# Kubernetes plugin for drone.io [Docker Repository on Docker Cloud](https://cloud.docker.com/app/razorpay/repository/docker/razorpay/drone-kubernetes) ## Borrowed and distilled from [honestbee/drone-kubernetes](https://github.com/honestbee/drone-kubernetes) This plugin allows to update a Kubernetes deployment. - Cert based auth for tls - Insecure auth without tls This version deprecates token based auth ## Usage This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8` ```yaml pipeline: deploy: image: razorpay/drone-kubernetes pull: true secrets: - docker_username - docker_password - server_url_ - server_cert_ - client_cert_ - client_key_ - ... user: cluster: deployment: [] repo: container: [ ] namespace: tag: - ${DRONE_REPO_BRANCH}-${DRONE_COMMIT_SHA} - ... when: environment: branch: [ ,... ] event: exclude: [push, pull_request, tag] include: [deployment] ``` ## Required secrets - server_url - tls: - server_cert - `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crt` - `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.key:' > ca.key` - client_cert - client_key - ``` openssl genrsa -out client.key openssl req -new -key client.key -out client.csr -subj "/CN=drone/O=org" openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500 ``` - ``` cat ca.crt | base64 > car.crt.enc cat client.crt | base64 > client.crt.enc cat client.key | base64 > client.key.enc ``` - ``` drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_url_ -value https://k8s.org.com.:443 drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_cert_ -value @./ca.crt.enc drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_cert_ -value @./client.crt.enc drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_key_ -value @./client.key.enc ``` When using TLS Verification, ensure Server Certificate used by kubernetes API server is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster ) ### RBAC When using a version of kubernetes with RBAC (role-based access control) enabled, you will not be able to use the default service account, since it does not have access to update deployments. Instead, you will need to create a custom service account with the appropriate permissions (`Role` and `RoleBinding`, or `ClusterRole` and `ClusterRoleBinding` if you need access across namespaces using the same service account). As an example (for the `web` namespace): ```yaml apiVersion: v1 kind: ServiceAccount metadata: name: drone-deploy namespace: web --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: drone-deploy namespace: web rules: - apiGroups: ["extensions"] resources: ["deployments"] verbs: ["get","list","patch","update"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: drone-deploy namespace: web subjects: - kind: ServiceAccount name: drone-deploy namespace: web roleRef: kind: Role name: drone-deploy apiGroup: rbac.authorization.k8s.io ``` Once the service account is created, you can extract the `ca.cert` and `token` parameters as mentioned for the default service account above: ``` kubectl -n web get secrets # Substitute XXXXX below with the correct one from the above command kubectl -n web get secret/drone-deploy-token-XXXXX -o yaml | egrep 'ca.crt:|token:' ``` ## To do Replace the current kubectl bash script with a go implementation. ### Special thanks Inspired by [drone-helm](https://github.com/ipedrazas/drone-helm).