{"id":31480756,"url":"https://github.com/bh90210/dron8s","last_synced_at":"2025-10-02T05:50:18.290Z","repository":{"id":52069000,"uuid":"303128511","full_name":"bh90210/dron8s","owner":"bh90210","description":"Yet another Kubernetes plugin for Drone using dynamic Server Side Apply to achieve --server-side parity for your CI-CD pipelines","archived":false,"fork":false,"pushed_at":"2024-03-20T18:30:28.000Z","size":2167,"stargazers_count":20,"open_issues_count":2,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-15T01:35:53.979Z","etag":null,"topics":["ci-cd","cluster","drone","drone-ci","drone-plugin","k8s","kubernetes","kubernetes-runner"],"latest_commit_sha":null,"homepage":"http://plugins.drone.io/bh90210/dron8s","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bh90210.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-11T13:35:56.000Z","updated_at":"2023-05-25T09:28:06.000Z","dependencies_parsed_at":"2024-11-15T05:15:32.568Z","dependency_job_id":null,"html_url":"https://github.com/bh90210/dron8s","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/bh90210/dron8s","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bh90210%2Fdron8s","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bh90210%2Fdron8s/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bh90210%2Fdron8s/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/bh90210%2Fdron8s/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bh90210","download_url":"https://codeload.github.com/bh90210/dron8s/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bh90210%2Fdron8s/sbom","scorecard":{"id":236284,"data":{"date":"2025-08-11","repo":{"name":"github.com/bh90210/dron8s","commit":"2bbb1ca35602b1de11b47dbeef4b23d0e3683df3"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.6,"checks":[{"name":"Code-Review","score":0,"reason":"Found 1/18 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":9,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish-image.yaml:16","Warn: no topLevel permission defined: .github/workflows/publish-image.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-image.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/bh90210/dron8s/publish-image.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-image.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/bh90210/dron8s/publish-image.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-image.yaml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/bh90210/dron8s/publish-image.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-image.yaml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/bh90210/dron8s/publish-image.yaml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:11: pin your Docker image by updating gcr.io/distroless/static to 
gcr.io/distroless/static@sha256:2e114d20aa6371fd271f854aa3d6b2b7d2e70e797bb3ea44fb677afec60db22c","Info:   0 out of   1 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENCE:0","Info: FSF or OSI recognized license: The Unlicense: LICENCE:0"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2021-0064 / GHSA-8cfg-vx93-jvxw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 17 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T05:49:47.719Z","repository_id":52069000,"created_at":"2025-08-17T05:49:47.719Z","updated_at":"2025-08-17T05:49:47.719Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":277963190,"owners_count":25906473,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-02T02:00:08.890Z","response_time":67,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd","cluster","drone","drone-ci","drone-plugin","k8s","kubernetes","kubernetes-runner"],"created_at":"2025-10-02T05:50:14.909Z","updated_at":"2025-10-02T05:50:18.285Z","avatar_url":"https://github.com/bh90210.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg width=\"26%\" src=\"https://user-images.githubusercontent.com/22690219/119139719-02ab6580-ba4c-11eb-9dd4-fa810133c9f4.png\" /\u003e\n\u003c/p\u003e\n\n[![Build and publish docker image](https://github.com/bh90210/dron8s/actions/workflows/publish-image.yaml/badge.svg)](https://github.com/bh90210/dron8s/actions/workflows/publish-image.yaml) \u003cimg src=https://goreportcard.com/badge/github.com/bh90210/dron8s /\u003e \n\n# Dron8s\n\nYet another Kubernetes plugin for Drone using [dynamic](https://pkg.go.dev/k8s.io/client-go@v0.19.2/dynamic) 
[Server Side Apply](https://kubernetes.io/docs/reference/using-api/api-concepts/#server-side-apply) to achieve `kubectl apply --server-side` parity for your CI-CD pipelines.\n\n## Features\n* Create resources if they do not exist/update if they do\n* Can handle multiple yaml configs in one file\n* Can handle most resource types\u003csup\u003e1\u003c/sup\u003e\n* In-cluster/Out-of-cluster use\n* Easy set up, simple usage, well documented\n* Support variables\n\n_\u003csup\u003e1\u003c/sup\u003eDron8s uses [client-go@v0.19.2](https://github.com/kubernetes/client-go/tree/v0.19.2). While most common Kubernetes APIs will work with your cluster's version, some features will not. For more information check the [compatibility matrix](https://github.com/kubernetes/client-go#compatibility-matrix)._\n\n# [in-cluster](https://github.com/kubernetes/client-go/tree/master/examples/in-cluster-client-configuration) use\n\nIn-cluster use is intended to work only alongside [Kubernetes Runner](https://docs.drone.io/runner/kubernetes/overview/) with in-cluster deployment scope. That is, your pipelines can only `apply` resources within the cluster that Kubernetes Runner is running in.\n\n## Prerequisites \nYou need to manually create a `clusterrolebinding` resource [to allow cluster edit access](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for Drone.\n\nAssuming you installed Drone/Kubernetes Runner using [Drone provided Helm charts](https://github.com/drone/charts/tree/master/charts) run:\n```bash\n$ kubectl create clusterrolebinding dron8s --clusterrole=edit --serviceaccount=drone:default --namespace=drone\n```\n_If you opted for manual installation you have to replace the `--serviceaccount` and/or `--namespace` flag with the correct service/namespace name you used (i.e. 
