[plugins/github-release] ca certificates with GHE

cb80 · March 5, 2020, 9:59am

In case anyone needs it. I got this error trying to publish to GHE:

time="2020-03-05T09:21:16Z" level=fatal msg="Failed to create the release. Failed to retrieve or create a release: Failed to create release: Post https://<ghe>/repos/<org>/<repo>/releases: x509: certificate signed by unknown authority"

I build my own docker image as follows:

FROM alpine:latest as pre
COPY <certfiles> /usr/local/share/ca-certificates/
RUN apk update && apk add ca-certificates
FROM plugins/github-release
COPY <certfiles> /usr/local/share/ca-certificates/
COPY --from=pre /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

This I am using in the pipeline as follows:

- name: publish
  image: myregistry/droneplugins/github-release
  settings:
    files: awesomefile
    api_key:
      from_secret: github_token
    base_url: https://api.<ghe>/
    upload_url: https://uploads.<ghe>/
  when:
    event: tag

Please let me know if there is a better way.

bradrydzewski · March 5, 2020, 4:44pm

I recommend using the DRONE_RUNNER_VOLUMES variable to bind mount certificates stored on the host into all pipeline containers. This eliminates the need to create custom images.

DRONE_RUNNER_VOLUMES=<certfiles>:/usr/local/share/ca-certificates/,<certfolder>:/etc/ssl/certs/

cb80 · March 6, 2020, 2:14pm

This is implemented for the docker [1] but not for the kube runner [2]. I should have said that I am talking about kubernetes. Any chance to get this into the kube runner?

[1]: https://github.com/drone-runners/drone-runner-docker/blob/master/command/daemon/config.go#L44-L57
[2]: https://github.com/drone-runners/drone-runner-kube/blob/master/command/daemon/config.go#L47-L56

bradrydzewski · March 6, 2020, 11:51pm

Sure, it is something that we can add to our backlog or accept a pull request for, should someone want to expedite the feature.

cb80 · March 10, 2020, 7:22am

I looked into the code and so far came up with the following: https://github.com/cb80/drone-runner-kube/compare/master..volumesFromEnv. It’s not fully tested and I can’t work on it the next days. But I wanted to let you know. The main issue I had was with read-write vs. read-only. I did not manage to get the source:target:ro pattern from the docker runner to work. The envconfig from Kelsey does not allow that. I am not sure if that is still working in the docker runner. So I came up with DRONE_RUNNER_VOLUMES and DRONE_RUNNER_RO_VOLUMES. I am using the charts where it could look like this:

DRONE_RUNNER_VOLUMES: /opt:/opt,/foo:/bar
DRONE_RUNNER_RO_VOLUMES: /etc/ssl/certs:/etc/ssl/certs

Do let me know your thoughts on it.

bradrydzewski · March 10, 2020, 5:16pm

there is an open pull request that is a pre-requisite for supporting :ro at https://github.com/kelseyhightower/envconfig/pull/133

cb80 · March 17, 2020, 10:41am

I finished my tests and created https://github.com/drone-runners/drone-runner-kube/pull/24.

cb80 · March 17, 2020, 9:03pm

By the way … the volume is not getting mounted when the mount point is a link. I stumbled over this with a SLES image [1] where /etc/ssl/certs is a link to /var/lib/ca-certificates/pem. The helm chart of the drone-runner-kube is configured with DRONE_RUNNER_VOLUMES: /etc/ssl/certs:/etc/ssl/certs. As I anyhow use a derived docker image from the SLES image, my workaround in the Dockerfile of the derived image is to remove the link and copy /var/lib/ca-certificates/pem to /etc/ssl/certs. Not ideal but it solves it.

1: registry.opensuse.org/suse/templates/images/sle-15-sp1/base/images/suse/sle15:15.1