Drone-vault plugin - missing vault address

Hi,
I’m trying to get the drone-vault plugin to work, but despite the VAULT_ADDR environment variable having been set, the pod doesn’t start, with a ‘missing vault address’ warning followed by “Post /v1/auth//login: unsupported protocol scheme ""”.

I’m on a 1.19 EKS cluster with the vault-operator injecting the VAULT_ environment variables into the pod. I have also tried setting them manually but that too is giving the same errors.

This is the config of the deployment:

template:
  metadata:
    labels:
      app: drone-vault-plugin
    annotations:
      vault.security.banzaicloud.io/vault-addr: https://vault.foobar.net
      vault.security.banzaicloud.io/vault-path: foobar-path
      vault.security.banzaicloud.io/vault-role: kubernetes-foobar-readonly
  spec:
    containers:
    - args:
      - /bin/drone-vault
      command:
      - /vault/vault-env
      env:
      - name: DRONE_DEBUG
        value: "true"
      - name: DRONE_SECRET
        value: vault:secret/data/foobar/drone#foobar-secret
      - name: VAULT_ADDR
        value: https://vault.foobar.net
      - name: VAULT_AUTH_TYPE
        value: kubernetes
      - name: VAULT_KUBERNETES_ROLE
        value: drone
      - name: VAULT_ADDR
        value: https://vault.foobar.net
      - name: VAULT_SKIP_VERIFY
        value: "false"
      - name: VAULT_AUTH_METHOD
        value: jwt
      - name: VAULT_PATH
        value: foobar-path
      - name: VAULT_ROLE
        value: kubernetes-foobar-readonly
      - name: VAULT_IGNORE_MISSING_SECRETS
        value: "false"
      - name: VAULT_ENV_PASSTHROUGH
      - name: VAULT_JSON_LOG
        value: "false"
      - name: VAULT_CLIENT_TIMEOUT
        value: 10s
      - name: VAULT_LOG_LEVEL
        value: debug
      image: drone/vault:1.2.0

which results in this log:

$ kubectl logs drone-vault-plugin-84689c6c45-gj6lp
time="2021-11-29T16:03:27Z" level=info msg="received new Vault token" app=vault-env
time="2021-11-29T16:03:27Z" level=info msg="initial Vault token arrived" app=vault-env
time="2021-11-29T16:03:27Z" level=info msg="spawning process: [/bin/drone-vault]" app=vault-env
time="2021-11-29T16:03:27Z" level=warning msg="missing vault address"
time="2021-11-29T16:03:27Z" level=debug msg="kubernetes: reading account token" path=/var/run/secrets/kubernetes.io/serviceaccount/token
time="2021-11-29T16:03:27Z" level=debug msg="kubernetes: requesting vault token" endpoint=/v1/auth//login
time="2021-11-29T16:03:27Z" level=error msg="kubernetes: cannot request vault token" endpoint=/v1/auth//login error="Post /v1/auth//login: unsupported protocol scheme \"\""
time="2021-11-29T16:03:27Z" level=fatal msg="Post /v1/auth//login: unsupported protocol scheme \"\""

As the pod ends up in a crashloop and doesn’t even start, I can’t really ssh into it to troubleshoot, but does anyone have any suggestions as to what may be causing this?

I did check the source to see if I missed anything but couldn’t find anything obvious.

Thanks

Apologies, I think the environment variables are not actually set correctly by the vault-operator so I’m looking at that first.

A few hours of troubleshooting later and I think it’s safe to conclude the plugin and the vault-operator injection don’t like each other.
I have now removed the vault-operator annotations and hardcoded the DRONE_SECRET value and managed to get it to work. Note I did also have to add env VAULT_AUTH_MOUNT_POINT and set that to the value the vault.security.banzaicloud.io/vault-path annotation was set to.

This isn’t ideal as I can’t get the DRONE_SECRET from Vault anymore, but it’s better than not being able to use Vault integration in the pipelines.
If someone has a way of using both then please let me know.
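
An added example, not part of the original posts and not the plugin's own code: a small Go preflight check that reproduces the logged endpoint `/v1/auth//login` from an empty address and an empty auth mount, and reports which setting is missing from the process's own environment. The endpoint format is an assumption inferred from the log lines above, and requiring `https` is this example's policy rather than something the plugin enforces.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
)

// loginEndpoint joins address and auth mount the way the logged endpoint
// suggests (assumption inferred from "endpoint=/v1/auth//login").
func loginEndpoint(addr, mount string) string {
	return fmt.Sprintf("%s/v1/auth/%s/login", addr, mount)
}

// preflight returns one finding per setting that would make the login
// request fail before it ever reaches Vault. getenv is injected so the
// check can be run against any environment, not only the current one.
func preflight(getenv func(string) string) []string {
	var findings []string
	addr := getenv("VAULT_ADDR")
	mount := getenv("VAULT_AUTH_MOUNT_POINT")
	if addr == "" {
		// Matches the "missing vault address" warning in the log.
		findings = append(findings, "VAULT_ADDR is empty in this process's environment")
	} else if u, err := url.Parse(addr); err != nil || u.Scheme != "https" || u.Host == "" {
		// A host without a scheme triggers "unsupported protocol scheme".
		findings = append(findings, "VAULT_ADDR is not an absolute https URL: "+addr)
	}
	if mount == "" {
		// Explains the double slash in /v1/auth//login.
		findings = append(findings, "VAULT_AUTH_MOUNT_POINT is empty, endpoint would contain //")
	}
	return findings
}

func main() {
	findings := preflight(os.Getenv)
	fmt.Println("login endpoint:",
		loginEndpoint(os.Getenv("VAULT_ADDR"), os.Getenv("VAULT_AUTH_MOUNT_POINT")))
	for _, f := range findings {
		fmt.Println("preflight:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run as the container's command in place of the plugin, it shows what the spawned process actually sees, which can differ from the env list in the pod spec.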