Kubernetes Secret not read correctly

Hi,
I’ve deployed Drone inside Kubernetes and I created a Kubernetes Secret as mentioned in the docs.
In my .drone.yml this is what I’ve done.

kind: secret
name: username
get:
  path: drone-nexus-secret
  name: user
---
kind: secret
name: password
get:
  path: drone-nexus-secret
  name: password
---
kind: pipeline
type: kubernetes
name: default
steps:
  - name: authenticate
    image: robertstettner/drone-mvn-auth
    settings:
      servers:
        - id: release
          username: 
            from_secret: username
          password:
            from_secret: password
        - id: snapshot
          username: 
            from_secret: username
          password:
            from_secret: password
      profiles:
        - id: CI
          repositories:
            - id: private
              name: private Repository
              url: https://MyPrivateRepo
              layout: default
      active_profiles:
        - CI

But this fails. If I display the generated settings.xml, this is what I have:

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
   <localRepository>/drone/src/.m2</localRepository>
   <servers>
      <server>
         <id>release</id>
         <username>[object Object]</username>
         <password>[object Object]</password>
      </server>
      <server>
         <id>snapshot</id>
         <username>[object Object]</username>
         <password>[object Object]</password>
      </server>
   </servers>
   <profiles>
      <profile>
         <id>CI</id>
         <repositories>
            <repository>
               <id>private</id>
               <name>private Repository</name>
               <url>https://MyPrivateRepo</url>
               <layout>default</layout>
            </repository>
         </repositories>
         <pluginRepositories />
      </profile>
   </profiles>
   <activeProfiles>
      <activeProfile>CI</activeProfile>
   </activeProfiles>
</settings>

So secrets are not correctly handled. Am I falling into the situation described in the doc?:

Unlike docker pipelines, the pipeline status is passed to steps by file as opposed to environment variable. Existing plugins may not be compatible with kubernetes pipelines and will need to be patched accordingly. See how we patched the Slack plugin.

OK, I forked the drone-mvn-auth plugin to add the code that handles the Kubernetes environment file:

const fs = require('fs');
const dotenv = require('dotenv');
const log = (msg) => console.log(msg);

// If the Kubernetes env file exists, load it and overwrite existing env variables.
// @see https://docs.drone.io/runner/kubernetes/overview/ Known Issues / Differences
log(`Kubernetes mode: ${fs.existsSync('/run/drone/env')}`);
if (fs.existsSync('/run/drone/env')) {
  const envConfig = dotenv.parse(fs.readFileSync('/run/drone/env'));
  for (const k in envConfig) {
    // Debug output only: this prints every value, secrets included, into the build log.
    log(`Kubernetes env: ${k} : ${envConfig[k]}`);
    process.env[k] = envConfig[k];
  }
}

But the secrets are not present in the environment. I re-read the doc that says I must deploy drone-secret inside the same pod as drone-runner. OK, it’s done. It does not work. Debugging the runner, I can see this:

time="2020-11-04T10:34:08Z" level=trace msg="secret: database: no matching secret" kind=secret name=password thread=100
time="2020-11-04T10:34:08Z" level=trace msg="secret: encrypted: no matching secret" kind=secret name=password thread=100
time="2020-11-04T10:34:08Z" level=trace msg="secret: database: no matching secret" kind=secret name=password thread=100
time="2020-11-04T10:34:09Z" level=debug msg="secret: external: cannot get secret" error="Post http://drone-runner:3001: dial tcp 10.103.6.97:3001: connect: connection refused" kind=secret name=password thread=100

and this is my k8s manifest:

apiVersion: v1
kind: Service
metadata:
  name: drone-runner
  labels:
    app: drone-runner
  namespace: default
spec:
  type: ClusterIP
  ports:
    - port: 3000
      name: drone-runner
    - port: 3001
      name: drone-secret
  selector:
    app: drone-runner
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-runner
  labels:
    app.kubernetes.io/name: drone-runner
  namespace: default
spec:
  replicas: 4
  selector:
    matchLabels:
      app.kubernetes.io/name: drone-runner
  template:
    metadata:
      labels:
        app.kubernetes.io/name: drone-runner
    spec:
      containers:
        - name: runner
          image: drone/drone-runner-kube:latest
          ports:
            - containerPort: 3000
          env:
            - name: DRONE_TRACE
              value: 'true'
            - name: DRONE_RPC_HOST
              value: drone
            - name: DRONE_RPC_PROTO
              value: http
            - name: DRONE_SECRET_PLUGIN_ENDPOINT
              value: http://drone-runner:3001
            - name: DRONE_SECRET_PLUGIN_TOKEN
              valueFrom:
                secretKeyRef:
                  name: drone-secret
                  key: rpc
            - name: DRONE_RPC_SECRET
              valueFrom:
                secretKeyRef:
                  name: drone-secret
                  key: rpc
        - name: drone-secret
          image: drone/kubernetes-secrets:latest
          ports:
            - containerPort: 3001
          env:
            - name: DEBUG
              value: 'true'
            - name: SERVER_ADDRESS
              value: ':3001'
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: drone-secret
                  key: rpc

Any idea?

OK, I just tried to define the secret repository via the Drone web UI. This does not work either. When I log the settings passed to the plugin, I get this from process.env.

PLUGIN_SERVERS:
   '[{"id":"releases","password":{"from_secret":"nexus_secret"},"username":{"from_secret":"nexus_username"}},{"id":"snapshots","password":{"from_secret":"nexus_secret"},"username":{"from_secret":"nexus_username"}}]',

The secrets nexus_secret and nexus_username are not interpreted and I just receive the string.

I must be missing something trivial, no?

The settings section is a map of type [string, string | Secret] which means from_secret cannot be used in nested structures like this. This will work:

settings:
  keyA:
    from_secret: ...

But this will not work:

settings:
  keyA:
    nestedKeyB:
      from_secret: ...

OK. So I can’t use secrets with drone-mvn-auth?

I do not think that is an accurate statement. You can use secrets with this and any plugin, but you cannot use from_secret in nested attributes. You can use from_secret with the top level attributes, like this:

settings:
  servers:
    from_secret: ....

… where the secret contains the JSON representation of the servers value (similar to this comment). Taking a step back, plugins should only use primitive types and arrays of primitive types as settings, and should not use complex objects in the settings section. This particular plugin does not follow these guidelines, hence the confusion you are facing.
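
The same situation from the plugin's side, as an added example that is not part of this thread or of the drone-mvn-auth plugin: a Node helper a plugin author could use to reject the unresolved nested from_secret objects shown above (the cause of the [object Object] values in settings.xml) and to accept the servers JSON once it arrives already resolved from a single top-level secret. PLUGIN_SERVERS is the variable shown in the thread; the function names and sample values are assumptions.

```javascript
// Added example, not the drone-mvn-auth plugin's own code. Drone passes the
// `servers` setting to the plugin as the JSON string PLUGIN_SERVERS; nested
// from_secret references inside it are never resolved by Drone.

// Returns the dotted paths of every value that is still a secret reference,
// i.e. an object of the form {from_secret: "<name>"}.
function findUnresolvedSecrets(value, path = '') {
  const found = [];
  if (value && typeof value === 'object') {
    if (typeof value.from_secret === 'string') {
      found.push(`${path || '<root>'} -> from_secret:${value.from_secret}`);
    } else {
      for (const [k, v] of Object.entries(value)) {
        found.push(...findUnresolvedSecrets(v, path ? `${path}.${k}` : k));
      }
    }
  }
  return found;
}

// Parses PLUGIN_SERVERS and fails the step early if any server field still
// carries a from_secret object or is not a plain string.
function loadServers(env) {
  const raw = env.PLUGIN_SERVERS;
  if (!raw) return [];
  const servers = JSON.parse(raw);
  const unresolved = findUnresolvedSecrets(servers, 'servers');
  if (unresolved.length > 0) {
    throw new Error('from_secret is not resolved inside nested settings; ' +
      'store the JSON for `servers` in one secret and reference it at the ' +
      'top level. Unresolved: ' + unresolved.join(', '));
  }
  for (const s of servers) {
    for (const field of ['id', 'username', 'password']) {
      if (typeof s[field] !== 'string') {
        throw new Error(`server ${s.id}: ${field} must be a string`);
      }
    }
  }
  return servers;
}

// Constructed sample inputs: the first mirrors the unresolved shape reported in
// the thread, the second is what the plugin sees when the whole `servers`
// value comes from a single top-level secret (values are placeholders).
const NESTED_ENV = { PLUGIN_SERVERS: '[{"id":"releases","password":{"from_secret":"nexus_secret"},' +
  '"username":{"from_secret":"nexus_username"}}]' };
const RESOLVED_ENV = { PLUGIN_SERVERS: '[{"id":"releases","username":"ci-user","password":"example-only"}]' };
```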

Hmm OK, I see. I think this limitation should be explicit in the doc. I have lost a lot of time trying to figure out the problem.

Thanks for your support