`--serviceaccount=drone-ci:default --namespace=default`)._\n\n\n### In-cluster Pipe Example \n\n```yaml\nkind: pipeline\ntype: kubernetes\nname: dron8s-in-cluster-example\n\nsteps:\n- name: dron8s\n  image: ghcr.io/bh90210/dron8s:latest\n  settings:\n    yaml: ./config.yaml\n```\n\n### In-cluster Pipe Example With Variables\n\n_For a full example see the [examples](https://github.com/bh90210/dron8s/tree/main/examples) folder._\n\n```yaml\nkind: pipeline\ntype: kubernetes\nname: dron8s-in-cluster-example\n\nsteps:\n- name: dron8s\n  image: ghcr.io/bh90210/dron8s:latest\n  settings:\n    yaml: ./config.yaml\n    # variables. Must be lowercase, Usage: {{.service_name}}\n    service_name: myservice\n```\nAnd in your config:\n```yaml\napiVersion: v1\nkind: Service\nmetadata:\n  name: {{.service_name}}\nspec:\n...\n```\n\n## Uninstall\n\nYou need to manually delete the `clusterrolebinding` created as a prerequisite. Run:\n\n```bash\n$ kubectl delete clusterrolebinding dron8s --namespace=drone\n```\n\n# [out-of-cluster](https://github.com/kubernetes/client-go/tree/master/examples/out-of-cluster-client-configuration) use\n\nFor out-of-cluster use you can choose whichever [runner](https://docs.drone.io/runner/overview/) you prefer, but you need to provide your cluster's `kubeconfig` via a secret.\n\n## Prerequisites \nCreate a secret with the contents of kubeconfig.\n\n_NOTE: You can always use Vault or AWS Secrets etc. But for this example I only show [Per Repository](https://docs.drone.io/secret/repository/), [Kubernetes Secrets](https://docs.drone.io/secret/external/kubernetes/) \u0026 [Encrypted](https://docs.drone.io/secret/encrypted/)._\n\n## **1. 
Per Repository Secrets (GUI)**\n\nCopy the contents of your `~/.kube/config` in Drone's Secret Value field and name the secret `kubeconfig`:\n\n![Imgur](https://imgur.com/Cx9h3Xx.jpg)\n\n### Per Repository Secrets - Docker Runner Pipe Example\n\n```yaml\nkind: pipeline\ntype: docker\nname: dron8s-out-of-cluster-example\n\nsteps:\n- name: dron8s\n  image: ghcr.io/bh90210/dron8s:latest\n  settings:\n    yaml: ./config.yaml\n    kubeconfig:\n        from_secret: kubeconfig\n```\n## Uninstall\n\nDelete the `secret` containing kubeconfig.\n\n![Imgur](https://imgur.com/nyxIlxY.jpg)\n\n## **2. Kubernetes Secrets (Kubectl)**\n\n_In order to use this type of secret you have to install `Kubernetes Secrets` [Helm Chart](https://github.com/drone/charts/tree/master/charts/drone-kubernetes-secrets).\nFurthermore the assumption is that you use `Kubernetes Runner` with out-of-cluster scope. \nThat is a scenario where your CI/CD exists in cluster **a** and you apply configurations in cluster **b**. For in-cluster usage you do not need `Kubernetes Secrets` or secrets at all. See \u003ca href=\"#in-cluster-use\"\u003ein-cluster use\u003c/a\u003e._\n\nBefore using Kubernetes Secrets in your pipeline you first need to manually create your secrets via `kubectl`. In this case you need to create a secret out of `~/.kube/config`. 
