski · November 28, 2018, 4:16pm

looks like you are using the wrong environment variable to pass the secret to drone:

      DRONE_RPC_SERVER: http://drone-drone
      DRONE_RPC_SECRET: <set to the key 'secret' in secret 'drone-drone'>  Optional: false
      DRONE_SECRET_PLUGIN_ENDPOINT: http://drone-drone-secrets:3000
+     DRONE_SECRET_PLUGIN_TOKEN: xxxxx
-     SECRET_KEY: <set to the key 'secretService' in secret 'drone-drone'>  Optional: false
      DOCKER_HOST: tcp://localhost:2375
      DRONE_LOGS_DEBUG: true
      DRONE_RPC_DEBUG: true

flah00 · November 28, 2018, 5:27pm

Doh! Shoulda caught that, thanks for the extra set of eyes. That resolved my initial issue.

Now I’m told that the requested key does not exist. I have installed drone into its own namespace, called drone. I set the env var in kubernetes secrets to KUBERNETES_NAMESPACE=drone. The kube config I install defines three clusters (dev, prod, staging), but the default context is set to the cluster drone is running on (dev). The secret is named drone-secrets and it is in the drone namespace.

time="2018-11-28T16:59:14Z" level=debug msg="secrets: cannot find secret aws_key_id_prod: invalid or missing secret key"
time="2018-11-28T16:59:14Z" level=debug msg="secrets: cannot find secret aws_secret_prod: invalid or missing secret key"

secret

apiVersion: v1
kind: Secret
metadata:
  namespace: drone
  name: drone-secrets
type: Opaque
stringData:
  aws_key_id_prod: ...
  aws_secret_prod: ...
  aws_key_id_dev: ...
  aws_secret_dev: ...

drone yaml

...
    environment:
      LEIN_USERNAME:
        from_secret: aws_key_id
      LEIN_PASSPHRASE:
        from_secret: aws_secret
---
kind: secret
external_data:
  aws_key_id:
    path: drone-secrets
    name: aws_key_id_prod
  aws_secret:
    path: drone-secrets
    name: aws_secret_prod

flah00 · November 28, 2018, 6:03pm

The chart was missing permissions to access secrets, I added it. But I’m still getting the same error.

- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get

flah00 · November 28, 2018, 11:27pm

@bradrydzewski
Tcpdump shows me there’s a mismatch, between what the agent sends and what the plugin expects. It seems the drone/drone-kubernetes-secrets expects a request with secret#key and the agent sends each in their own field. I managed to fix this issue locally, but I lack a familiarity with the dep command to completely fix the issue and open a PR (I ran dep ensure -update github.com/drone/drone-go but it still updated a bunch of other stuff).

https://github.com/drone/drone-kubernetes-secrets/compare/master...Adaptly:pc-update-deps?

Anyway, I hope to get my go chops up to snuff soon, so I can contribute in more meaningful ways, in the future.

rvora · February 6, 2019, 7:17pm

I am seeing the same behavior. @bradrydzewski was this fixed in 1.0 rc5?

@flah00 how did you fix this locally? I am guessing you did a local code fix and build your own agent or plugin docker image?

bradrydzewski · February 11, 2019, 9:07pm

I merged the patch from flah00 that updates drone-go and published a new Docker image. I would expect this issue to now be resolved.