
Load drone server settings from file #2223

Closed
marcbachmann opened this issue Sep 16, 2017 · 10 comments

@marcbachmann

marcbachmann commented Sep 16, 2017

Currently the only way to pass secrets to drone is to use environment variables.
When you run drone in docker, this forces you to define them in a config file, which is basically visible to everybody who has access to the orchestration platform drone runs on.

Within the last year Docker and Kubernetes improved the configuration management of secrets and implemented a similar solution to use them inside containers/pods.
When you define a secret in a service resource file, that secret is then mounted into the container as a file you can use in your application.

To improve the security, Drone should provide an option to read such a file instead of using environment variables. It's common in docker that you point to such a secret file using an environment variable postfixed with _FILE.

The variables that are affected by such a change are the following ones:

DRONE_AGENT_SECRET > DRONE_AGENT_SECRET_FILE
DRONE_GITHUB_SECRET > DRONE_GITHUB_SECRET_FILE
DRONE_BITBUCKET_SECRET > DRONE_BITBUCKET_SECRET_FILE
DRONE_GITLAB_SECRET > DRONE_GITLAB_SECRET_FILE
DRONE_CODING_SECRET > DRONE_CODING_SECRET_FILE
DRONE_DATABASE_DATASOURCE > DRONE_DATABASE_DATASOURCE_FILE

Here are also some references to read about that docker/kubernetes feature.
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
https://docs.docker.com/engine/swarm/secrets/#how-docker-manages-secrets
http://rancher.com/docs/rancher/v1.4/en/cattle/secrets/#docker-hub-images

I'm sorry if this issue is a duplicate. I couldn't find any issue that discussed that topic.
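As an added example (not Drone's code and not from the issue), here is how the _FILE convention proposed above can be resolved in Go: the file named by NAME_FILE is preferred, a trailing newline is stripped, and setting both NAME and NAME_FILE is rejected so one cannot silently shadow the other. The variable list is taken from the issue; ResolveSetting is a hypothetical function name.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Drone server settings from the issue that should accept a _FILE companion
// variable pointing at a Docker/Kubernetes mounted secret.
var secretVars = []string{
	"DRONE_AGENT_SECRET",
	"DRONE_GITHUB_SECRET",
	"DRONE_BITBUCKET_SECRET",
	"DRONE_GITLAB_SECRET",
	"DRONE_CODING_SECRET",
	"DRONE_DATABASE_DATASOURCE",
}

// ResolveSetting returns the value for name, reading it from the file named
// by name+"_FILE" when that variable is set and from the plain variable
// otherwise. Having both set is an error (hypothetical helper, not Drone's).
func ResolveSetting(name string) (string, error) {
	path, hasFile := os.LookupEnv(name + "_FILE")
	val, hasEnv := os.LookupEnv(name)
	switch {
	case hasFile && hasEnv:
		return "", fmt.Errorf("%s and %s_FILE are both set; use only one", name, name)
	case hasFile:
		data, err := os.ReadFile(path)
		if err != nil {
			return "", fmt.Errorf("reading %s_FILE: %w", name, err)
		}
		// Mounted secrets often end with a newline that is not part of the credential.
		return strings.TrimRight(string(data), "\r\n"), nil
	case hasEnv:
		return val, nil
	}
	return "", nil // unset; the caller decides whether the setting is required
}

func main() {
	// Report which settings resolved, without ever printing their values.
	for _, name := range secretVars {
		v, err := ResolveSetting(name)
		fmt.Printf("%-28s set=%t err=%v\n", name, v != "", err)
	}
}
```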

@gtaylor

gtaylor commented Sep 16, 2017

When you define a secret in a service resource file, that secret is then mounted into the container as a file you can use in your application.

FWIW, you can mount a Kubernetes Secret as an env var without its value being visible to everyone. If that is your only concern, no change in Drone is needed.

@bradrydzewski

bradrydzewski commented Sep 16, 2017

@marcbachmann I issued a pull request to the library we use to read configuration parameters to optionally source values from file. The pull request has stalled and unfortunately I haven't had time to push it across the finish line.

I would LOVE for someone to pick this up and push it though. Relevant issue urfave/cli#613 and pull request urfave/cli#614

@so0k

so0k commented Sep 24, 2017

today - wouldn't it be up to drone to use the altsrc package, as described here - https://github.com/urfave/cli#values-from-alternate-input-sources-yaml-toml-and-others ?

@bradrydzewski

actually, drone does support loading variables from a .env file in the working directory. So you could mount a .env file into the container at /.env and drone would read parameters from this file.

@gesellix

With urfave/cli#675 being merged, I would love to see secrets in files being implemented in Drone. I'd also be willing to pick this up and submit a PR, but I'd probably need some code pointers where to find the relevant places I'd have to change.

@mjpvandenberg

@bradrydzewski could you expand on that please? How do I get the variables defined in a .env file to be available as environment variables during the pipeline run?

@bradrydzewski

@mjpvandenberg this issue is about loading drone server settings (eg your github client id and secret and database credentials). It is not for loading pipeline secrets. If you want to load pipeline secrets from a file, and propagate to your build, you want to use the global secrets file http://docs.drone.io/setup-global-secrets/

bradrydzewski changed the title from "Load drone server secrets from file" to "Load drone server settings from file" on Jan 30, 2018
@mjpvandenberg

That seems to be Enterprise Edition-only. For non-EE, I found a workable solution is to mount a volume with a .sh file with a bunch of export statements and then, in the first task in the pipeline step, . that file.

@tboerger

@mjpvandenberg or, if you are using it for a company, just buy the enterprise license and support the drone development.

@bradrydzewski

you can now use docker run drone/drone --env-file /run/secrets/drone.conf to load an environment file, which should work with docker secrets.
