Can drone/drone image support _FILE for env var secrets

Hey,

Firstly, thanks for the wonderful software!

I am using Docker Swarm to deploy Drone. Swarm forces users to inject secrets as files on the file system, into /run/secrets/mycoolsecret, for example, and then some image publishers support a _FILE postfix for their environment variables so as to support Swarm users.

See how Mariadb handles this:

docs/mariadb/README.md at master · docker-library/docs · GitHub

So, concretely, for Drone, I’d like to see the following available:

  • DRONE_GITEA_CLIENT_SECRET and DRONE_GITEA_CLIENT_SECRET_FILE
  • DRONE_RPC_SECRET and DRONE_RPC_SECRET_FILE

So that I can do something like:

  drone:
    image: "drone/drone:1.8.0"
    volumes:
      - "data:/data"
    environment:
      - DRONE_GITEA_CLIENT_SECRET_FILE=/run/secrets/gitea_client_secret
    # the Swarm secret must also be granted to the service, or /run/secrets is empty
    secrets:
      - gitea_client_secret

I’ve raised this issue also recently for the invoiceninja image:

Support `_FILE` env vars for secret configuration · Issue #149 · invoiceninja/dockerfiles · GitHub

Best,

Luke

You can store secrets in a file and load using the method described here:


also, some more background, we use a library to read environment files into Go structures. I formally requested them to support the _FILE convention however they did not seem interested. It would certainly help if people voted on / commented on the issue to try and convince them:


Thanks! Commented on the issue :+1:

Hi,

may I ask for some update on this issue? The linked solutions by @bradrydzewski seem outdated (404).

What’s the current recommended way to use Docker secrets instead of hardcoded (unsafe) tokens in a docker-compose file to run Drone?

My Docker secrets are working fine, but I can’t find a way to start Drone using them, only complicated workarounds with custom container entry scripts to manually read Docker secrets and then manually create the required ENV vars.

Am I right that it’s something still not officially implemented by Drone? Should I open a Feature Request? I don’t want to store my tokens in a file on my VPS.

I thought it’s simple as:

    secrets:
      - drone_gh_client_id
      - drone_gh_client_secret
      - drone_rpc_secret
    environment:
      DRONE_GITHUB_CLIENT_ID: /run/secrets/drone_gh_client_id
      DRONE_GITHUB_CLIENT_SECRET: /run/secrets/drone_gh_client_secret
      DRONE_RPC_SECRET: /run/secrets/drone_rpc_secret

Thank you!
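The entrypoint-script workaround mentioned in the last post, written out as an added example (not code from the drone/drone image or from anyone in this thread): it implements the same _FILE convention the MariaDB image uses, so DRONE_RPC_SECRET_FILE=/run/secrets/... is read into DRONE_RPC_SECRET before the server starts. The server binary path /bin/drone-server and the function names are assumptions.

```shell
#!/bin/sh
# Wrapper entrypoint for the drone/drone image implementing the *_FILE convention.
set -eu

# file_env VAR [DEFAULT]
# If VAR_FILE is set, load VAR from that file (e.g. a Swarm secret under /run/secrets).
# Setting both VAR and VAR_FILE is rejected so a stray plaintext value can't silently win.
file_env() {
    var="$1"
    default="${2:-}"
    # Only accept a plain identifier; the name is spliced into eval below.
    case "$var" in
        ""|*[!A-Za-z0-9_]*) echo "file_env: bad variable name '$var'" >&2; return 1 ;;
    esac
    file_var="${var}_FILE"
    val="$(eval "printf '%s' \"\${$var:-}\"")"
    file="$(eval "printf '%s' \"\${$file_var:-}\"")"
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set (use exactly one)" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: $file_var points to an unreadable file: $file" >&2
            return 1
        fi
        # Command substitution strips trailing newlines, which secret stores often append.
        val="$(cat "$file")"
    elif [ -z "$val" ]; then
        val="$default"
    fi
    export "$var=$val"
    # Drop the path variable so the secret's location isn't exposed to the process tree.
    unset "$file_var"
}

# Resolve the secrets this thread asks about, then hand off to the server (assumed path).
drone_entrypoint() {
    for v in DRONE_RPC_SECRET DRONE_GITEA_CLIENT_SECRET \
             DRONE_GITHUB_CLIENT_ID DRONE_GITHUB_CLIENT_SECRET; do
        file_env "$v"
    done
    exec /bin/drone-server "$@"
}
```

Build an image FROM drone/drone that copies this script in and sets it as ENTRYPOINT, ending with a call to drone_entrypoint "$@"; the compose file then lists the secret under secrets: and sets only the _FILE variable.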