Drone Autoscaler reference secrets in vault

I have drone, drone-vault, drone-runner-kube, and drone-autoscaler all running inside EKS. I am able to reference vault secrets when using the kubernetes pipeline. I’m also able to spin up a new EC2 instance when using a docker pipeline.

The part I’m unsure of is whether it is possible for my docker pipelines running on EC2 instances to reference secrets in vault.

@jsl,

If your network is open and you are able to reach the drone-vault endpoint from ec2, then I think you should be able to use it.
Could you please test and let us know if you are facing any issue.

Thanks for following up.

I do plan on creating ingress and service resources for drone-vault so that the ec2 instance can communicate with it. I’m also planning on adding the following to the instance with a custom cloud-init.

cloud-init will create the following:

write_files:
  - path: /root/agent.env
    content: |
      DRONE_SECRET_PLUGIN_ENDPOINT=vault-plugin-endpoint
      DRONE_SECRET_PLUGIN_TOKEN=secret-plugin

and then set the following environment variable on the drone-autoscaler deployment:
DRONE_AGENT_ENV_FILE: /root/agent.env

I’ll test this once I sort out my other issue (drone-autoscaler-agent-x509-cert-error).

I have figured out my issue with the autoscaler. I am again able to create on-demand instances and run a build however I still cannot get secrets from vault. I have created ingress and service resources for drone-vault. I have tried many different configs but cannot find one that works.

# drone-autoscaler env
DRONE_SECRET_PLUGIN_ENDPOINT: https://drone-vault.example.com # doesn't seem like this is supported but I wanted to try it
DRONE_SECRET_PLUGIN_TOKEN: secret-token # doesn't seem like this is supported but I wanted to try it
DRONE_AGENT_ENVIRON: DRONE_SECRET_PLUGIN_ENDPOINT:https://drone-vault.example.com,DRONE_SECRET_PLUGIN_TOKEN:secret-token
DRONE_AGENT_ENV_FILE: /root/agent.env
DRONE_AMAZON_USERDATA_FILE: /root/cloud-init.yml
cloud-init.yml: | # I'm using the example from the docs with this as the addition
  write_files:
    - path: /root/agent.env
      content: |
        DRONE_SECRET_PLUGIN_ENDPOINT=https://drone-vault.example.com
        DRONE_SECRET_PLUGIN_TOKEN=secret-token

One thing that jumps out is that DRONE_AGENT_ENV_FILE is read by the autoscaler, not by the runner. This means you would mount the env file into your autoscaler container, as opposed to trying to pass it to the runner directly via cloud-init. The autoscaler reads this file [1][2] and uses the contained values to create the runner container [3].

Remember that you can also ssh into the machines and check to see what environment variables are passed to the runner (using docker inspect) and you can also enable trace logging for the runner and inspect the logs (using docker logs) to trace through the code [4] and triage vault issues.

[1] https://github.com/drone/autoscaler/blob/master/config/load.go#L20:L28
[2] https://github.com/drone/autoscaler/blob/master/engine/engine.go#L67
[3] https://github.com/drone/autoscaler/blob/master/engine/install.go#L164
[4] https://github.com/drone/runner-go/blob/master/secret/external.go#L33

(the above links are intended to help you trace through the code and better understand how everything is wired up)
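The triage steps described in the answer above (ssh to the instance, inspect the runner container's environment, confirm the secret-plugin variables arrived), as an added example that is not part of the thread and not code from the Drone project. It assumes the runner container is named `agent`, that the variables of interest are the `DRONE_SECRET_PLUGIN_ENDPOINT` and `DRONE_SECRET_PLUGIN_TOKEN` names used in the posted config, and, for the `DRONE_AGENT_ENVIRON` check, the `KEY=VALUE,KEY=VALUE` form that ended up working for the poster; the sample env lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: helpers for checking that the vault secret-plugin settings
# actually reached the runner container on an autoscaled EC2 instance.
# Assumptions (not from the thread): runner container is named "agent";
# variable names are DRONE_SECRET_PLUGIN_ENDPOINT / DRONE_SECRET_PLUGIN_TOKEN.

# Print the runner container's environment, one KEY=VALUE per line.
# Usage on the instance:  runner_env | check_plugin_env
runner_env() {
    docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' "${1:-agent}"
}

# Read env lines (e.g. the output of runner_env) on stdin and return 0 only
# if both plugin variables are present and non-empty. The token value itself
# is never printed, only its length, so this is safe to paste into a ticket.
# Constructed sample input:
#   PATH=/usr/bin
#   DRONE_SECRET_PLUGIN_ENDPOINT=https://drone-vault.example.com
#   DRONE_SECRET_PLUGIN_TOKEN=secret-token
check_plugin_env() {
    endpoint=''
    token=''
    while IFS= read -r line; do
        case "$line" in
            DRONE_SECRET_PLUGIN_ENDPOINT=*) endpoint="${line#*=}" ;;
            DRONE_SECRET_PLUGIN_TOKEN=*)    token="${line#*=}" ;;
        esac
    done
    status=0
    if [ -z "$endpoint" ]; then
        echo "missing DRONE_SECRET_PLUGIN_ENDPOINT in runner env" >&2
        status=1
    else
        echo "endpoint: $endpoint"
    fi
    if [ -z "$token" ]; then
        echo "missing DRONE_SECRET_PLUGIN_TOKEN in runner env" >&2
        status=1
    else
        echo "token: set (${#token} chars)"
    fi
    return $status
}

# Validate a DRONE_AGENT_ENVIRON value before it goes into the configmap:
# every comma-separated entry must be KEY=VALUE with a non-empty KEY.
# Entries written as KEY:VALUE (no '=') are reported and the function
# returns 1, since they would not land in the container as usable variables.
check_agent_environ() {
    bad=0
    old_ifs=$IFS
    IFS=','
    for entry in $1; do
        case "$entry" in
            *=*)
                key="${entry%%=*}"
                if [ -z "$key" ]; then
                    echo "empty key in entry '$entry'" >&2
                    bad=1
                fi
                ;;
            *)
                echo "no '=' in entry '$entry' (expected KEY=VALUE)" >&2
                bad=1
                ;;
        esac
    done
    IFS=$old_ifs
    return $bad
}
```

On the instance, `runner_env | check_plugin_env` tells you in one line whether the autoscaler actually injected the two variables into the runner container; if it did and vault lookups still fail, the next stop is `docker logs agent` with trace logging enabled, as the answer suggests. `check_agent_environ "$DRONE_AGENT_ENVIRON"` can be run wherever the configmap value is assembled, to catch the colon-versus-equals mistake before a new instance is launched.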

Thanks for pointing me in the right direction. I noticed that some of my env vars were not making it to the container and found that it was because I was setting the vars in DRONE_AGENT_ENVIRON incorrectly. The docs mention DRONE_AGENT_ENVIRON=foo:bar,baz:qux however I realized that I had to flip that around because I’m running in k8s and loading this with a configmap.

The fix for me was:

# drone-autoscaler configmap (just a bunch of env vars)
DRONE_AGENT_ENVIRON: DRONE_SECRET_PLUGIN_ENDPOINT=https://drone-vault.example.com,DRONE_SECRET_PLUGIN_TOKEN=secret-token

Thanks again for following up and the references. It helped a lot.