Inject secrets via kontena vault and drone PLUGIN_PARAMS - doesn't work

Dear Community,

I am trying to inject a kontena token (to deploy the latest build) via kontena vault and drone PLUGIN_PARAMS, but it seems that drone doesn’t care about the variable PLUGIN_PARAMS set as an environment variable. Is that right? Or can I pass PLUGIN_PARAMS to drone inside the docker container?

More information:

Install drone on kontena.io: https://github.com/kontena/examples/tree/master/drone/0.5
-> I changed / added the following:

  - secret: DRONE_PLUGIN_PARAMS
    name: PLUGIN_PARAMS
    type: env

DRONE_PLUGIN_PARAMS is set to “KONTENA_TOKEN=ABC…XYZ” in kontena vault.

.drone.yml looks like:

environment:
  - KONTENA_URL=https://IP-ADRESSE
  - KONTENA_GRID=testing
  - KONTENA_TOKEN=$$KONTENA_TOKEN

but in the drone log I see: “KONTENA_TOKEN=$$KONTENA_TOKEN” . hmmm???

Well PLUGIN_PARAMS is not mentioned here: http://readme.drone.io/0.5/install/server-configuration/ - so maybe it is impossible?

Another question: is it possible to get into the drone container to verify the environment variables? I tried it with docker exec -it XYZ bash and sh, but without success.

Ciao … Iver

Drone 0.5 no longer interpolates secrets in the .drone.yml file, that means that this will not work:

environment:
  - KONTENA_TOKEN=$$KONTENA_TOKEN

The solution is quite simple however; secrets are available to all allowed plugin containers as environment variables. This means that your KONTENA_TOKEN environment variable will already be available if you add it as a secret.
I’ve never heard of PLUGIN_PARAMS. But this will work: instead of adding PLUGIN_PARAMS as secret, add KONTENA_TOKEN instead.

In short, run:

drone secret add --image some/plugin your/project KONTENA_TOKEN ABC...XYZ

Then use this as .drone.yml:

environment:
  - KONTENA_URL="https://IP-ADDRESSE"
  - KONTENA_GRID=testing

As for your other question, I’m not quite sure what you mean by “verify”.
If you want to see what environment variables are injected into your container, you can try dumping all the environment vars:

pipeline:
  some-step:
    image: your/plugin
    commands:
      - env

I hope this helps.
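
A variant of the `env` dump above that keeps secret values out of the build log, as an added example that is not part of the original reply: it reports only whether each expected variable is missing, empty, still a literal `$$` placeholder, or set. The function names and the leading-`$` heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of expected
# variables without ever printing their values.
# Hypothetical use in a pipeline step, with this file committed as
# check-secrets.sh:
#   . ./check-secrets.sh && check_secrets KONTENA_URL KONTENA_GRID KONTENA_TOKEN

# classify_var NAME -> prints missing | empty | uninterpolated | set
classify_var() {
    name=$1
    # Accept only valid variable names, because the name is passed to eval.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo invalid-name; return 2 ;;
    esac
    # ${NAME+x} expands to "x" only when NAME is set (even if empty).
    if ! eval "[ \"\${$name+x}\" = x ]"; then
        echo missing
        return 1
    fi
    eval "value=\${$name}"
    case $value in
        '')   echo empty; return 1 ;;
        # Heuristic (assumption): a value that starts with "$" is a
        # placeholder that was never substituted, e.g. $$KONTENA_TOKEN.
        '$'*) echo uninterpolated; return 1 ;;
        *)    echo set; return 0 ;;
    esac
}

# check_secrets NAME... -> one "NAME: state" line per variable;
# returns non-zero if any variable is not in the "set" state.
check_secrets() {
    rc=0
    for n in "$@"; do
        state=$(classify_var "$n") || rc=1
        printf '%s: %s\n' "$n" "$state"
    done
    return $rc
}
```

Because `check_secrets` returns non-zero when anything is missing or unsubstituted, the step fails before the deploy runs with a broken token.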

For PLUGIN_PARAMS see: http://readme.drone.io/usage/secrets/#global-secrets:0d943d142dc6bcdd2e544b095a49f72b

Thanks for the information, I'll just try it and come back. 🙂

Hmmm,

I just added a secret via “drone secret add …” and then ran “drone sign organisation/project”, but I still get a “WARNING: unable to verify the Yaml signature.”

I tried to re-generate .drone.yml.sig, but git doesn’t recognize changes. Hmm??

Any hints?

What version of drone are you using? I thought it was 0.5, but you linked to the docs for 0.4.

I use drone server 0.5. But I made a mistake and used drone-cli 0.4. Now I have upgraded to 0.5, the error message is gone and everything works well.

THANK YOU for your helpful information !!!

Ciao … Iver