Can drone/drone image support _FILE for env var secrets

decentral1se · June 18, 2020, 2:08pm

Hey,

Firstly, thanks for the wonderful software!

I am using Docker Swarm to deploy Drone. Swarm forces users to inject secrets as files on the file system, into /run/secrets/mycoolsecret, for example, and then some images publishers support a _FILE postfix for their environment variables so as to support Swarm users.

See how Mariadb handles this:

https://github.com/docker-library/docs/blob/master/mariadb/README.md#docker-secrets

So, concretely, for Drone, I’d like to see the following available:

DRONE_GITEA_CLIENT_SECRET -> DRONE_GITEA_CLIENT_SECRET_FILE
DRONE_RPC_SECRET -> DRONE_RPC_SECRET_FILE

So that I can do something like:

  drone:
    image: "drone/drone:1.8.0"
  volumes:
    - "data:/data"
  environment:
    - DRONE_GITEA_CLIENT_SECRET_FILE: /run/secrets/gitea_client_secret

I’ve raised this issue also recently for the invoiceninja image:

https://github.com/invoiceninja/dockerfiles/issues/149

Best,

Luke

bradrydzewski · June 18, 2020, 2:41pm

You can store secrets in a file and load using the method described here:

bradrydzewski · June 18, 2020, 2:43pm

also, some more background, we use a library to read environment files into Go structures. I formally requested them to support the _FILE convention however they did not seem interested. It would certainly help if people voted on / commented on the issue to try and convince them:

decentral1se · June 18, 2020, 4:09pm

Thanks! Commented on the issue

coderars · February 7, 2022, 9:16am

Hi,

may I ask for some update on this issue? The linked solutions by @bradrydzewski seem outdated (404).

What’s the current recommended way to use Docker secrets instead of hardcoded (unsafe) tokens in a docker-compose file to run Drone?

My Docker secrets are working fine, but I can’t find a way to start Drone using them, only complicated workarounds with custom container entry scripts to manually read Docker secrets and then manually create the required ENV vars.

Am I right that it’s something still not officially implemented by Drone? Should I open a Feature Request? I don’t want to store my tokens in a file on my VPS.

I thought it’s simple as:

    secrets:
      - drone_gh_client_id
      - drone_gh_client_secret
      - drone_rpc_secret
    environment:
      DRONE_GITHUB_CLIENT_ID: /run/secrets/drone_gh_client_id
      DRONE_GITHUB_CLIENT_SECRET: /run/secrets/drone_gh_client_secret
      DRONE_RPC_SECRET: /run/secrets/drone_rpc_secret

Thank you!