Enable Drone Kubernetes Secrets Chart
Interestingly, the existence of this chart somewhat contradicts the [docs](https://docs.drone.io/runner/extensions/kube/), which suggest you should "_\[d\]eploy the secret extension in the same Pod as your Kubernetes runner_". Though the interaction appears to be via an HTTP call, so that doesn't seem like it would be an issue.
This commit is contained in:
parent
4cc1c531e2
commit
8d70bbe78b
@ -15,3 +15,6 @@ dependencies:
|
||||
repository: https://charts.drone.io
|
||||
version: "0.6.1"
|
||||
alias: drone-runner
|
||||
- name: drone-kubernetes-secrets
|
||||
repository: https://charts.drone.io
|
||||
version: "0.1.4"
|
||||
|
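--- /dev/null
+++ b/charts/drone/templates/kubernetes_secrets_secret.yaml
@@ -0,0 +1,22 @@
+{{- /*
+https://itnext.io/manage-auto-generated-secrets-in-your-helm-charts-5aee48ba6918
+*/}}
+apiVersion: v1
+kind: Secret
+metadata:
+name: "kubernetes-secrets-secret"
+annotations:
+"helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+# retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
+{{- $existing_secret := (lookup "v1" "Secret" .Release.Namespace "kubernetes-secrets-secret") | default dict }}
+{{- $secretData := (get $existing_secret "data") | default dict }}
+# set $secret to existing secret data or generate a random one when not exists
+{{- $secret := (get $secretData "secret") | default (randAlphaNum 32 | b64enc) }}
+# generate 32 chars long random string, base64 encode it and then double-quote the result string.
+SECRET_KEY: {{ $secret | quote }}
+# Duplicate the secret-value with a different key so that it can be mounted into the environment of a pod which
+# required a different name (to the best of my knowledge, there's no way to mount a secret as an env variable but
+# transform the key)
+DRONE_SECRET_PLUGIN_TOKEN: {{ $secret | quote }}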
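Review bot: The lookup in this template reads key `"secret"` from the existing Secret's data, but the keys this same template writes are `SECRET_KEY` and `DRONE_SECRET_PLUGIN_TOKEN`, so `get $secretData "secret"` never finds anything and a fresh `randAlphaNum 32` value is generated on every `helm upgrade` — the `helm.sh/resource-policy: keep` annotation and the `lookup` then preserve nothing. The line should read `{{- $secret := (get $secretData "SECRET_KEY") | default (randAlphaNum 32 | b64enc) }}` (the stored value is already base64, so no further encoding on the existing branch is correct). Because both consumers read this value through `envFrom`, an unintended rotation only takes effect in pods that restart, so after an upgrade the runner and the secrets extension can hold different tokens until both are restarted; a checksum annotation on the two Deployments, or a documented restart, would make this deterministic. Note too that `lookup` returns an empty map under `helm template` / `--dry-run` and in render-only tooling, so in those paths the value is regenerated regardless of the fix above.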
@ -22,6 +22,9 @@ drone-runner:
|
||||
DRONE_RPC_SECRET: rpc-secret
|
||||
DRONE_RPC_HOST: drone-drone-server:3500 # This is the name of the service for the runner
|
||||
DRONE_RUNNER_NETWORK_OPTS: "com.docker.network.driver.mtu:1450"
|
||||
DRONE_SECRET_PLUGIN_ENDPOINT: "http://drone-drone-kubernetes-secrets:3000"
|
||||
extraSecretNamesForEnvFrom:
|
||||
- kubernetes-secrets-secret
|
||||
dind:
|
||||
commandArgs:
|
||||
- "--host"
|
||||
@ -42,6 +45,14 @@ drone-runner:
|
||||
values:
|
||||
- rasnu2
|
||||
|
||||
drone-kubernetes-secrets:
|
||||
rbac:
|
||||
secretNamespace: drone
|
||||
env:
|
||||
KUBERNETES_NAMESPACE: drone
|
||||
extraSecretNamesForEnvFrom:
|
||||
- kubernetes-secrets-secret
|
||||
|
||||
drone:
|
||||
server: "drone.scubbo.org"
|
||||
|
||||
|
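Review bot: `rbac.secretNamespace: drone` and `KUBERNETES_NAMESPACE: drone` point the secrets extension at what appears to be the same namespace the Drone server, the runner and this chart's own `kubernetes-secrets-secret` are deployed in (the runner addresses `drone-drone-server` and `drone-drone-kubernetes-secrets` by bare Service name). As far as I understand the extension, it hands any Secret in that namespace to a pipeline that references it by name, so anyone who can push a `.drone.yml` to a repository on this server could presumably read the extension's own token from `kubernetes-secrets-secret` and whatever other Secrets share the namespace (likely the RPC secret); a dedicated namespace holding only pipeline-consumable secrets, e.g. `secretNamespace: drone-pipeline-secrets` and `KUBERNETES_NAMESPACE: drone-pipeline-secrets`, keeps the extension's read access away from Drone's own credentials. Separately, `DRONE_SECRET_PLUGIN_ENDPOINT` is a plain `http://` cluster Service, so while requests are authenticated with the shared token the secret values come back unencrypted to anything that can reach port 3000 — which includes the build pods the runner itself schedules — so a NetworkPolicy limiting ingress to the runner pod (or co-locating the extension in the runner Pod as the docs suggest) is worth adding alongside this change. The `drone-runner:` mapping these hunks edit starts above the first hunk.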