Drone docker plugin unable to pull secrets if configured in certain way

krishsur · August 28, 2018, 3:27pm

I was trying to trigger drone job to build docker image for one of my projects, the end result of that drone job is to build the latest version of the docker image and push that image to the private docker hub, we have defined drone secrets for the docker hub credentials and additional application specific secrets(by environments, stage/prod) that are required during the build. The issue is when I define the drone job in .drone.yml with the configuration to pull those secrets, with source and target variables and some secrets without that combination in a certain way in drone.yml , build is broken that the drone server is unable to pull the secrets, currently, I am using drone 0.6 version, but the latest version of docker plugin. Here is the snippet of the drone job, if defined in such a way failed to pull the secrets docker_username and docker_password from drone server

publish-prod-grafana-image:
secrets: [ docker_username, docker_password ] . <-----
secrets:
- { source: gfa_grafana_prod_pg_password, target: gfa_grafana_pg_password } <----
secrets: [ gfa_grafana_client_id, gfa_grafana_client_password ]
build_args_from_env: [ gfa_grafana_pg_password, gfa_grafana_client_id, gfa_grafana_client_password ]
image: plugins/docker:latest
when:
event: tag
ref: refs/tags/prod-grafana*
tag: ${DRONE_TAG}
environment:
- DOCKER_LAUNCH_DEBUG=true
context: grafana/
dockerfile: grafana/Dockerfile
registry: docker..com/gfaplat
repo: docker..com/gfaplat/prod-grafana

If defined this way it works, i.e. define the secrets with source and target section first in the sequence and the rest of the secrets config followed, it appears weird

publish-prod-grafana-image:
secrets:
- { source: gfa_grafana_prod_pg_password, target: gfa_grafana_pg_password } . <-----
secrets: [ docker_username, docker_password ] . <-----
secrets: [ gfa_grafana_client_id, gfa_grafana_client_password ]
build_args_from_env: [ gfa_grafana_pg_password, gfa_grafana_client_id, gfa_grafana_client_password ]
image: plugins/docker:latest
when:
event: tag
ref: refs/tags/prod-grafana*
tag: ${DRONE_TAG}
environment:
- DOCKER_LAUNCH_DEBUG=true
context: grafana/
dockerfile: grafana/Dockerfile
registry: docker..com/gfaplat
repo: docker..com/gfaplat/prod-grafana

Not sure if there is any issues/bug , so checking with the community

bradrydzewski · August 28, 2018, 3:30pm

I think the issue, if I understand correctly, is that you have the secrets block defined multiple times, which is not valid syntax, and essentially is overwriting previous values. You should only define the secret block once.

secrets:
- source: gfa_grafana_prod_pg_password
  target: gfa_grafana_pg_password
- source: docker_username
  target: docker_username
- source: docker_password
  target: docker_password
- source: gfa_grafana_client_id
  target: gfa_grafana_client_id
- source: gfa_grafana_client_password
  target: gfa_grafana_client_password

krishsur · August 28, 2018, 3:37pm

Thanks for the response. hmm… ok but if organized in the way I documented the build proceeds without any issue and the secrets are not overwritten, just checking, but the point noted regarding the valid syntax

bradrydzewski · August 28, 2018, 5:13pm

the yaml file is a map of type map[string]interface{}. So when you put the secrets section in the yaml multiple time, you are essentially overwriting the item in the map each time, thus negating previous entries.

krishsur · August 28, 2018, 5:48pm

Thanks Brady for the clarifications