[solved] External secret empty, unreliable

I’m trying to use the drone-vault secret plugin (extension?) with some problems.

I am running both the secret container and the server in Kubernetes (GKE), and there is one external agent on a separate Google Compute instance; both the agent and the secret plugin connect to the drone server just fine.

The first issue: the secret plugin isn’t called at every commit/build. I’m not sure if the secrets are cached and this is the intended behavior, but it seems really random.

The second issue: Whenever the plugin is actually called, and the secret is found, the container in the drone pipeline doesn’t get it, or gets an empty string.

I’m using a local fork of drone-vault with slightly more verbose logging, and the secret value is not empty there (at least in the “Find” method). Drone also gets to the “secret: external: found matching secret” trace log, yet the secret is still empty.

The .drone.yml:

kind: pipeline
name: default

steps:
  - name: test
    image: alpine
    pull: always
    environment:
      VAULT_TEST:
        from_secret: vaultsecret
      DRONE_TEST:
        from_secret: dronesecret
      NORMAL_ENV: normal env works
    commands:
      - echo $VAULT_TEST
      - echo $DRONE_TEST
      - echo $NORMAL_ENV

---

kind: secret
name: vaultsecret
get:
  path: mykv/data/drone
  name: some-test

Am I missing something, or is there anything I could debug further?

Edit:

After some hours of trial and error, and source reading, I’ve figured it out.

There were multiple things wrongly configured:

  • The Drone server had no DRONE_AGENTS_ENABLED set, which meant it occasionally wanted to run the pipelines itself, which did not work.
  • The secrets aren’t centralized as I originally thought, and the agent didn’t have the secret plugin configured, though it should have.

As a consequence, when the Drone server wanted to run the pipeline, it queried the secret plugin, but the actual pipeline failed. And when the agent ran the pipeline successfully, it had no idea about the secret plugin, so the secret remained empty.

I support the idea of having some way to figure these out, with even a warning on the UI, that some secrets remained empty, as this RFC states (https://github.com/drone/drone/issues/2423), so that things like this are easier to identify/debug.

Also, the actual agent configuration variables don’t (yet) match the ones in the documentation, namely the DRONE_SECRET_ENDPOINT, and DRONE_SECRET_SECRET.

So if anyone runs into similar problems, as of this post the correct configurations concerning the secret plugins with Drone 1.3.1 are:

drone/vault:

SECRET_KEY={secret_secret_token}
VAULT_ADDR={http://vault.addr:8200}
VAULT_TOKEN={.yourVaultToken}

drone/agent:

DRONE_SECRET_ENDPOINT={http://drone.vault.addr:3000}
DRONE_SECRET_SECRET={secret_secret_token}
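The two misconfigurations above (server without DRONE_AGENTS_ENABLED, agent without the secret plugin endpoint and shared token) are easy to check mechanically before a pipeline ever runs. The script below is an added example, not code from the original post or from the Drone project: it reads the KEY=VALUE env files of the server, the agent and the drone/vault plugin and reports each inconsistency. The file names, hostnames and token values are constructed for the example; the variable names are the ones given in the post (SECRET_KEY or, for drone/vault 1.1+, DRONE_SECRET on the plugin side).

```shell
#!/bin/sh
# Added example (not from the original post): check the env files of a
# Drone 1.x server, agent and drone/vault plugin for the two
# misconfigurations described above. File names, hostnames and token
# values below are constructed for the example.

# get_var FILE KEY: print the value of KEY=VALUE in FILE (last one wins).
get_var() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_drone_secret_config SERVER_ENV AGENT_ENV VAULT_ENV
# Returns 0 when the three files are consistent, 1 otherwise, printing
# one line per problem found.
check_drone_secret_config() {
  server_env=$1; agent_env=$2; vault_env=$3
  rc=0

  # The server must hand pipelines to agents instead of running them itself.
  if [ "$(get_var "$server_env" DRONE_AGENTS_ENABLED)" != "true" ]; then
    echo "server: DRONE_AGENTS_ENABLED is not 'true'"
    rc=1
  fi

  # The agent, not the server, talks to the secret plugin, so it needs the endpoint.
  if [ -z "$(get_var "$agent_env" DRONE_SECRET_ENDPOINT)" ]; then
    echo "agent: DRONE_SECRET_ENDPOINT is unset"
    rc=1
  fi

  # Agent and plugin must share the same token. drone/vault reads it from
  # SECRET_KEY (1.0) or DRONE_SECRET (1.1+), so accept either name.
  agent_secret=$(get_var "$agent_env" DRONE_SECRET_SECRET)
  plugin_secret=$(get_var "$vault_env" SECRET_KEY)
  [ -n "$plugin_secret" ] || plugin_secret=$(get_var "$vault_env" DRONE_SECRET)
  if [ -z "$agent_secret" ] || [ "$agent_secret" != "$plugin_secret" ]; then
    echo "agent/vault: DRONE_SECRET_SECRET and the plugin token are missing or differ"
    rc=1
  fi

  return $rc
}

# --- constructed sample env files ----------------------------------------
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
GOOD_SERVER="$TMP/server.env"; BAD_SERVER="$TMP/server-bad.env"
GOOD_AGENT="$TMP/agent.env";   BAD_AGENT="$TMP/agent-bad.env"
VAULT_ENV="$TMP/vault.env"

cat > "$GOOD_SERVER" <<'EOF'
DRONE_SERVER_HOST=drone.example.test
DRONE_AGENTS_ENABLED=true
EOF
# Same server config without DRONE_AGENTS_ENABLED, as in the original setup.
grep -v '^DRONE_AGENTS_ENABLED=' "$GOOD_SERVER" > "$BAD_SERVER"

cat > "$GOOD_AGENT" <<'EOF'
DRONE_RPC_SERVER=http://drone.example.test
DRONE_SECRET_ENDPOINT=http://drone-vault.example.test:3000
DRONE_SECRET_SECRET=example-shared-token
EOF
# An agent that knows nothing about the secret plugin.
grep -v '^DRONE_SECRET_' "$GOOD_AGENT" > "$BAD_AGENT"

cat > "$VAULT_ENV" <<'EOF'
SECRET_KEY=example-shared-token
VAULT_ADDR=http://vault.example.test:8200
VAULT_TOKEN=example-vault-token
EOF

# Demo: the broken pair reports both problems, the fixed pair is quiet.
if check_drone_secret_config "$BAD_SERVER" "$BAD_AGENT" "$VAULT_ENV"; then
  echo "broken config unexpectedly passed"
else
  echo "broken config: problems found (see above)"
fi
if check_drone_secret_config "$GOOD_SERVER" "$GOOD_AGENT" "$VAULT_ENV"; then
  echo "fixed config: OK"
fi
```

Run it against the real env files (or the output of `kubectl get deploy ... -o yaml` flattened to KEY=VALUE) instead of the constructed ones; an empty secret in a step with no error anywhere is exactly the symptom these three checks catch.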

And it looks like, as of drone/vault:1.1, SECRET_KEY is now DRONE_SECRET and SERVER_ADDRESS is now DRONE_BIND.