ipedrazas/drone-helm

Integrate HashiCorp Vault with Drone

ipedrazas opened this issue · 6 comments

Ideally, we want to have secrets defined in Vault.

The plugin could receive a vault token/host pair and pull the secrets from there.

Drone has built-in Vault support now, FWIW.

Oh, that's awesome!

The use case was slightly different: having the secrets in Vault and having Kubernetes integrated with Vault means not having to worry about secrets being leaked during CI/CD.

I'll take a look anyway!

so0k commented

We use VaultController in our clusters and our Charts get secrets using secretClaims - so we never expose secrets in Drone.

However, we do have scenarios where the helm release requires different user-defined values per helm deploy, and the current way of passing key-value pairs in the drone pipeline is too verbose.

For this, we are adding skuid/helm-value-store support, which is strictly for non-secrets (and tied into AWS DynamoDB atm).

I will open a PR, but doubt the functionality would benefit the majority of the user base of this plugin, thus I wonder if this should be split off into a different plugin?

Actually, this has been a long-standing issue in my backlog. Truth is that if Helm supports plugins, we should make this drone plugin support Helm plugins.

so0k commented

I should approach it that way, idd

helm value store does require a specific plugin config (yaml file)

how would the drone-plugin pull that config?

so0k commented

scrap that - I need to re-read https://github.com/kubernetes/helm/blob/master/docs/plugins.md

but it would eat CI time if plugins can't be baked into the drone-helm plugin image