
Kubernetes secrets plugin not working, with helpful logs

Stack Overflow user
Asked on 2019-06-10 05:38:30
1 answer, 880 views, 0 followers, score 1

I deployed drone.io with the Helm chart. Builds work fine. For my secrets I followed this documentation: https://readme.drone.io/extend/secrets/kubernetes/install/

So I created a secret to hold the shared secret between the plugin and the drone server (sorry for the Ansible tags):

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: drone-kubernetes
data:
  server: {{ server.stdout | b64encode }}
  cert: {{ cert.stdout | b64encode }}
  token: {{ token.stdout | b64encode }}
  secret: {{ secret.stdout | b64encode }}
```

The deployment of the kubernetes-secrets plugin:

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: drone
    component: secrets
    release: drone
  name: drone-drone-secrets
spec:
  selector:
    matchLabels:
      app: drone
      component: secrets
      release: drone
  template:
    metadata:
      labels:
        app: drone
        component: secrets
        release: drone
    spec:
      containers:
      - env:
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: secret
              name: drone-kubernetes
        image: docker.io/drone/kubernetes-secrets:linux-arm64
        imagePullPolicy: IfNotPresent
        name: secrets
        ports:
        - containerPort: 3000
          name: secretapi
          protocol: TCP
        volumeMounts:
        - mountPath: /etc/kubernetes/config
          name: kube
      volumes:
      - name: kube
        hostPath:
          path: /etc/kubernetes/admin.conf
          type: File
```

And the service for that deployment:

```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: drone
    component: secrets
    release: drone
  name: drone-secrets
spec:
  ports:
  - name: secretapi
    port: 3000
    protocol: TCP
  selector:
    app: drone
    component: secrets
    release: drone
  type: ClusterIP
```

I patched the drone-server deployment to set the DRONE_SECRET_SECRET and DRONE_SECRET_ENDPOINT variables.

The kubernetes-secrets plugin pod does see the file "/etc/kubernetes/config" as expected and has SECRET_KEY in its environment. From the drone-server pod:

```console
kubectl exec -i drone-drone-server-some-hash-here -- sh -c 'curl -s $DRONE_SECRET_ENDPOINT'
Invalid or Missing Signature
```

So far so good. Everything seems to be set up correctly.

Here is the .drone.yml file of my test project:

```yaml
kind: pipeline
name: default
steps:

- name: kubectl
  image: private-repo.local:5000/drone-kubectl
  settings:
    kubectl: "get pods"
    kubernetes_server:
      from_secret: kubernetes_server
    kubernetes_cert:
      from_secret: kubernetes_cert

image_pull_secrets:
 - kubernetes_server
 - kubernetes_cert

---
kind: secret
name: kubernetes_server
get:
  path: drone-kubernetes
  name: server
---
kind: secret
name: kubernetes_cert
get:
  path: drone-kubernetes
  name: cert
---
kind: secret
name: kubernetes_token
get:
  path: drone-kubernetes
  name: token
```

For now the custom plugin drone-kubectl only runs the env command so I can see whether I get my secrets, and I don't... What am I missing?


1 Answer

Stack Overflow user

Posted on 2019-06-10 14:57:26

OK, I found my problem by using the DEBUG environment variable on the drone-drone-secrets deployment. The error was:

```text
time="2019-06-10T06:29:22Z" level=debug msg="secrets: cannot find secret cert: kubernetes api: Failure 403 secrets \"drone-kubernetes\" is forbidden: User \"system:serviceaccount:toolchain:default\" cannot get resource \"secrets\" in API group \"\" in the namespace \"toolchain\""
```

So I created this serviceaccount and the associated role:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-drone-secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: drone-drone-secrets
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-drone-secrets
subjects:
- kind: ServiceAccount
  name: drone-drone-secrets
roleRef:
  kind: Role
  name: drone-drone-secrets
  apiGroup: rbac.authorization.k8s.io
```

And patched the deployment to use that service account. Now everything works.

Score: 2
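The answer's Role grants `get`, `watch` and `list` on every Secret in the namespace, which is more than the plugin needs to serve the one `drone-kubernetes` object the pipeline asks for. The 403 text also shows the plugin authenticating as the pod's service account (`system:serviceaccount:toolchain:default`), not with the `admin.conf` mounted from the node, so that hostPath mount appears unused and only widens exposure. The following added example (not code from the question, the answer or the Drone project) parses the logged Forbidden message, generates a dedicated ServiceAccount plus a Role restricted by `resourceNames` to that single secret and verb, and includes an offline rule check that stands in for `kubectl auth can-i`, so the narrow Role and the answer's broad one can be compared against the denied request. The manifest names, the assumption that the plugin fetches secrets by name with a `get`, and the sample log line (copied from the answer) are the example's own.

```python
"""Turn the RBAC 403 logged by the drone kubernetes-secrets plugin into a
least-privilege ServiceAccount/Role/RoleBinding, and check a Role against the
denied request offline (a stand-in for `kubectl auth can-i`).

Added example for this page; not code from the question, the answer or the
Drone project. Manifest names and the `get`-by-name assumption are the
example's own.
"""
import json
import re

# Sample input (constructed from the 403 line quoted in the answer; inner
# quotes are escaped exactly as the logger printed them).
SAMPLE_LOG = (
    'time="2019-06-10T06:29:22Z" level=debug msg="secrets: cannot find secret cert: '
    'kubernetes api: Failure 403 secrets \\"drone-kubernetes\\" is forbidden: '
    'User \\"system:serviceaccount:toolchain:default\\" cannot get resource '
    '\\"secrets\\" in API group \\"\\" in the namespace \\"toolchain\\""'
)

# Shape of the apiserver's Forbidden message, matched after unescaping \" quotes.
FORBIDDEN_RE = re.compile(
    r'Failure 403 (?P<resource>[a-z]+) "(?P<name>[^"]*)" is forbidden: '
    r'User "system:serviceaccount:(?P<sa_namespace>[^:"]+):(?P<service_account>[^"]+)" '
    r'cannot (?P<verb>[a-z]+) resource "[^"]*" in API group "(?P<api_group>[^"]*)" '
    r'in the namespace "(?P<namespace>[^"]*)"'
)

# The Role from the answer, kept here for comparison: every Secret in the
# namespace, three verbs.
ANSWER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "drone-drone-secrets"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "verbs": ["get", "watch", "list"]}],
}


def parse_forbidden(log_line):
    """Extract who was denied, which verb, and which object from the 403 text."""
    match = FORBIDDEN_RE.search(log_line.replace('\\"', '"'))
    if match is None:
        raise ValueError("not a Kubernetes RBAC Forbidden message")
    return match.groupdict()


def role_allows(role, verb, api_group, resource, name):
    """Offline RBAC rule check: does `role` permit this request?

    Mirrors the apiserver's matching: any one rule may match, "*" is a
    wildcard, and an absent resourceNames list means any object name.
    Namespace scope is not modelled; a Role applies only where it is bound.
    """
    for rule in role.get("rules", []):
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if not ("*" in groups or api_group in groups):
            continue
        if not ("*" in resources or resource in resources):
            continue
        if not ("*" in verbs or verb in verbs):
            continue
        names = rule.get("resourceNames", [])
        if names and name not in names:
            continue
        return True
    return False


def least_privilege_manifests(denied, name="drone-drone-secrets"):
    """Build a dedicated ServiceAccount, a Role limited to the one denied verb
    on the one denied object, and the RoleBinding joining them.

    Assumes the plugin fetches the secret it needs by name (a `get`), so the
    answer's `list`/`watch` are left out; resourceNames constrains those verbs
    only for clients that also send a matching metadata.name field selector.
    """
    namespace = denied["namespace"]
    service_account = {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace},
    }
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [{
            "apiGroups": [denied["api_group"]],
            "resources": [denied["resource"]],
            "resourceNames": [denied["name"]],
            "verbs": [denied["verb"]],
        }],
    }
    # Bind the new account rather than the `default` one named in the error:
    # every pod in the namespace running as `default` would otherwise inherit
    # read access to the secret.
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": name, "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
    }
    return service_account, role, binding


def render_list(*manifests):
    """kubectl apply -f accepts JSON, so a v1 List avoids needing a YAML library."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(manifests)}, indent=2)


if __name__ == "__main__":
    denied = parse_forbidden(SAMPLE_LOG)
    print(render_list(*least_privilege_manifests(denied)))
```

Pipe the output to `kubectl apply -f -` in the plugin's namespace and point the Deployment's `serviceAccountName` at the new account, as the answer does; the `role_allows` check then confirms that the narrow Role still satisfies the exact request that was denied while refusing `get` on any other Secret.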
Original page content provided by Stack Overflow.
Original link: https://stackoverflow.com/questions/56518546
