
I have drone running on a k8s cluster. One of my pipelines is for a GAE application.

I've been fighting with secrets for a while. It's a bit of a mission to make my secrets available. What I ended up doing was loading my key file name and contents into drone as a pair of secrets, then in my pipeline doing this:

  - echo $GOOGLE_KEY_CONTENTS > "/etc/google-keys/$${GOOGLE_KEY_NAME}.json"

If I ls or cat then the file is there and everything seems to be in order.

I then run:

  - gcloud auth activate-service-account --key-file=/etc/google-keys/$${GOOGLE_KEY_NAME}.json

And the result is:

ERROR: gcloud crashed (ValueError): No key could be detected.

The key is there and looks fine to me

I also tried:

  - gcloud info --run-diagnostics

And got the following output:

Network diagnostic detects and fixes local network connection issues.
Checking network connection...
done.
Reachability Check passed.
Network diagnostic (1/1 checks) passed.

If I try to authenticate with the same key file on my local machine it works just fine.

I've also managed to authenticate to gcloud from within a drone build when the drone instance was not running in k8s, and the secret key file was in a shared volume. (Unfortunately using a volume like this on k8s is impractical because drone wants me to make the secrets available to the base system of every single cluster node, and I'm not going to do that)

So either the k8s system is stopping gcloud from authenticating. Or I did something wrong when loading up my key. Or something else entirely.

Sheena
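
As an added example (not from the question, nor Drone's or gcloud's own code), the key-writing step from the pipeline above, done with quoting that keeps the JSON intact, a 0600 file mode, and a sanity check of the fields `gcloud auth activate-service-account` needs before the file is used. The variable names follow the question; the key JSON is constructed dummy data.

```sh
# Write the key with printf rather than echo: echo in some shells (dash,
# for example) expands backslash escapes, which would turn the "\n"
# sequences inside private_key into real line breaks and leave gcloud
# with invalid JSON. umask 077 makes the directory and file owner-only.
write_key_file() {
    _dir=$1; _name=$2; _contents=$3
    _path="$_dir/$_name.json"
    (umask 077 && mkdir -p "$_dir" && printf '%s\n' "$_contents" > "$_path") || return 1
    printf '%s\n' "$_path"
}

# Returns 0 when the file has the fields a service-account key needs and
# the PEM block inside private_key is still JSON-escaped (literal "\n").
check_key_file() {
    _path=$1
    [ -s "$_path" ] || { echo "empty or missing: $_path" >&2; return 1; }
    grep -q '"type": *"service_account"' "$_path" \
        || { echo "type is not service_account" >&2; return 1; }
    grep -q '"client_email"' "$_path" \
        || { echo "client_email missing" >&2; return 1; }
    # A literal backslash-n right after the PEM header means the escapes survived.
    grep -q -- '-----BEGIN PRIVATE KEY-----\\n' "$_path" \
        || { echo "private_key missing or its \\n escapes were expanded" >&2; return 1; }
    return 0
}

# Constructed dummy key (same shape as a real key file, not a real credential).
GOOGLE_KEY_NAME=demo-sa
GOOGLE_KEY_CONTENTS='{"type": "service_account", "project_id": "example-project", "client_email": "demo-sa@example-project.iam.gserviceaccount.com", "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgDUMMY\n-----END PRIVATE KEY-----\n"}'

KEY_PATH=$(write_key_file /tmp/google-keys "$GOOGLE_KEY_NAME" "$GOOGLE_KEY_CONTENTS") \
    && check_key_file "$KEY_PATH" \
    && echo "key file looks usable: $KEY_PATH"
# In the pipeline, the next step would be:
#   gcloud auth activate-service-account --key-file="$KEY_PATH"
```

Run the check in the pipeline step right before `gcloud auth activate-service-account`; if it fails, the problem is in how the secret reached the file, not in gcloud.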

2 Answers

0

The only way I could get it right was the following:

  1. copy all the keys to each and every node in the cluster at the same location
  2. use volumes in my drone.yml to access the directory with the keys

Note the conspicuous lack of k8s secrets and k8s volumes.

The reason for this is that the drone agent might show up on any node (I suppose node labels could have been used if I insisted on putting the keys on just one node but I figure one node is as secure as the next in my cluster and the secrets are tiny...). So simply scp them to where they need to be.

The drone agent can't access any k8s mounted volumes. Only volumes from the base system. I suppose drone wasn't built for use with k8s.

Sheena
-1

As described in this link, if you're using a service account to authenticate in applications running on Kubernetes, you need to use a secrets resource.

As described in step 5, this secret will be used as Environment Variable. The secret will be only accessible by the application where you have mounted the secret volume.

Marilu
  • incorrect. That's literally the first thing I tried. – Sheena Jan 19 '18 at 04:08
  • The information that I provided is the suggested way to authenticate your application when using a service account. If your drone doesn't work with secrets, you might want to reach out to the company that built the drone, as Kubernetes recommends putting sensitive information in a [secret](https://kubernetes.io/docs/concepts/configuration/secret/) rather than in plain text somewhere in your nodes. – Marilu Jan 19 '18 at 16:18