I’m evaluating Drone as a CI/CD solution for our team. I installed Drone on Kubernetes using a helm chart. What I’m trying to do is store secrets externally (in Vault), as we are already using it. Here’s what I’ve done so far:
- On the Vault side, I’ve created a custom secret path in /drone (through vault secrets enable -path /drone -version=2 kv)
- I created a custom helm chart separately to install drone-vault. Within the values, I set the env for SECRET_KEY, VAULT_ADDR, VAULT_AUTH_TYPE, VAULT_AUTH_MOUNT_POINT and VAULT_KUBERNETES_ROLE. This chart runs perfectly, in the sense that it can authenticate to Vault and get Vault secrets from this pod.
- On the main vault chart, I added the environment variables DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT (pointing to the above vault-drone service) under
What confused me was that in the setup tutorials I saw in the docs, the DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT environment variables are supposed to be set on drone/agent. However, my current setup is agentless and jobs are created as Kubernetes jobs.
The issue I have now is that the pipeline cannot retrieve secrets from Vault. There are no logs on the drone-vault pods suggesting it has been accessed.
Can anyone point me in the right direction so that the pipeline jobs/pods will have the DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT environment variables in them?
As a reference, here’s my drone helm values.yaml file (reduced to only show the necessary part):
server:
  host:
  protocol:
  adminUser:
  env:
    DRONE_SECRET_SECRET:
    DRONE_SECRET_ENDPOINT:
my drone-vault values.yaml file:
image:
  repository: drone/vault
  tag: latest
  pullPolicy: Always
service:
  type: ClusterIP
  port: 3000
env:
  VAULT_ADDR:
  VAULT_AUTH_TYPE: kubernetes
  VAULT_AUTH_MOUNT_POINT: kubernetes
  VAULT_KUBERNETES_ROLE:
My .drone.yml file:
steps:
- name: validate
  image: alpine:3.9
  environment:
    FIRSTNAME:
      from_secret: firstname
    LASTNAME:
      from_secret: lastname
  commands:
  - echo $FIRSTNAME
  - printenv | grep NAME
---
kind: secret
name: firstname
get:
  path: drone/data/dummy
  name: first_name
---
kind: secret
name: lastname
get:
  path: drone/data/dummy
  name: last_name
Thanks in advance for the help.
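A check that separates "the extension is not being called" from "the extension is called but fails": talk to the drone-vault service directly, the way the runner would. The script below is an added example, not code from the original post or from the Drone project. It assumes (from my reading of the drone-go plugin client, not confirmed by the post) that Drone POSTs a JSON body with name, path, repo and build to the extension endpoint and signs the (request-target), date and digest headers with HMAC-SHA256 keyed by the shared secret (the DRONE_SECRET_SECRET value), in the http-signatures draft format. The endpoint URL, secret value and repo slug are placeholders; the verify function mirrors what the extension does on receipt so the signing logic can be tested offline.

```python
"""Hand-roll the signed request Drone sends to a secret extension.

Added example, not part of the original post or of drone-vault. The wire
format (JSON body, HMAC-SHA256 http-signature over "(request-target)",
"date" and "digest", keyId "hmac-key") is my understanding of the
drone-go plugin client and is an assumption, not confirmed by the post.
"""
import base64
import hashlib
import hmac
import json
import sys
import urllib.request
from email.utils import formatdate
from urllib.parse import urlsplit

SIGNED_HEADERS = ("(request-target)", "date", "digest")


def _signing_string(method, path, headers):
    """Build the http-signature signing string for the covered headers."""
    lines = []
    for name in SIGNED_HEADERS:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name.title()]}")
    return "\n".join(lines)


def _digest(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def sign_request(secret, method, path, body, date=None):
    """Return the headers the runner attaches: Date, Digest, Authorization."""
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Date": date or formatdate(usegmt=True),
        "Digest": _digest(body),
    }
    mac = hmac.new(secret.encode(), _signing_string(method, path, headers).encode(),
                   hashlib.sha256).digest()
    headers["Authorization"] = (
        'Signature keyId="hmac-key",algorithm="hmac-sha256",'
        f'headers="{" ".join(SIGNED_HEADERS)}",'
        f'signature="{base64.b64encode(mac).decode()}"'
    )
    return headers


def verify_request(secret, method, path, body, headers):
    """What the extension side does: check the body digest, then the HMAC."""
    if not hmac.compare_digest(headers.get("Digest", ""), _digest(body)):
        return False
    auth = headers.get("Authorization", "")
    if not auth.startswith("Signature "):
        return False
    params = dict(p.split("=", 1) for p in auth[len("Signature "):].split(","))
    sig = base64.b64decode(params["signature"].strip('"'))
    mac = hmac.new(secret.encode(), _signing_string(method, path, headers).encode(),
                   hashlib.sha256).digest()
    return hmac.compare_digest(sig, mac)


def secret_request(name, path, repo_slug="octocat/hello-world"):
    """Request body for one external secret (field names assumed, see header)."""
    owner, repo = repo_slug.split("/", 1)
    return json.dumps({
        "name": name,
        "path": path,
        "repo": {"slug": repo_slug, "namespace": owner, "name": repo},
        "build": {"event": "push", "branch": "master"},
    }).encode()


def fetch_secret(endpoint, secret, name, path):
    """POST a signed secret request and return (status, response body)."""
    body = secret_request(name, path)
    url = urlsplit(endpoint)
    headers = sign_request(secret, "POST", url.path or "/", body)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # e.g. kubectl port-forward svc/drone-vault 3000:3000, then:
    # python3 check_ext.py http://127.0.0.1:3000 <DRONE_SECRET_SECRET> firstname drone/data/dummy
    ep, shared_secret, secret_name, secret_path = sys.argv[1:5]
    print(*fetch_secret(ep, shared_secret, secret_name, secret_path))
```

If this direct call shows up in the drone-vault logs and returns the value, the extension and its Vault auth are fine and the problem is on the runner side (the component creating the Kubernetes jobs is the one that must carry the endpoint and secret). If the call is rejected with a signature error, the shared secret on the two sides does not match.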