Run:\n\n```bash\n$ kubectl create secret generic dron8s --from-file=kubeconfig=$HOME/.kube/config\n```\n_Note that if you opted for a different namespace than the default when you installed the `drone-kubernetes-secret` chart (`secretNamespace` \u0026 `KUBERNETES_NAMESPACE`), you also need to pass the appropriate `--namespace` flag to the above command._\n### Kubernetes Secrets - Kubernetes Runner Pipe Example\n\n```yaml\nkind: pipeline\ntype: kubernetes\nname: dron8s-out-of-cluster-example\n\nsteps:\n- name: dron8s\n  image: ghcr.io/bh90210/dron8s:latest\n  settings:\n    yaml: ./config.yaml\n    kubeconfig:\n        from_secret: kubeconfig\n---\nkind: secret\nname: kubeconfig\nget:\n  path: dron8s\n  name: kubeconfig\n```\n\n## Uninstall\n\nDelete the `secret` containing kubeconfig. Run:\n\n```bash\n$ kubectl delete secret dron8s\n```\n\n## **3. Encrypted (Drone CLI)**\n\nIn order to use this method you need to have Drone CLI [installed](https://docs.drone.io/cli/install/) and [configured](https://docs.drone.io/cli/configure/) on your machine.\n\nTo generate the secret run:\n```bash\n$ drone encrypt user/repository @$HOME/.kube/config\n```\nwhere `user` is your real username and `repository` the name of the repository that you are creating the secret for.\n\nCopy the output of your terminal to the `data` field inside the kubeconfig secret.\n\n### Encrypted Secret - Exec Runner Pipe Example\n\n```yaml\nkind: pipeline\ntype: exec\nname: dron8s-out-of-cluster-example\n\nplatform:\n  os: linux\n  arch: amd64\n\nsteps:\n- name: dron8s\n  image: ghcr.io/bh90210/dron8s:latest\n  settings:\n    yaml: ./config.yaml\n    kubeconfig:\n        from_secret: kubeconfig\n---\nkind: secret\nname: kubeconfig\ndata: ZGDJTGfiy5vzdvvZWRSEdIRlloamRmaW9saGJkc0vsVSDVs[...]\n```\n\n# Field Manager\n\n[When transferring ownership for `server-side-apply`](https://kubernetes.io/docs/reference/using-api/server-side-apply/#transferring-ownership) you will need to know the field manager of Dron8s ([as described 
on the relevant issue](https://github.com/bh90210/dron8s/issues/24)).\n\nThe field manager is `dron8s-plugin` and can be found in the [source code](https://github.com/bh90210/dron8s/blob/03fc616ea0bc8a612ee3ae1b95f9c4c2a385ffa2/main.go#L155) too.\n\n# Known issues (and workarounds)\n\n* If your resource contains `ports:` without specifically declaring `protocol: TCP`/`protocol: UDP` [you will probably get](https://github.com/bh90210/dron8s/issues/5) a similar error:\n```log\nfailed to create typed patch object: .spec.template.spec.containers[name=].ports: element 0: associative list with keys has an element that omits key field \"protocol\"\n```\nThe workaround is to simply define a protocol like so where applicable: \n```yaml\n        ports:\n          - protocol: TCP\n            containerPort: 80\n```\nIf it is not possible to alter the resource then maybe consider upgrading to Kubernetes v.0.20.0 where this bug is [hopefully resolved](https://github.com/kubernetes-sigs/structured-merge-diff/issues/130#issuecomment-706488157).\n\n# Developing\n\nYou need to have [Go](https://golang.org/doc/install) and [Docker](https://docs.docker.com/get-docker/) installed on your system.\n\nIf you wish you may clone the repo and directly edit `.drone.yaml` as everything you need for the build is right there.\n\nOtherwise:\n\n```bash\n$ git clone github.com/bh90210/dron8s\n$ docker build -t {yourusername}/dron8s .\n$ docker push {yourusername}/dron8s\n```\nTo use your own repo inside Drone pipelines just change the `image` field to `{yourusername}/dron8s`\n```yaml\nkind: pipeline\ntype: docker\nname: default\n\nsteps:\n- name: dron8s\n  image: {yourusername}/dron8s\n  settings:\n    yaml: ./config.yaml\n```\n_Replace `{yourusername}` with your actual Docker Hub (or other registry) username._\n\n_For more information see Drone's [Go Plugin Documentation](https://docs.drone.io/plugins/tutorials/golang/)._\n\n# Contributing \n\nAny code improvements, updates, documentation 
spelling corrections etc are _always_ very welcome.\n\nIt is a very simple project so just clone the master branch, edit it and open a PR.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbh90210%2Fdron8s","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbh90210%2Fdron8s","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbh90210%2Fdron8s/lists"}