Go to file
hashfyre 661f470526 temp: update script: blocking deployment watch 2018-01-23 13:07:18 +05:30
.gitignore .gitignore 2017-12-09 15:45:22 +05:30
Dockerfile base: alpine3.7 2018-01-12 17:36:11 +05:30
LICENSE Create LICENSE 2017-07-20 16:26:27 +08:00
README.md script, readme: plugin_auth_mode: token 2018-01-19 19:38:27 +05:30
update.sh temp: update script: blocking deployment watch 2018-01-23 13:07:18 +05:30


Kubernetes plugin for drone.io

Docker Repository on Docker Cloud

Borrowed and distilled from honestbee/drone-kubernetes

This plugin allows to update a Kubernetes deployment.

  • Cert based auth for tls
  • token based auth
  • Insecure auth without tls


This pipeline will update the my-deployment deployment with the image tagged DRONE_COMMIT_SHA:0:8

    image: razorpay/drone-kubernetes
    pull: true
      - docker_username
      - docker_password
      - server_url_<cluster>
      - server_cert_<cluster>
      - client_cert_<cluster> / - server_token_<cluster>
      - client_key_<cluster> / - server_token_<cluster>
      - ...
    user: <kubernetes-user with a cluster-rolebinding>
    cluster: <kubernetes-cluster>
    auth_mode: [ token | client-cert ] // provide only if providing server_cert_<cluster>
    deployment: [<kubernetes-deployements, ...>]
    repo: <org/repo>
    container: [ <containers,...> ]
    namespace: <kubernetes-namespace>
      - ...
      environment: <kubernetes-cluster>
      branch: [ <branches>,... ]
        exclude: [push, pull_request, tag]
        include: [deployment]

Required secrets

  • server_url
  • token:
    • server_token
      • kubectl get secret [ your default secret name ] -o yaml | egrep 'token:' > server.token
  • tls:
    • server_cert
      • kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crt
      • kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.key:' > ca.key
    • client_cert
    • client_key
      • openssl genrsa -out client.key
        openssl req -new -key client.key -out client.csr -subj "/CN=drone/O=org"
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500
      • cat ca.crt | base64 > car.crt.enc
        cat client.crt | base64 > client.crt.enc
        cat client.key | base64 > client.key.enc
      • drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_url_<cluster> -value https://k8s.org.com.:443
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_cert_<cluster> -value @./ca.crt.enc
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_cert_<cluster> -value @./client.crt.enc
        drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_key_<cluster> -value @./client.key.enc

When using TLS Verification, ensure Server Certificate used by kubernetes API server is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )


When using a version of kubernetes with RBAC (role-based access control) enabled, you will not be able to use the default service account, since it does not have access to update deployments. Instead, you will need to create a custom service account with the appropriate permissions (Role and RoleBinding, or ClusterRole and ClusterRoleBinding if you need access across namespaces using the same service account).

As an example (for the web namespace):

apiVersion: v1
kind: ServiceAccount
  name: drone-deploy
  namespace: web


apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
  name: drone-deploy
  namespace: web
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["get","list","patch","update"]


apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
  name: drone-deploy
  namespace: web
  - kind: ServiceAccount
    name: drone-deploy
    namespace: web
  kind: Role
  name: drone-deploy
  apiGroup: rbac.authorization.k8s.io

Once the service account is created, you can extract the ca.cert and token parameters as mentioned for the default service account above:

kubectl -n web get secrets
# Substitute XXXXX below with the correct one from the above command
kubectl -n web get secret/drone-deploy-token-XXXXX -o yaml | egrep 'ca.crt:|token:'

To do

Replace the current kubectl bash script with a go implementation.

Special thanks

Inspired by drone-helm.