Clarify TLS Verfication impact

2017-02-20 18:20:47 +08:00 · 2017-02-20 18:20:47 +08:00 · 8da057f924
parent 5c69e4ff09
commit 8da057f924
2 changed files with 10 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -30,6 +30,7 @@ This more complex example demonstrates how to deploy to several environments bas
        deploy-staging:
            image: quay.io/honestbee/drone-kubernetes
            kubernetes_server: ${KUBERNETES_SERVER_STAGING}
+            kubernetes_cert: ${KUBERNETES_CERT_STAGING}
            kubernetes_token: ${KUBERNETES_TOKEN_STAGING}
            deployment: my-deployment
            repo: myorg/myrepo
@ -43,6 +44,7 @@ This more complex example demonstrates how to deploy to several environments bas
            image: quay.io/honestbee/drone-kubernetes
            kubernetes_server: ${KUBERNETES_SERVER_PROD}
            kubernetes_token: ${KUBERNETES_TOKEN_PROD}
+            # notice: no tls verification will be done, warning will is printed
            deployment: my-deployment
            repo: myorg/myrepo
            container: my-container
@ -56,10 +58,15 @@ This more complex example demonstrates how to deploy to several environments bas
    drone secret add --image=honestbee/drone-kubernetes \
        your-user/your-repo KUBERNETES_SERVER https://mykubernetesapiserver

+    drone secret add --image=honestbee/drone-kubernetes \
+        your-user/your-repo KUBERNETES_CERT <base64 encoded CA.crt>

    drone secret add --image=honestbee/drone-kubernetes \
        your-user/your-repo KUBERNETES_TOKEN eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJ...

+When using TLS Verification, ensure Server Certificate used by kubernetes API server 
+is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )
+
 ## To do 

 Replace the current kubectl bash script with a go implementation.
--- a/update.sh
+++ b/update.sh
@ -18,15 +18,16 @@ fi

 kubectl config set-credentials default --token=${KUBERNETES_TOKEN}
 if [ ! -z ${KUBERNETES_CERT} ]; then
-  echo ${KUBERNETES_CERT}} | base64 -d > ca.crt
+  echo ${KUBERNETES_CERT} | base64 -d > ca.crt
  kubectl config set-cluster default --server=${KUBERNETES_SERVER} --certificate-authority=ca.crt
 else
+  echo "WARNING: Using insecure connection to cluster"
  kubectl config set-cluster default --server=${KUBERNETES_SERVER} --insecure-skip-tls-verify=true
 fi

 kubectl config set-context default --cluster=default --user=default
 kubectl config use-context default
-  
+
 IFS=',' read -r -a DEPLOYMENTS <<< "$PLUGIN_DEPLOYMENT"
 for DEPLOY in ${DEPLOYMENTS[@]}; do
  echo Deploying to $KUBERNETES_SERVER