
drone-helm's Introduction

Helm (Kubernetes) plugin for drone.io


This plugin deploys a Helm chart into a Kubernetes cluster.

  • Current helm version: 2.14.1
  • Current kubectl version: 1.14.3

Drone Pipeline Usage

For the usage information and a listing of the available options please take a look at the docs.

Run the local image (or replace drone-helm with quay.io/ipedrazas/drone-helm):

docker run --rm \
  -e API_SERVER="https://$(minikube ip):8443" \
  -e KUBERNETES_TOKEN="${KUBERNETES_TOKEN}" \
  -e PLUGIN_NAMESPACE=default \
  -e PLUGIN_SKIP_TLS_VERIFY=true \
  -e PLUGIN_RELEASE=my-release \
  -e PLUGIN_CHART=stable/redis \
  -e PLUGIN_VALUES="tag=TAG,api=API" \
  -e PLUGIN_STRING_VALUES="long_string_value=1234567890" \
  -e PLUGIN_DEBUG=true \
  -e PLUGIN_DRY_RUN=true \
  -e DRONE_BUILD_EVENT=push \
  quay.io/ipedrazas/drone-helm

Troubleshooting

If you see the error "Error: API Server is needed to deploy.", it is usually because no secret specifies the API_SERVER or the KUBERNETES_TOKEN.

As one000mph commented in an issue, setting the right PREFIX and secrets usually solves the problem.

export ACTION=add
export REPO=org/myrepo
export PREFIX=prod_
# export CLUSTER_URI, UNENCODED_TOKEN, BASE64_CERT
# Quote every expansion so tokens and certificates with special characters are passed intact.
drone secret "$ACTION" --repository "$REPO" --name "${PREFIX}api_server" --value "$CLUSTER_URI"
drone secret "$ACTION" --repository "$REPO" --name "${PREFIX}kubernetes_token" --value "$UNENCODED_TOKEN"
drone secret "$ACTION" --repository "$REPO" --name "${PREFIX}kubernetes_certificate" --value "$BASE64_CERT"

Contribution

This repo is set up so that if you enable a personal Drone server to build your fork, it will build and publish your image. This makes it easier to test PRs and to use the image until the contributions are merged.

  • To build locally, run: DRONE_REPO_OWNER=ipedrazas DRONE_REPO_NAME=drone-helm drone exec
  • On your server, make sure you have DOCKER_USERNAME, DOCKER_PASSWORD, and DOCKERHUB_REPO set as secrets.

drone-helm's People

Contributors

alexei-led, americt, arhont375, chrisduong, danielkrainas, errordeveloper, hokichaio, ipedrazas, jaredreisinger, jmccann, josmo, kayuii, kelvintaywl, laghoule, mgar, nastasias, one000mph, pulsar256, robert-bo-davis, so0k, tdabasinskas


drone-helm's Issues

Variable substitution in Values parameter doesn't work with braces

After using the plugin this morning, I've found that if I add braces around my variables (as seen in the docs), then variable substitution does not work correctly (at least for values in the Values parameter).

Dropping the braces, leaving just $MYVARIABLE, instead of ${MYVARIABLE} does work, though. Having looked at the code and tests it seems both should be interchangeable, is this not the case?

The value I'm substituting is fetched from a Drone secret. My pipeline step looks something like this:

  - name: deploy-qa
    image: myrepo/drone-helm
    settings:
      chart: mycharts/chart
      skip_tls_verify: true
      debug: true
      release: app-qa
      namespace: qa
      helm_repos: mycharts=https://charts.domain
      client_only: true
      values: rabbitmq.uri=${RABBITMQ_URI},otherThing.uri="http://bla",rabbitmq.exchange="exchange",rabbitmq.bindingKey=#
    environment:
      RABBITMQ_URI:
        from_secret: RABBITMQ_URI
      API_SERVER:
        from_secret: API_SERVER
      KUBERNETES_TOKEN:
        from_secret: KUBERNETES_TOKEN
    when:
      event:
        - promote
      target:
        - qa

In the example above, ${RABBITMQ_URI} isn't substituted, but $RABBITMQ_URI is. In the debug logs, I can see -ReplVar: _RABBITMQ_URI => RABBITMQ_URI-- when I don't add braces, but this is missing with braces around the variable.

So far as I can tell, the variable name matches the regex that the plugin seems to use to match environment variables, so I'm unsure why this isn't working. Is this the intended behaviour and I'm just misunderstanding?

I'm using Drone 1.2 with a version of the plugin built from the latest commit on master.

how to disable stable-repo-url: googleapis.com

I want to run: helm --stable-repo-url http://192.168.3.3 ...
Reason: the stable-repo-url kubernetes-charts.storage.googleapis.com cannot be reached from China.

======= drone log =========
......
Creating /root/.helm
Creating /root/.helm/repository
Creating /root/.helm/repository/cache
Creating /root/.helm/repository/local
Creating /root/.helm/plugins
Creating /root/.helm/starters
Creating /root/.helm/cache/archive
Creating /root/.helm/repository/repositories.yaml
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com
Error: Looks like "https://kubernetes-charts.storage.googleapis.com" is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: net/http: TLS handshake timeout
Error running helm command: init

exit code 1

Add support for value files

Helm supports setting value overrides on the command line, and also giving files containing additional values. Can you please add support for value files?

I have about 10 deep path values to set per environment for deployment, and setting these with files would keep the drone.yaml clean.

Suggested entry:

valueFiles: [ '/path/to/file1', '/path/to/file2' ]

Secrets can be leaked in debug and on error

Secrets that are passed as values using the values option can be leaked when using debug mode or in case of error as the whole helm command will be printed.

I don't know if there's a good fix for this as I don't know if it can be determined which of those values come from drone env variables, e.g. DRONE_TAG or from custom secrets, e.g SECRET_PASSWORD in the README example
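When it cannot be determined which values come from secrets, one option is to mask every value passed to --set and --set-string before the command line is printed. The Go code below is an added example, not the plugin's own code; RedactArgs, redactPairs and the sample arguments are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// valueFlags are the helm flags whose argument is a comma-separated
// list of key=value pairs that may carry secrets.
var valueFlags = map[string]bool{"--set": true, "--set-string": true}

// redactPairs keeps every key of "k1=v1,k2=v2" and masks every value.
// A part that follows an escaped comma (`\,`) or has no '=' belongs to
// the previous value and is dropped instead of being printed.
func redactPairs(pairs string) string {
	var kept []string
	escaped := false // previous part ended with '\'
	for _, p := range strings.Split(pairs, ",") {
		eq := strings.Index(p, "=")
		if !escaped && eq >= 0 {
			kept = append(kept, p[:eq+1]+"***")
		}
		escaped = strings.HasSuffix(p, `\`)
	}
	if len(kept) == 0 {
		return "***"
	}
	return strings.Join(kept, ",")
}

// RedactArgs returns a copy of args that is safe to log. It handles both
// "--set k=v" and "--set=k=v" and never modifies the slice that is
// passed on to helm.
func RedactArgs(args []string) []string {
	out := make([]string, len(args))
	copy(out, args)
	for i := 0; i < len(out); i++ {
		a := out[i]
		if valueFlags[a] && i+1 < len(out) {
			out[i+1] = redactPairs(out[i+1])
			i++
			continue
		}
		if eq := strings.Index(a, "="); eq > 0 && valueFlags[a[:eq]] {
			out[i] = a[:eq+1] + redactPairs(a[eq+1:])
		}
	}
	return out
}

func main() {
	// Constructed sample command line; the password is a made-up value.
	args := []string{"upgrade", "--install", "my-release", "stable/redis",
		"--set", `image.tag=1.2.3,db.password=s3cr3t\,x`, "--namespace", "default"}
	fmt.Println("helm " + strings.Join(RedactArgs(args), " "))
}
```

Masking all values also hides harmless ones such as image tags, which is the trade-off for not needing to know where each value came from.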

Reformat branch names

Branches are used as part of the name of the objects, so they must match the regex a-z0-9?(.a-z0-9?)* (e.g. 'example.com')

We should add a sanitise branch function.
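A branch sanitiser along the lines proposed above, as an added Go example that is not the plugin's own code. It targets the Kubernetes DNS-1123 label form (lowercase alphanumerics and '-', at most 63 characters), which is an assumption here and is stricter than the dotted form quoted in the issue; SanitizeBranch and the sample branch names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// maxLabelLen is the length limit of a DNS-1123 label.
const maxLabelLen = 63

var (
	// dns1123Label is the Kubernetes DNS-1123 label pattern.
	dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	// invalidRun matches any run of characters not allowed in a label;
	// '-' is included so repeated separators collapse into one.
	invalidRun = regexp.MustCompile(`[^a-z0-9]+`)
)

// SanitizeBranch turns a git branch name into a string that is valid as
// part of a Kubernetes object name, or returns an error when nothing
// usable is left (for example a branch made only of punctuation).
func SanitizeBranch(branch string) (string, error) {
	s := strings.ToLower(branch)
	s = invalidRun.ReplaceAllString(s, "-")
	s = strings.Trim(s, "-")
	if len(s) > maxLabelLen {
		// Truncation can expose a '-' at the end, so trim again.
		s = strings.TrimRight(s[:maxLabelLen], "-")
	}
	if !dns1123Label.MatchString(s) {
		return "", fmt.Errorf("branch %q has no characters usable in an object name", branch)
	}
	return s, nil
}

func main() {
	// Constructed sample branch names.
	for _, b := range []string{"feature/TIX-123_Add.Login", "release/1.4", "___"} {
		name, err := SanitizeBranch(b)
		fmt.Printf("%q -> %q (err: %v)\n", b, name, err)
	}
}
```

Distinct branches can map to the same result (feature/x and feature-x both become feature-x), so a release name built from it should include something unique such as the short commit SHA when collisions matter.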

Secret handling in Yaml

Drone supports injecting secrets in the yaml file. Remove the secret/envvar handling in the code.

Having trouble with conditional builds using tag

pipeline:
  ship:
    when:
      event: tag
    image: ipedrazas/drone-helm
    api_server: https://${K8S_MASTER}/
    skip_tls_verify: true
    chart: ./charts/myapp
    values: image.tag=${DRONE_COMMIT_SHA}
    release: myapp
    token: ${K8S_SERVICE_ACCOUNT_KEY}

Log shows this with exit code of 0

Creating /root/.helm 
Creating /root/.helm/repository 
Creating /root/.helm/repository/cache 
Creating /root/.helm/repository/local 
Creating /root/.helm/plugins 
Creating /root/.helm/starters 
Creating /root/.helm/repository/repositories.yaml 
Writing to /root/.helm/repository/cache/stable-index.yaml
$HELM_HOME has been configured at /root/.helm.
Warning: Tiller is already installed in the cluster.
(Use --client-only to suppress this message, or --upgrade to upgrade Tiller to the current version.)
Happy Helming!
The Kubernetes package manager
To begin working with Helm, run the 'helm init' command:
	$ helm init
This will install Tiller to your running Kubernetes cluster.
It will also set up any necessary local configuration.
Common actions from this point include:
- helm search:    search for charts
- helm fetch:     download a chart to your local directory to view
- helm install:   upload the chart to Kubernetes
- helm list:      list releases of charts
Environment:
  $HELM_HOME          set an alternative location for Helm files. By default, these are stored in ~/.helm
  $HELM_HOST          set an alternative Tiller host. The format is host:port
  $TILLER_NAMESPACE   set an alternative Tiller namespace (default "kube-namespace")
  $KUBECONFIG         set an alternative Kubernetes configuration file (default "~/.kube/config")
Usage:
  helm [command]
Available Commands:
  completion  Generate bash autocompletions script
  create      create a new chart with the given name
  delete      given a release name, delete the release from Kubernetes
  dependency  manage a chart's dependencies
  fetch       download a chart from a repository and (optionally) unpack it in local directory
  get         download a named release
  history     fetch release history
  home        displays the location of HELM_HOME
  init        initialize Helm on both client and server
  inspect     inspect a chart
  install     install a chart archive
  lint        examines a chart for possible issues
  list        list releases
  package     package a chart directory into a chart archive
  repo        add, list, remove, update, and index chart repositories
  reset       uninstalls Tiller from a cluster
  rollback    roll back a release to a previous revision
  search      search for a keyword in charts
  serve       start a local http web server
  status      displays the status of the named release
  test        test a release
  upgrade     upgrade a release
  verify      verify that a chart at the given path has been signed and is valid
  version     print the client/server version information
Flags:
      --debug                     enable verbose output
      --home string               location of your Helm config. Overrides $HELM_HOME (default "/root/.helm")
      --host string               address of tiller. Overrides $HELM_HOST
      --kube-context string       name of the kubeconfig context to use
      --tiller-namespace string   namespace of tiller (default "kube-system")
Use "helm [command] --help" for more information about a command.

Unable to turn off debug

I've tried not setting debug at all in the drone.yml, I've tried setting debug: false and I've tried debug: null.

Every time the plugin runs it echoes all the environment vars and I'm not sure how to turn that off. Please help!

Using Go module

Hi,

I'm using this plugin extensively. I want to contribute to make this repo work with Go Modules, so that we can get the benefits of Go Modules.

Please let me know your thoughts. 🙂

Helm v3

Hey,

are there already any plans to support Helm v3?

Maybe as a new plugin (which prevents breaking existing deployments).

Thanks for your awesome work!

Drone 1.0.0 syntax example

Hi,

Trying to use helm plugin with new drone 1.X syntax, but failing miserably:

  - name: deploy
    image: quay.io/ipedrazas/drone-helm
    skip_tls_verify: true
    chart: ./helm/api
    update_dependencies: false
    values_files: "helm/production-values.yaml"
    release: api
    namespace: production
    when:
      branch: [drone-integration]

Error: API Server is needed to deploy.

Any ideas how to incorporate api_server and token? Ideally using Vault, which I have set up and enabled in Drone.

Regards

Support `--verify` on install/upgrade

I'd like to verify the origin of my packages when they are installed via the drone pipeline. I understand that this would likely require loading my public keyring into the drone environment. It seems that no one has undertaken this effort so far and I might be able to start working on a PR.

Does anyone have thoughts on how to best accomplish this or things to consider? Any reason this hasn't been added yet?

Error: API Server is needed to deploy

I'm getting this error message and I can't figure out why. As far as I can tell, the API Server is specified in my pipeline:

  deploy_helm:
    image: quay.io/ipedrazas/drone-helm
    api_server: https://my-k8s-server.foo.com
    kubernetes_token: ... token from kube ...
    chart: ./kubernetes/neo
    release: neo
    values: image.tag=${DRONE_BRANCH}-${DRONE_COMMIT_SHA:0:7},version=${DRONE_BRANCH}-${DRONE_COMMIT_SHA:0:7}
    when:
      branch: master
      event: push

Is there anything obviously wrong with that?

Unrelated, but can I use the DNS address as I'm running Drone in the same cluster as the deployment target e.g.: api_server: http://kubernetes.default.svc.local

The latest docker image(master-a504685) shows x509: failed to load system roots and no roots provided error

Got this error message from the latest image quay.io/ipedrazas/drone-helm:latest

Creating /root/.helm 
Creating /root/.helm/repository 
Creating /root/.helm/repository/cache 
Creating /root/.helm/repository/local 
Creating /root/.helm/plugins 
Creating /root/.helm/starters 
Creating /root/.helm/cache/archive 
Creating /root/.helm/repository/repositories.yaml 
Error: Looks like "https://kubernetes-charts.storage.googleapis.com" is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: failed to load system roots and no roots provided
Error running helm command: init --upgrade

Notice there are some changes from here

Desire to use the env-file for release name and other variables

Hello! First off amazing job, this plugin is excellent and solves so many problems for me.

I'm trying to use a more customized release name than just the branch or tag or other standard Drone environment variable. I looked in the main.go file and it appears you are loading a "env-file" but I can't figure out how to use it. Where does this file need to be created in the shared volume? This is what I'm basically doing, I attempted using the variables directly when they didn't seem to be implicitly picked up from the file I created, but it may be in the wrong place? Any help is greatly appreciated!

pipeline:
  step-one:
    image: node:10.14.2
    commands:
      - export ticketNumber=$(echo "${CI_COMMIT_BRANCH}" | awk 'match($0, /(^TIX-[0-9]*)/) { print tolower( substr( $0, RSTART, RLENGTH ))}')
      - echo "RELEASE: ${ticketNumber}" > env-file
      - echo "VALUES: valueOne=something,valueTwo=somthing" >> env-file
      - echo "NAMESPACE: my-namespace" >> env-file
      - cat env-file

  deploy:
      image: quay.io/ipedrazas/drone-helm
      skip_tls_verify: "true"
      chart: ./charts/microservices
      release: ${RELEASE}
      values: ${VALUES}
      namespace: ${NAMESPACE}
      secrets: [ api_server, kubernetes_token ]

Create a Prefix entry

Resolving envvars is very cumbersome. Adding a prefix will normalise them and make managing the secrets/envvars easier.

possible to remove package https://github.com/alecthomas/template

Hi,

I checked the package; it is a fork of Go's built-in text/template package. The feature it provides is trimming newlines, which can actually be done with Go itself. For example:

{{- if true -}}
hello
{{-end}}

Will produce

hello\n

I have tested in CI, it is actually not needed. If someone can tell me more about this package's usage, I'm happy to know it. Thanks

"dry-run: true" still deployed a new helm chart

I have a simple pipeline:

pipeline:
  helm_deploy:
    image: quay.io/ipedrazas/drone-helm
    skip_tls_verify: true
    chart: stable/prometheus
    update_dependencies: false
    release: prometheus
    namespace: production-prometheus
    dry-run: true
    secrets: [ api_server, kubernetes_token ]
    when:
      branch: [master]

Interestingly, when this ran, it actually deployed prometheus, into that namespace.

Equivalent of helm lint *

Is there a recommended way of having helm lint * run in a charts repo before packaging helm charts?

What if tiller is already installed?

Hi! I'm looking to use this plugin but I have tiller already installed in its name space with specific settings. Will the plugin screw the installed tiller when it runs or does it see that it's installed and skip? Or does it anyway leave the existing settings instead of say reinstalling? Not sure how to read the code unfortunately. Thanks!

Add support for any version of kubectl

I noticed a previous issue for adding these into the docker image in the past, but that was reverted due to the size of the image.

I'm wondering if we can dynamically download kubectl packages and run them on the fly? Here's a shell script that can do something similar. Thinking the user could provide the version in the settings.

os=darwin  # or linux
arch=amd64
version=1.16.0

curl -LO https://storage.googleapis.com/kubernetes-release/release/v${version}/bin/${os}/${arch}/kubectl

chmod +x ./kubectl
./kubectl version

Support Tiller install in alternate namespace

I have a use case where tiller is installed into a specific (not kube-system) namespace in my clusters. I'd like to be able to pass in a value to the helm init command with the --tiller-namespace flag so I can use this plugin. If the parameter is set, it would append to the init command.

values section seems to be not working.

Hi,
I have been stuck in one place for a while. I am using the Drone stable version, installed on Kubernetes.

Here is my .drone.yaml:

  - name: release_staging
    image: quay.io/ipedrazas/drone-helm
    environment:
      STAGING_API_SERVER:
        from_secret: staging_api_server
      STAGING_KUBERNETES_TOKEN:
        from_secret: staging_kubernetes_token
    settings:
      skip_tls_verify: true
      chart: ./helm
      release: staging
      values: >-
        secret.APPLE_VERIFY_RECEIPT_PASSWORD=${APPLE_VERIFY_RECEIPT_PASSWORD},
        secret.AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID},
        secret.AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY},
        secret.OPBEAT_SECRET_TOKEN=${OPBEAT_SECRET_TOKEN},
        secret.FACEBOOK_KEY=${FACEBOOK_KEY},
        secret.FACEBOOK_SECRET=${FACEBOOK_SECRET},
        secret.GOOGLE_TAG_ID=${GOOGLE_TAG_ID},
        secret.OPBEAT_ORGANIZATION_ID=${OPBEAT_ORGANIZATION_ID},
        secret.AWS_BACKUP_ACCESS_KEY_ID=${AWS_BACKUP_ACCESS_KEY_ID},
        secret.AWS_BACKUP_SECRET_ACCESS_KEY=${AWS_BACKUP_SECRET_ACCESS_KEY},
        secret.DATABASE_URL=${DATABASE_URL},
        secret.DROPBOX_KEY=${DROPBOX_KEY},
        secret.DROPBOX_SECRET=${DROPBOX_SECRET},
        secret.MAILCHIMP_API_KEY=${MAILCHIMP_API_KEY},
        secret.MAILCHIMP_LIST_ID=${MAILCHIMP_LIST_ID},
        secret.NEW_RELIC_LICENSE_KEY=${NEW_RELIC_LICENSE_KEY},
        secret.OPBEAT_APP_ID=${OPBEAT_APP_ID},
        secret.SECRET_KEY_BASE=${SECRET_KEY_BASE},
        secret.SENDGRID_USERNAME=${SENDGRID_USERNAME},
        secret.SENDGRID_PASSWORD=${SENDGRID_PASSWORD},
        secret.DOCKER_CONFIG_JSON=${DOCKER_CONFIG_JSON},
        SUBDOMAIN=staging,
        image.tag=13
      prefix: STAGING
      namespace: staging
      values_files: ["helm/values.staging.yaml"]

What I did is I intentionally created an error and looked at the debug log; it looks like the helm command is not picking up these values.

Error running helm command: upgrade --install staging ./helm --set secret.APPLE_VERIFY_RECEIPT_PASSWORD=, secret.AWS_ACCESS_KEY_ID=, secret.AWS_SECRET_ACCESS_KEY=, secret.OPBEAT_SECRET_TOKEN=, secret.FACEBOOK_KEY=, secret.FACEBOOK_SECRET=, secret.GOOGLE_TAG_ID=, secret.OPBEAT_ORGANIZATION_ID=, secret.AWS_BACKUP_ACCESS_KEY_ID=, secret.AWS_BACKUP_SECRET_ACCESS_KEY=, secret.DATABASE_URL=, secret.DROPBOX_KEY=, secret.DROPBOX_SECRET=, secret.MAILCHIMP_API_KEY=, secret.MAILCHIMP_LIST_ID=, secret.NEW_RELIC_LICENSE_KEY=, secret.OPBEAT_APP_ID=, secret.SECRET_KEY_BASE=, secret.SENDGRID_USERNAME=, secret.SENDGRID_PASSWORD=, secret.DOCKER_CONFIG_JSON=, image.tag=13 --values helm/values.staging.yaml --namespace staging

And even if it deploys successfully, I can see in the deployment that the image tag is latest, which is written in the values.yaml file:

image:
  tag: latest

It's picking that one, but not my value 13.

I have no clue.

Is ${SECRET_NAME} the right way to write values in .drone.yaml? I have copied the content of my YAML exactly, so I am asking whether dollarsign-bracket-value-bracket is the right format.
Why is my image.tag not reaching my deployment template?

FYI: I added secrets from the Drone UI under that project, prefixed with STAGING. I am using Postgres as data storage, and I enabled encryption.
