Clone fails with SSL verification failure after 0.9+ upgrade

Hi,

I recently updated from 0.8 to 0.9.0 and now to 1.0.0-rc.1. Since 0.9, cloning Git repositories via HTTPS with certificates signed by a private CA fails.

Neither skip_verify nor mounting a custom CA file (the preferred solution) works.

.drone.yml (NOT working)

kind: pipeline
name: default

clone:
  git:
    image: plugins/git
    depth: 10
    skip_verify: true

steps:
[...]

Agent environment:

DRONE_RUNNER_VOLUMES=/my/custom/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt

Clone step always fails with:

Initialized empty Git repository in /drone/src/.git/
+ git fetch --depth=10 origin +refs/heads/develop:
fatal: unable to access 'https://git.example.com/org/repo.git/': SSL certificate problem: unable to get local issuer certificate

Using the legacy syntax works:

.drone.yml (working)

clone:
  git:
    image: plugins/git
    depth: 10
    skip_verify: true

pipeline:
[...]

However, due to the migration of Matrix builds, it obviously has to be migrated for most projects.

The Git server is running Gitea with GITEA_SKIP_VERIFY=false, which works fine when mounting the CA file mentioned above on the server node:

  drone-server:
    volumes:
      - /my/custom/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
    [...]

Do I need to make anything different when using v1.0 here?

Regards,
Stefan

The default clone plugin has changed, as well as the syntax. You need to disable the default clone syntax and then configure your own custom clone step:

kind: pipeline

clone:
  disable: true

steps:
- name: custom_clone
  image: plugins/git
  settings:
    depth: 10
    skip_verify: true

For more details see: https://docs.drone.io/config/pipeline/cloning/#custom-logic

Thanks very much for the quick reply. Custom clone step works for me.

However, I wonder if there is still a way to provide a custom CA certificate for the new clone plugin?

Something like passing the server's/agent's CA bundle to the clone plugin or applying DOCKER_RUNNER_VOLUMES would be sufficient here. skip_verify surely does the job, but with a private CA I'd appreciate the certificate being verified.

PS: Just noticed that the DRONE_RUNNER_VOLUMES line (as mentioned in the first post) does not seem to have the desired effect, at least not for the custom_clone stage… Manually running plugins/git with the mounted CA file works; in Drone it doesn't (without skip_verify).
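One way to get the private CA into the custom clone step without skip_verify, as an added example that is not part of the thread or of Drone's own documentation: mount the agent host's CA bundle into the step with a named host volume in the 1.0 pipeline syntax instead of relying on the agent-wide DRONE_RUNNER_VOLUMES. The two file paths are the ones from the first post; the volume name `ca-bundle` is arbitrary. Host volumes are only honoured for repositories marked Trusted in the Drone repository settings, so that flag has to be set by an administrator first, and the mounted file overlays the bundle that git/libcurl inside the Alpine-based plugins/git image already reads.

```yaml
kind: pipeline
name: default

# Added example: disable the built-in clone and run plugins/git ourselves,
# mounting the host's CA bundle over the one shipped in the image.
# Paths are the ones from the first post; "ca-bundle" is an arbitrary name.
clone:
  disable: true

steps:
- name: clone
  image: plugins/git
  settings:
    depth: 10
    # skip_verify deliberately left at its default (false): the bundle below
    # has to make the private CA trusted, otherwise the step fails as before.
  volumes:
  - name: ca-bundle
    path: /etc/ssl/certs/ca-certificates.crt

volumes:
- name: ca-bundle
  host:
    path: /my/custom/ca-certificates.crt
```

If the repository cannot be marked Trusted, the alternative is to build a derived image from plugins/git that has the private CA appended to its bundle and reference that image in the clone step instead.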

I am not able to reproduce any issues with DRONE_RUNNER_VOLUMES.

I added this to my agent config:

DRONE_RUNNER_VOLUMES=/tmp/drone:/tmp/drone

I ran these commands on the agent host machine:

mkdir -p /tmp/drone
touch /tmp/drone/foo.txt

I am using this yaml:

kind: pipeline
name: default

steps:
- name: test
  image: alpine
  commands:
  - ls -la /tmp/drone

And it printed the results as expected:

+ ls -la /tmp/drone
total 4
drwxr-xr-x    3 root     root           102 Nov 11 20:35 .
drwxrwxrwt    3 root     root          4096 Nov 11 20:36 ..
-rw-r--r--    1 root     root             0 Nov 11 20:35 foo.txt

I therefore cannot confirm any issues with mounted volumes at this time. In my testing they seem to be working as expected, when properly configured.

Interesting… I tried again.

This direct call does work:

# docker run --rm \
     -v /my/custom/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt \
     -e DRONE_REMOTE_URL=https://git.example.com/org/repo.git \
     -e DRONE_COMMIT_SHA=0123456789abcdef01234567896abcdef0123456 \
     plugins/git

+ git init
Initialized empty Git repository in /.git/
+ git remote add origin https://git.example.com/org/repo.git
+ git fetch --no-tags origin +refs/heads/master:
From https://git.example.com/org/repo
 * branch            master     -> FETCH_HEAD
 * [new branch]      master     -> origin/master
+ git reset --hard -q 0123456789abcdef01234567896abcdef0123456
+ git submodule update --init --recursive

Drone with this agent variable (I double-checked that the config is really active; it raises exceptions on the agent when invalid paths are given)

DRONE_RUNNER_VOLUMES=/my/custom/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt,/tmp/drone/cache:/cache

and this .drone.yml

kind: pipeline

clone:
  disable: true

steps:
- name: clone
  image: plugins/git
  settings:
    depth: 10

fails with an SSL exception.

Pulled the latest 1.0.0-rc.1 images for Drone server/agent about 10 minutes ago. Platform is Debian Linux, Kernel 4.9, amd64, Docker CE 18.09.0~3.
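Before blaming the volume mount, it is worth confirming that the bundle itself makes the Git host's issuer trusted, independently of Drone. The script below is an added example, not something from the thread: it builds a throwaway private CA and a leaf certificate for `git.example.com` (constructed stand-ins, no real material), then runs the same chain check git/libcurl performs, once against a bundle that lacks the private CA (reproducing "unable to get local issuer certificate") and once against a bundle that contains it. It assumes only the `openssl` CLI. Run the `verify_with_bundle` check against the real bundle and the server's certificate (for example exported with `openssl s_client -showcerts`) on the agent host and again inside a container with the volume mounted; if it passes on the host but the clone step still fails, the mount is the problem, not the bundle.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce "unable to get local issuer
# certificate" offline and show the same leaf verifying once the bundle
# contains the private CA. Requires the openssl CLI; every name below is a
# constructed stand-in (no real CA or host material).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME OUTPREFIX: self-signed throwaway CA valid for one day.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}
make_ca "Constructed Private CA" "$WORK/ca"      # stands in for the real private CA
make_ca "Unrelated Public CA"    "$WORK/other"   # stands in for a stock system bundle

# Leaf certificate for the Git host, issued by the constructed private CA.
openssl req -newkey rsa:2048 -nodes -subj '/CN=git.example.com' \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.crt" >/dev/null 2>&1

# A bundle is just concatenated PEM blocks; this is what should end up at
# /etc/ssl/certs/ca-certificates.crt once the private CA has been appended.
cat "$WORK/other.crt" "$WORK/ca.crt" > "$WORK/bundle.crt"

# bundle_cert_count BUNDLE: number of certificates in a bundle file. A quick
# sanity check inside a container that the mounted file is the one expected.
bundle_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_with_bundle BUNDLE LEAF: prints "ok" if LEAF chains to a CA in
# BUNDLE, otherwise the reason git/libcurl would report. Decided on openssl's
# output rather than its exit status, which older releases did not set reliably.
verify_with_bundle() {
  result=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$result" in
    *": OK"*) echo ok ;;
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *) echo "other: $result" ;;
  esac
}

echo "certs in bundle: $(bundle_cert_count "$WORK/bundle.crt")"
echo "against unrelated CA only:      $(verify_with_bundle "$WORK/other.crt" "$WORK/leaf.crt")"
echo "against bundle with private CA: $(verify_with_bundle "$WORK/bundle.crt" "$WORK/leaf.crt")"
```

The first verification fails exactly as the clone step does, the second succeeds, which is the behaviour the mounted bundle has to reproduce inside the plugins/git container.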