ipirva
April 27, 2019, 3:16am
1
Hello,
I do no manage to integrate Drone w/ Vault. I tried troubleshooting with drone CLI and curl.
root@37139c1880d7:/# curl -X GET -H "X-Vault-Token:$DRONE_SECRET_SECRET" $DRONE_SECRET_ENDPOINT/v1/secret/data/docker
{"request_id":"bfd8710b-5a7f-9b17-701e-d13f7eab2bb0","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"config.json":"{\n \"auths\": {\n \"xxx\": {\n \"auth\": \"xxx\"\n }\n }\n}"},"metadata":{"created_time":"2019-04-27T03:03:07.733328206Z","deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null}
root@37139c1880d7:/#
root@37139c1880d7:/#
root@37139c1880d7:/# drone plugins secret get v1/secret/data/docker --repo test/test
Temporary Redirect
root@37139c1880d7:/# drone plugins secret get /v1/secret/data/docker --repo test/test
Temporary Redirect
root@37139c1880d7:/# drone plugins secret get secret/data/docker --repo test/test
Temporary Redirect
Has anybody had to solve this before?
Thanks,
something looks off … the $DRONE_SECRET_ENDPOING is not the address of your vault server. It is the address of the vault plugin, which is running as a standalone deamon and acts as an adapter between drone and vault.
did you install the plugin as described here:https://docs.drone.io/extend/secrets/vault/install/
and are you using the plugin address as DRONE_SECRET_ENDPOINT ?
ipirva
April 27, 2019, 4:37pm
3
Thank you, I got the variables right and re-did the test:
printenv | egrep -i “vault|secret”
drone plugins secret get --repo test/test secret/data/docker
curl -X GET -H “X-Vault-Token:$VAULT_TOKEN” $VAULT_ADDR/v1/secret/data/docker {“request_id”:"…",“lease_id”:"",“renewable”:false,“lease_duration”:0,“data”:{…},“metadata”:{…}
The Vault plugin says:
I am using the :latest drone/drone and drone/vault
ipirva
April 27, 2019, 6:01pm
4
Looking further I see the following message in tcpdump
0x00a0: 3a35 393a 3539 2047 4d54 0d0a 436f 6e74 :59:59.GMT..Cont
0x00b0: 656e 742d 4c65 6e67 7468 3a20 3130 320d ent-Length:.102.
0x00c0: 0a0d 0a7b 2265 7272 6f72 7322 3a5b 2265 ...{"errors":["e
0x00d0: 7272 6f72 2070 6572 666f 726d 696e 6720 rror.performing.
0x00e0: 746f 6b65 6e20 6368 6563 6b3a 2066 6169 token.check:.fai
0x00f0: 6c65 6420 746f 206c 6f6f 6b20 7570 206e led.to.look.up.n
0x0100: 616d 6573 7061 6365 2066 726f 6d20 7468 amespace.from.th
0x0110: 6520 746f 6b65 6e3a 206e 6f20 6e61 6d65 e.token:.no.name
0x0120: 7370 6163 6522 5d7d 0a space"]}.
which seems to be the reason behind “secret not found”
ipirva
April 27, 2019, 8:01pm
6
Strange the namespace reference in the error message returned by Vault … I do not use namespaces on Vault side.
I haven’t been able to figure out how comes that the drone cli request does not receive a success answer from Vault.
ipirva
April 28, 2019, 10:57am
7
I tested the Drone Vault integration with a fresh Vault installation. The behavior is unchanged.
Could this problem be because of the Drone Vault plugin? I am saying this because the curl GET is successful.
Has the Drone Vault plugin been QAed with specific Vault version?
Thanks.
Unlikely. Drone uses the official Vault library when fetching secrets. There are also teams, including myself, using this in production today without issue.
ipirva
April 28, 2019, 3:19pm
9
I was asking because:
the errors say “namespace” which is a feature available only with Vault Enterprise - I do not have Enterprise version
I am using the latest Vault docker image
I am lost in the ecosystem
ipirva
April 28, 2019, 7:43pm
10
I could move forward with my troubleshooting:
I added VAULT_API_ADDR to the exported env variables and to the drone vault plugin docker composer:
printenv | egrep -i “vault|secret”
and the .drone.yml could handle the pull of my container using Vault secret
steps:
name: build_package
image_pull_secrets:
kind: secret
drone cli is working as expected:
