| .gitignore | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
| update.sh | ||
Kubernetes plugin for drone.io
Docker Repository on Docker Cloud
Borrowed and distilled from honestbee/drone-kubernetes
This plugin allows to update a Kubernetes deployment.
- Cert based auth for tls
- Insecure auth without tls
This version deprecates token based auth
Usage
This pipeline will update the my-deployment deployment with the image tagged DRONE_COMMIT_SHA:0:8
pipeline:
deploy:
image: razorpay/drone-kubernetes
pull: true
secrets:
- docker_username
- docker_password
- server_url_<cluster>
- server_cert_<cluster>
- client_cert_<cluster>
- client_key_<cluster>
- ...
user: <kubernetes-user with a cluster-rolebinding>
cluster: <kubernetes-cluster>
deployment: [<kubernetes-deployements, ...>]
repo: <org/repo>
container: [ <containers,...> ]
namespace: <kubernetes-namespace>
tag:
- ${DRONE_REPO_BRANCH}-${DRONE_COMMIT_SHA}
- ...
when:
environment: <kubernetes-cluster>
branch: [ <branches>,... ]
event:
exclude: [push, pull_request, tag]
include: [deployment]
Required secrets
- server_url
- tls:
- server_cert
kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crtkubectl get secret [ your default secret name ] -o yaml | egrep 'ca.key:' > ca.key
- client_cert
- client_key
-
openssl genrsa -out client.key openssl req -new -key client.key -out client.csr -subj "/CN=drone/O=org" openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500 -
cat ca.crt | base64 > car.crt.enc cat client.crt | base64 > client.crt.enc cat client.key | base64 > client.key.enc -
drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_url_<cluster> -value https://k8s.org.com.:443 drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name server_cert_<cluster> -value @./ca.crt.enc drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_cert_<cluster> -value @./client.crt.enc drone secret add -repository razorpay/gimli -image razorpay/drone-kubernetes -event deployment -name client_key_<cluster> -value @./client.key.enc
-
- server_cert
When using TLS Verification, ensure Server Certificate used by kubernetes API server is signed for SERVER url ( could be a reason for failures if using aliases of kubernetes cluster )
RBAC
When using a version of kubernetes with RBAC (role-based access control)
enabled, you will not be able to use the default service account, since it does
not have access to update deployments. Instead, you will need to create a
custom service account with the appropriate permissions (Role and RoleBinding, or ClusterRole and ClusterRoleBinding if you need access across namespaces using the same service account).
As an example (for the web namespace):
apiVersion: v1
kind: ServiceAccount
metadata:
name: drone-deploy
namespace: web
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: drone-deploy
namespace: web
rules:
- apiGroups: ["extensions"]
resources: ["deployments"]
verbs: ["get","list","patch","update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: drone-deploy
namespace: web
subjects:
- kind: ServiceAccount
name: drone-deploy
namespace: web
roleRef:
kind: Role
name: drone-deploy
apiGroup: rbac.authorization.k8s.io
Once the service account is created, you can extract the ca.cert and token
parameters as mentioned for the default service account above:
kubectl -n web get secrets
# Substitute XXXXX below with the correct one from the above command
kubectl -n web get secret/drone-deploy-token-XXXXX -o yaml | egrep 'ca.crt:|token:'
To do
Replace the current kubectl bash script with a go implementation.
Special thanks
Inspired by drone-helm.