Use this plugin to deploy Docker images to Google Container Engine (GKE).
The following parameters are used to configure this plugin:
image- this plugin's Docker image- optional
project- project of the container cluster (defaults to inferring from the service accounttokencredential) - optional
zone- zone of the container cluster - optional
region- region of the container cluster cluster- name of the container cluster- optional
namespace- Kubernetes namespace to operate in (defaults todefault) - optional
template- Kubernetes manifest template (defaults to.kube.yml) - optional
secret_template- Kubernetes Secret resource manifest template (defaults to.kube.sec.yml) - optional
wait_deployments- list of Deployments to wait for successful rollout, usingkubectl rollout status - optional
wait_seconds- ifwait_deploymentsis set, number of seconds to wait before failing the build vars- variables to use intemplateandsecret_template(see below for details)secrets- credential and variables to use insecret_template(see below for details)- optional
expand_env_vars- expand environment variables for values invarsfor reference (defaults tofalse)
These optional parameters are useful for debugging:
dry_run- do not apply the Kubernetes templates (defaults tofalse)verbose- dump availablevarsand the generated Kubernetestemplate(excluding secrets) (defaults tofalse)
drone-gke requires a Google service account and uses its JSON credential file to authenticate.
This must be passed to the plugin under the target token.
The plugin infers the GCP project from the JSON credentials (token) and retrieves the GKE cluster credentials.
Improved in Drone 0.5+, it is no longer necessary to align the JSON file.
Simply copy the contents of the JSON credentials file and paste it directly in the input field (for example for a secret named GOOGLE_CREDENTIALS).
drone secret add \
--event push \
--event pull_request \
--event tag \
--event deployment \
--repository org/repo \
--name GOOGLE_CREDENTIALS \
--value @gcp-project-name-key-id.json
The plugin attempts to fetch credentials for authenticating to the cluster via kubectl.
If connecting to a regional cluster, you must provide the region parameter to the plugin and omit the zone parameter.
If connecting to a zonal cluster, you must provide the zone parameter to the plugin and omit the region parameter.
The zone and region parameters are mutually exclusive; providing both to the plugin for the same execution will result in an error.
drone-gke also supports creating Kubernetes secrets for you. These secrets should be passed from Drone secrets to the plugin as environment variables with targets with the prefix secret_. These secrets will be used as variables in the secret_template in their environment variable form (uppercased).
Kubernetes expects secrets to be base64 encoded, drone-gke does that for you. If you pass in a secret that is already base64 encoded, please apply the prefix secret_base64_ and the plugin will not re-encode them.
These variables are always available to reference in any manifest, and cannot be overwritten by vars or secrets:
---START VARIABLES AVAILABLE FOR ALL TEMPLATES---
{
"BRANCH": "master",
"BUILD_NUMBER": "12",
"COMMIT": "4923x0c3380413ec9288e3c0bfbf534b0f18fed1",
"TAG": "",
"cluster": "my-gke-cluster",
"namespace": "",
"project": "my-gcp-proj",
"zone": "us-east1-a"
}
---END VARIABLES AVAILABLE FOR ALL TEMPLATES---
It may be desired to reference an environment variable for use in the Kubernetes manifest.
In order to do so in vars, the expand_env_vars must be set to true.
For example when using drone deploy org/repo 5 production -p IMAGE_VERSION=1.0, to get IMAGE_VERSION in vars:
expand_env_vars: true
vars:
image: my-image:$${IMAGE_VERSION}The plugin will expand the environment variable for the template variable.
To use $${IMAGE_VERSION} or $IMAGE_VERSION, see the Drone docs about preprocessing.
${IMAGE_VERSION} will be preprocessed to an empty string.
Note particularly the gke: build step.
---
pipeline:
build:
image: golang:1.8
environment:
- GOPATH=/drone
- CGO_ENABLED=0
commands:
- go get -t
- go test -v -cover
- go build -v -a
when:
event:
- push
- pull_request
gcr:
image: plugins/docker
storage_driver: overlay
username: _json_key
registry: us.gcr.io
repo: us.gcr.io/my-gke-project/my-app
tag: ${DRONE_COMMIT}
secrets:
- source: GOOGLE_CREDENTIALS
target: docker_password
when:
event: push
branch: master
gke:
image: nytimes/drone-gke
zone: us-central1-a
cluster: my-gke-cluster
namespace: ${DRONE_BRANCH}
environment:
- USER=root
expand_env_vars: true
vars:
image: gcr.io/my-gke-project/my-app:${DRONE_COMMIT}
app: my-app
env: dev
user: $${USER}
secrets:
- source: GOOGLE_CREDENTIALS
target: token
- source: API_TOKEN
target: secret_api_token
- source: P12_CERT
target: secret_base64_p12_cert
when:
event: push
branch: masterNote the two Kubernetes yml resource manifests separated by ---.
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{.app}}-{{.env}}
spec:
replicas: 3
template:
metadata:
labels:
app: {{.app}}
env: {{.env}}
spec:
containers:
- name: app
image: {{.image}}
ports:
- containerPort: 8000
env:
- name: APP_NAME
value: {{.app}}
- name: USER
value: {{.user}}
- name: API_TOKEN
valueFrom:
secretKeyRef:
name: {{.app}}-{{.env}}
key: api-token
---
apiVersion: v1
kind: Service
metadata:
name: {{.app}}-{{.env}}
spec:
type: LoadBalancer
selector:
app: {{.app}}
env: {{.env}}
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8000Note that the templated output will not be dumped when debugging.
---
apiVersion: v1
kind: Secret
metadata:
name: {{.app}}-{{.env}}
type: Opaque
data:
api-token: {{.SECRET_API_TOKEN}}
p12-cert: {{.SECRET_BASE64_P12_CERT}}