Secret - no matching secret

dns · November 3, 2019, 9:24pm

hello, I’m not getting secret from orgsecret. there is anything that I’m doing wrong?

job log:

"kind":"secret","level":"trace","msg":"secret: encrypted: no matching secret","name":"client_secret"

command used to add secret:

drone orgsecret add octocat client_secret secret

check if existist:

$ drone orgsecret info octocat client_secret
client_secret 
Organization:       octocat
Pull Request Read:  true
Pull Request Write: true

drone.yml

- name: step2
  image: alpine
  environment:
    client_secret:
      from_secret: client_secret

$ drone repo info octocat/repo
Owner: octocat 
Repo: repo
Config: .drone.yml
Visibility: private
Private: true
Trusted: true
Protected: false
Remote: https://github.com/octocat/repo.git

bradrydzewski · November 3, 2019, 9:26pm

have you taken a look at Problems with Organization Secrets

dns · November 3, 2019, 9:36pm

yes, I did. without success ):

there is something else I need to do that I’m missing in order to work?

also, there is more info:

$ drone build info octocat/repo
Number: 12
Status: running
Event: push
Commit: 01e1e9c52dbf99dedaaa7f1d8efe0036118efb4c
Branch: master
Ref: refs/heads/master
Author: octo <octo@gmail.com>
Message: Update README.md

bradrydzewski · November 3, 2019, 10:29pm

it looks like the output has been scrubbed. We need to see this data unchanged so that we can check for common issues, such as case mismatch, etc. We also need to see the full runner logs.

you should also verify you are using the latest versions of the server and runner. older versions of the software may not support certain features.

dns · November 3, 2019, 10:55pm

I see. There is something strange in my job log:
no registry credentials loaded

maybe this is the reason to not work?

there is the full log:

{"arch":"amd64","level":"debug","machine":"machine","msg":"runner: get stage details from server","os":"linux","stage-id":17,"time":"2019-11-03T22:41:47Z"}
2019/11/03 22:41:47 [DEBUG] POST http://drone.drone:80/rpc/v1/details
2019/11/03 22:41:47 [DEBUG] POST http://drone.drone:80/rpc/v1/netrc
{"level":"trace","msg":"registry: no registry credentials loaded","time":"2019-11-03T22:41:47Z"}
{"level":"trace","msg":"registry: no registry credentials loaded","time":"2019-11-03T22:41:47Z"}
{"kind":"secret","level":"trace","msg":"secret: encrypted: no matching secret","name":"client_secret","time":"2019-11-03T22:41:47Z"}

bradrydzewski · November 3, 2019, 11:08pm

It doesn’t look like you are running the latest version of the runner [1]. The latest version uses the /rpc/v2 endpoint and I see your runner is using /rpc/v1. When using the latest version of the runner I see trace logs from the following:

github.com

drone/runner-go/blob/master/secret/static.go#L41:L64


			Data: v,
		})
	}
	return Static(secrets)
}


type static struct {
	secrets []*drone.Secret
}


func (p *static) Find(ctx context.Context, in *Request) (*drone.Secret, error) {
	logger := logger.FromContext(ctx).
		WithField("name", in.Name).
		WithField("kind", "secret")


	for _, secret := range p.secrets {
		if !strings.EqualFold(secret.Name, in.Name) {
			continue
		}
		// The secret can be restricted to non-pull request
		// events. If the secret is restricted, return

Note that we use organization secrets to build all the plugin images, and we have not experienced any issues to date. So you may also consider debugging from source [2].

[1] https://docs.drone.io/runner/docker/installation/linux/
[2] https://github.com/drone-runners/drone-runner-docker

dns · November 4, 2019, 12:09am

That is correct. I saw later my log is showing that endpoint too:

2019/11/03 23:02:27 [DEBUG] POST http://drone.drone:80/rpc/v1/beforeAll
{"arch":"amd64","build":18,"level":"info","machine":"machine","msg":"runner: start execution","os":"linux","pipeline":"default","repo":"octocat/repo","stage":1,"stage-id":18,"time":"2019-11-03T23:02:27Z"}
2019/11/03 23:02:27 [DEBUG] POST http://drone.drone:80/rpc/v1/before
2019/11/03 23:02:29 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:29 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:29 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:29 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:29 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:29 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:29 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:30 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:30 [DEBUG] POST http://drone.drone:80/rpc/v1/write
2019/11/03 23:02:30 [DEBUG] POST http://drone.drone:80/rpc/v1/upload?id=69
2019/11/03 23:02:30 [DEBUG] POST http://drone.drone:80/rpc/v1/after
2019/11/03 23:02:30 [DEBUG] POST http://drone.drone:80/rpc/v1/before

Also, I’m running on my kubernetes cluster and seems that it’s using the latest version controller.

    - name: KUBERNETES_NODE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    - name: DRONE_RUNNER_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    image: drone/controller:1.3.1
    imagePullPolicy: Always

There is a way to change the endpoint using only environment variables?

Also, event the repository secrets aren’t working.

I updated all the image versions (tag) to 1.6.1. But no success. ):

bradrydzewski · November 4, 2019, 12:24am

There is a way to change the endpoint using only environment variables?

the endpoint is used in the newer versions of the runner. It sounds like you are using drone/agent which is the old runner image. See the docs for the new image. Using the newest version of the runner will give you better tracing output.

hopefully the trace output will help provide you with more insight. If not, you will probably need to start looking at the source code. There are unfortunately limits to the support I am able to provide without direct access to the system and without the ability to reproduce an issue. I think we have reached those limits.