Drone-kubernetes-secrets not formatted correctly

Drone Support
1

Hi,
I’ve spent a few hours banging my head against this wall. And now I believe drone-kubernetes-secrets does not export secrets correctly.

I get errors when I use secrets extracted with drone-kubernetes-secrets, I believe this is due to a trailing new-line that’s inserted for some reason.

I have a pipeline like this that works:

Summary 
---
kind: pipeline
type: kubernetes
name: default

steps:
  - name: build kaniko
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run
    commands:
      - sleep 5 # give docker enough time to start
      - cd kaniko/
      - echo "$(echo $CI_REGISTRY_PASSWORD)" | docker login $CI_REGISTRY -u "$CI_REGISTRY_USER"  --password-stdin
      - docker build . -t $CI_REGISTRY_IMAGE:$CI_TAG
      - docker push $CI_REGISTRY_IMAGE:$CI_TAG
    environment:
      CI_REGISTRY: https://harbor.default.cluster.lukasj.org
      CI_REGISTRY_USER:
        from_secret: username
      CI_REGISTRY_PASSWORD:
        from_secret: token
      CI_REGISTRY_IMAGE: harbor.default.cluster.lukasj.org/plugins/kaniko
      CI_TAG: latest


services:
  - name: docker
    image: docker:dind
    privileged: true
    volumes:
      - name: dockersock
        path: /var/run

volumes:
  - name: dockersock
    temp: {}

---
kind: secret
name: username
get:
  path: plugins-registry-sa
  name: username

---
kind: secret
name: token
get:
  path: plugins-registry-sa
  name: token

However, if I would change:
echo “$(echo $CI_REGISTRY_PASSWORD)” | docker login $CI_REGISTRY -u “$CI_REGISTRY_USER” --password-stdin
To:
echo $CI_REGISTRY_PASSWORD | docker login $CI_REGISTRY -u “$CI_REGISTRY_USER” --password-stdin
Then it no longer works because of invalid credentials. I believe this is because the password somehow gets some whitespace inserted somewhere along the line.

My Kubernetes secret is defined as:

apiVersion: v1
kind: Secret
type: Opaque

metadata:
  name: plugins-registry-sa
  namespace: drone

data:
  username: "cm9ib3QkZHJvbmUtY2kK"
  token: "ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmxlSEFpT2pFMk1UWXpNVGt6TURNc0ltbGhkQ0k2TVRVNE5EYzRNek13TXl3aWFYTnpJam9pYUdGeVltOXlMWFJ2YTJWdUxXUmxabUYxYkhSSmMzTjFaWElpTENKcFpDSTZOU3dpY0dsa0lqb3pOU3dpWVdOalpYTnpJanBiZXlKU1pYTnZkWEpqWlNJNklpOXdjbTlxWldOMEx6TTFMM0psY0c5emFYUnZjbmtpTENKQlkzUnBiMjRpT2lKd2RYTm9JaXdpUldabVpXTjBJam9pSW4wc2V5SlNaWE52ZFhKalpTSTZJaTl3Y205cVpXTjBMek0xTDJobGJHMHRZMmhoY25RdGRtVnljMmx2YmlJc0lrRmpkR2x2YmlJNkltTnlaV0YwWlNJc0lrVm1abVZqZENJNklpSjlYWDAud0o0Umd2RDF0Z2c4eE9rQ1ZLS3Y2QXdGYWJwSE9kUGN6YTRjaEhiM3huc2d6MXFXLXJIVjhBaW4zaXViay1rUjFRakg3NVVVa0RqY2Rqa3QtRC04cVdHM2prYUo4c0lNRlFXY1U0WUdzUUw1UUdwTi00UXVyVmJySjg2Ry0xeGJlOEZPU0ZYZnNKcXpJbDVSOXZYWkw4UllMOHMyaVQxTlp3MVNQc3NhZm8wNUJHVEswMi1vX090elhrUlBvVzNBLW5fUUJJOXZSQXJrVEQzQzh3MFAxRG1fb3QyRjZYTkFBUWQ2X0c0YkNuVmp6Uk0ydHR3emstVjZnSkdhUFVzRUhFSXdpUENFN2Y2bmxvWnlISTlqZ2dGNjdXSXJNVXZZQ0s1VFdPY2ltNWVsWUJHWUR3MlJmODI2RmFvOE1RNEVTMEtZdkxoeEtTSkU0TTVYd0N6eW90eUxyR2pVaGFqRDdNMzI1VHl4UWdiTEFWZGgzdlVLQmZVazkwY25sRXM3OTVfa21xOTBUQUNDbDVYTHZMOEQwUWJwbHdnMVVZOUNrYjUtRTRYNUU3U3l6UC1hRm5SY0dYUjBLTDFvQzN1aTkxTGFmOGEwLXk3b084bjFaT25MaGZ2M0pEMU9MUHpEdmVOcjlvVFh1V2pabWdMZ09hbjBYS0FKb1FobXNmWEthaERfaE9IbUxVSTc3YlZ3VmtIOTFHNk9ZeXJ6U2JYbDVGcmZkd1lydlFuVDdidjROeFNiamd4Q3N2a0dYTklNaGhZTG1xUkZVMGJvMEtMUGVCZlgwd1l0T2ZOVWlvYUJpS2c4SHk1RHpOMU54THNtSWsyQ3dZb3NvQkd1MklqNVdpNGV0OWdpQTdxdHJEWGxlQ3lBdmZrOG9jd3pTdzRYQnlmNFVMNnQ1bG8K"
2

The kubernetes secret runner does not append a trailing slash anywhere in the code. The code itself is quite readable if you would like to audit:

Perhaps the problem is that you are using echo without the echo -n flag? The -n flag prevents a newline from being added to echo statements.

3

You are right, sorry.

I thought I had covered my bases, but the issue was in the generation of my secrets.
All the different tools I tried to verify the generation of my tools all trimmed the whitespace away so I thought I had sanity-checked the secret values being inserted.