Kubernetes
The Kubernetes Secret resource secures, stores, and controls access to tokens, passwords, certificates, and other secrets in modern computing. The Kubernetes Secrets extension provides your pipeline with access to Kubernetes secrets.
Kubernetes Secrets integration is provided by an extension and is only available if your system administrator has installed the extension.
Creating Secrets
Create a secret resource using the Kubernetes YAML configuration language, and persist it to your cluster using kubectl. In the example below we store the Docker username and password.
apiVersion: v1
kind: Secret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
metadata:
  name: docker
Accessing Secrets
Once our secrets are stored in Kubernetes, we can update our YAML configuration file to request access to them. First we define a secret resource in our YAML for each external secret. We include the path to the Kubernetes Secret and the name (key) of the value we want to retrieve:
---
kind: pipeline
name: default

steps:
- name: build
  image: alpine

---
kind: secret
name: username
get:
  path: docker
  name: username

---
kind: secret
name: password
get:
  path: docker
  name: password
...
We can then reference the named secrets in our pipeline:
kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: username
    PASSWORD:
      from_secret: password

---
kind: secret
name: username
get:
  path: docker
  name: username

---
kind: secret
name: password
get:
  path: docker
  name: password

...
Limiting Access
Secrets are available to all repositories and all build events by default. We strongly recommend that you limit access to secrets by repository and build events. This can be done by adding special annotations:
apiVersion: v1
kind: Secret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/*
    X-Drone-Events: push,tag
Limit By Repository
Use the X-Drone-Repos key to limit which repositories can access your secret. The value is a comma-separated list of glob patterns. If a repository name matches at least one of the patterns, it is granted access to the secret.
Limit access to a single repository:
metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/hello-world
Limit access to all repositories in an organization:
metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/*
Limit access to multiple repositories or organizations:
metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/*,spaceghost/*
Limit By Event
Use the X-Drone-Events key to limit which build events can access your secret. The value is a comma-separated list of event names. If a build's event matches at least one of them, the build is granted access to the secret.
Limit access to push and tag events:
metadata:
  name: docker
  annotations:
    X-Drone-Events: push,tag
You can combine annotations to limit by repository and event:
metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/*
    X-Drone-Events: push,tag
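The two access rules above (any glob in X-Drone-Repos grants access, any event name in X-Drone-Events grants access, a missing annotation means no restriction) as an added Python example for auditing which builds can read a Secret manifest; this is not code from the extension or the Drone project. It assumes fnmatch-style glob semantics, which the page does not specify, and the Secret object and build list are constructed sample input.

```python
import base64
import fnmatch

# Annotation keys the extension reads (from the page).
REPOS_KEY = "X-Drone-Repos"
EVENTS_KEY = "X-Drone-Events"

def _split_list(value):
    """Split a comma-separated annotation value into non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def secret_grants_access(secret, repo, event):
    """True if the Secret's annotations let `repo` read it during `event`.
    A missing annotation means no restriction (the page's default). Glob matching
    is assumed fnmatch-style (`*` also matches `/`); the page only says "glob"."""
    annotations = secret.get("metadata", {}).get("annotations") or {}
    repos = annotations.get(REPOS_KEY)
    if repos is not None and not any(
        fnmatch.fnmatchcase(repo, p) for p in _split_list(repos)
    ):
        return False
    events = annotations.get(EVENTS_KEY)
    if events is not None and event not in _split_list(events):
        return False
    return True

def audit_secret(secret, builds):
    """List the (repo, event) pairs that can read the Secret and flag a Secret
    carrying neither annotation, i.e. one exposed to every build."""
    annotations = secret.get("metadata", {}).get("annotations") or {}
    unrestricted = REPOS_KEY not in annotations and EVENTS_KEY not in annotations
    exposed = [(r, e) for r, e in builds if secret_grants_access(secret, r, e)]
    return {"unrestricted": unrestricted, "exposed_to": exposed}

def decode_data(secret):
    """Secret `data` is only base64-encoded, not encrypted: anyone who can read
    the object recovers the plaintext, which is why access should be limited."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}

# Constructed sample: the page's `docker` Secret limited to octocat/* on push,tag.
DOCKER_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"},
    "metadata": {"name": "docker",
                 "annotations": {REPOS_KEY: "octocat/*", EVENTS_KEY: "push,tag"}},
}
```

Running `audit_secret` over every Secret in a namespace and flagging `unrestricted: True` is a quick way to find secrets that were created without the annotations the page recommends.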