Photo by Belinda Fewings on Unsplash

[2/3] Complete guide to CI/CD pipelines with on kubernetes — Drone Vault extension

4 min readApr 5, 2020


original article


You are running kubernetes and using an expensive yet easy and maintainable CI/CD pipelines.

You want to save money but don’t want to spend too much time migrating and don’t want to give up on features.

You want to be able to :

  • Push your images to your private docker registry
  • Monitor your build with prometheus
  • Access your hashicorp vault secrets from your pipeline.

This series of three articles will help you go through it with Drone CI !

Check the first post to setup the private registry, the drone server and the kube runner. In this post we will go through the installation and configuration of the drone vault extension.

Vault & Drone

If you want to get your secrets directly from your vault we will need to deploy the drone vault extension. Here is the high level design of the setup.

Vault Configuration

First we need to create an approle and a policy in the vault to authorize the extension to the vault secret. If you want to know how to install and configure a vault in your kubernetes cluster just read our article.

Create approle auth Via the Vault CLI

  1. Enable the AppRole auth method
$ vault auth enable approle
  1. Create an approle named drone-shared linked to the drone-shared-policy.
$ vault write auth/approle/role/drone-shared \
token_policies="drone-shared-policy" token_ttl=48h token_max_ttl=72h
  1. Fetch the RoleID of the AppRole:
$ vault read auth/approle/role/drone-shared/role-id
role_id df465465-dfs5465446f
  1. Get a SecretID issued against the AppRole:
$ vault write -f auth/approle/role/drone-shared/secret-id
secret_id 684f684s6g4-45g6f4d
secret_id_accessor g9gdf-fdgdgdfg9dfgd
  1. Create the drone-shared-policy

We need to authorize the login and accessing the secrets located at secret/drone in read only.

# Login with AppRole
path "auth/approle/login" {
capabilities = ["create", "read"]
# Read shared data kv2
path "kv/data/secret/drone/*" {
capabilities = ["read", "list"]

Drone vault extension deployment

Now we are ready to deploy the drone vault extension inside our cluster. You can find my version of the drone-vault extension deployment here.

We need first to create a secret with our approle ID, approle secret and a secret that we will later share with the kube runner.

$ kubectl create secret generic vault-drone \
--from-literal=approle_role_id=df465465-dfs5465446f \
--from-literal=approle_role_secret=684f684s6g4-45g6f4d \

Next we need to mount our cluster Certificate Authority. Indeed the drone-vault extension will talk to our vault pod using https. As our vault certificate has been issued by our cluster authority we need the CA certificate to validate the vault TLS certificate.

$kubectl config view --raw -o json |\
jq -r '.clusters[0].cluster."certificate-authority-data"'|\
tr -d '"' | base64 --decode > kubca.crt
$ kubectl create configmap ca-crt --from-file=kubca.crt

Then we put all this information together inside a deployment and create the resource in our cluster.

$ kubectl create -f drone-vault-deployment.yaml

Finally we need to create a service for the drone-vault extension.

$ kubectl expose deployment drone-vault --type=ClusterIP \

Drone kube runner configuration

We need to update the runner configuration to include the plugin address and the shared secret. Let’s add these environment variables into the kube runner chart values file.


Now we can access our secret by defining the vault path directly inside the drone.yaml file that describes the Drone pipeline.

kind: secret
name: docker_username
path: kv/data/secret/drone/docker/login
name: username
kind: secret
name: docker_password
path: kv/data/secret/drone/docker/login
name: password

And access it in the pipeline steps as usual

from_secret: docker_username
from_secret: docker_password

Secrets are available to all repositories and all build events by default. We strongly recommend that you limit access to secrets by repository and build events. This can be done by adding special properties.

$ vault kv put secret/docker \
username=octocat \
password=correct-horse-battery-staple \
x-drone-events=push,tag \

That’s it for this second article in the next one we will scrape drone metrics with Prometheus operator by defining a service monitor. If you want to know more about vault and how to set it up on kubernetes don’t miss our previous article.

If you have questions remarks you can PM me: telegram:@Zgorizzo mail:

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.