我使用头盔图表部署了drone.io。构建工作正常。 为了我的秘密,我关注了以下文档:https://readme.drone.io/extend/secrets/kubernetes/install/
所以我创建了一个秘密,以在插件和无人机服务器之间保存共享的秘密密钥(抱歉,ansible标记):
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: drone-kubernetes
data:
server: {{ server.stdout | b64encode }}
cert: {{ cert.stdout | b64encode }}
token: {{ token.stdout | b64encode }}
secret: {{ secret.stdout | b64encode }}
kubernetes秘密插件的部署:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: drone
component: secrets
release: drone
name: drone-drone-secrets
spec:
selector:
matchLabels:
app: drone
component: secrets
release: drone
template:
metadata:
labels:
app: drone
component: secrets
release: drone
spec:
containers:
- env:
- name: SECRET_KEY
valueFrom:
secretKeyRef:
key: secret
name: drone-kubernetes
image: docker.io/drone/kubernetes-secrets:linux-arm64
imagePullPolicy: IfNotPresent
name: secrets
ports:
- containerPort: 3000
name: secretapi
protocol: TCP
volumeMounts:
- mountPath: /etc/kubernetes/config
name: kube
volumes:
- name: kube
hostPath:
path: /etc/kubernetes/admin.conf
type: File
以及用于该部署的服务:
apiVersion: v1
kind: Service
metadata:
labels:
app: drone
component: secrets
release: drone
name: drone-secrets
spec:
ports:
- name: secretapi
port: 3000
protocol: TCP
selector:
app: drone
component: secrets
release: drone
type: ClusterIP
我修补了无人机服务器部署,以设置DRONE_SECRET_SECRET和DRONE_SECRET_ENDPOINT变量。
kubernetes-secrets插件的pod确实按预期方式看到了文件“ / etc / kubernetes / config”,并且将SECRET_KEY作为环境。 从无人机服务器吊舱中:
kubectl exec -i drone-drone-server-some-hash-here -- sh -c 'curl -s $DRONE_SECRET_ENDPOINT'
Invalid or Missing Signature
到目前为止,一切都很好。一切似乎设置正确。
这是我的测试项目的.drone.yml文件:
kind: pipeline
name: default
steps:
- name: kubectl
image: private-repo.local:5000/drone-kubectl
settings:
kubectl: "get pods"
kubernetes_server:
from_secret: kubernetes_server
kubernetes_cert:
from_secret: kubernetes_cert
image_pull_secrets:
- kubernetes_server
- kubernetes_cert
---
kind: secret
name: kubernetes_server
get:
path: drone-kubernetes
name: server
---
kind: secret
name: kubernetes_cert
get:
path: drone-kubernetes
name: cert
---
kind: secret
name: kubernetes_token
get:
path: drone-kubernetes
name: token
当前,自定义插件drone-kubectl仅运行env命令来查看我是否正在获取我的秘密,而我没有...我缺少什么?
答案 0 :(得分:2)
好吧,我在drone-drone-secrets部署中使用环境变量DEBUG发现了我的问题。错误是:
time="2019-06-10T06:29:22Z" level=debug msg="secrets: cannot find secret cert: kubernetes api: Failure 403 secrets \"drone-kubernetes\" is forbidden: User \"system:serviceaccount:toolchain:default\" cannot get resource \"secrets\" in API group \"\" in the namespace \"toolchain\""
所以我创建了这个服务帐户和相关角色:
apiVersion: v1
kind: ServiceAccount
metadata:
name: drone-drone-secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: drone-drone-secrets
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-drone-secrets
subjects:
- kind: ServiceAccount
name: drone-drone-secrets
roleRef:
kind: Role
name: drone-drone-secrets
apiGroup: rbac.authorization.k8s.io
并修补部署以使用该服务帐户。现在一切正常。