Drone orgsecret add - client error 404

Hi guys! I am trying to add an org secret via this command

drone orgsecret add org test_secret test_password

but keep getting:

client error 404: 404 page not found.

I can see that the request is hitting the drone server:

method=POST remote="172.19.0.1:60492" request=/api/secrets/org request-id=1Kx3SCQw7SSGRkMdwdmfAwXgG29

Is this something you can advise on please?

org secrets require drone 1.1 or higher, and the endpoint is only accessible to Drone system administrators.

@bradrydzewski thanks, yep, it seems I was running 1.0.
I am hitting another issue now: I have added a few orgsecrets, but it seems they are not available from the pipeline.

drone orgsecret info napier-ai smtp_account_user
smtp_account_user
Organization: napier-ai
Pull Request Read: false
Pull Request Write: false

drone orgsecret info napier-ai smtp_account_password
smtp_account_password
Organization: napier-ai
Pull Request Read: false
Pull Request Write: false

Then I am trying to access these secrets from the pipeline:

environment:
  SMTP_ACCOUNT_PASSWORD:
    from_secret: smtp_account_password
  SMTP_ACCOUNT_USER:
    from_secret: smtp_account_user
commands:
- echo "SMTP_ACCOUNT_USER is $SMTP_ACCOUNT_USER"
- echo "SMTP_ACCOUNT_PASSWORD is $SMTP_ACCOUNT_PASSWORD"

And they are not available…

This is probably just a configuration issue, however, I require more information to advise further. Please provide all of the following information:

  1. The full result of drone repo info <repository> (do not redact repository name)
  2. The full result of drone build info <repository> <build>
  3. The full yaml configuration file

@bradrydzewski just to clarify: I am trying to access the secrets during the PR event. As far as I know, secrets for PR are disabled by default for security reasons.

Before I provide all the requested info, could you please advise how to pass the Pull Request Read and Pull Request Write parameters to the drone orgsecret add command?

@bradrydzewski found the parameters in the source code:

drone orgsecret add napier-ai test test --allow-pull-request

Trying with the secrets enabled for PR now.

@bradrydzewski the --allow-pull-request switch worked and the secrets are now available on the PR event.
Only one question: is it possible to use dockerconfigjson as a global secret in order to pull images from private registries like below?

image_pull_secrets:
- dockerconfigjson

I have basically added the org secret for dockerconfigjson, but the image pull fails with a No such image error.

yep, I have tested and confirmed this works.

@bradrydzewski so in general should I just add the org secret dockerconfigjson and reference it as usual like below?

image_pull_secrets:
- dockerconfigjson

I have copied the content of dockerconfigjson to a file and then added the secret with:

drone orgsecret add napier-ai dockerconfigjson $(cat dockerconfigjson) --allow-pull-request --allow-push-on-pull-request

But still unable to pull the image…
I do not see anything special in the drone server logs.

The drone agent is responsible for loading image_pull_secrets.
See: https://github.com/drone/drone/blob/master/plugin/registry/static.go#L34

I recommend setting DRONE_LOGS_TRACE=true on the agent and tracing through the code to further troubleshoot. You should be able to analyze the trace logs, in conjunction with reading the code, to debug further. You may also need to compile the agent from source and add your own debug logic as needed.

Many thanks for the valuable advice, @bradrydzewski. I was inserting the valid dockerconfigjson json, as I had checked it before inserting it as a usual credential.
In my case the json was parsed with errors by the drone agent, and I had to define the json as an env var via heredoc and then use that var as an argument to the drone orgsecret add command.

In case someone needs the solution:

  1. Define the json as an env var

read -r -d '' JSON_SECRET << EOM
{
  "auths": {
    "our.registry.com": {
      "auth": "encoded_hash"
    }
  }
}
EOM

  2. Create orgsecret

drone orgsecret add some_org dockerconfigjson "$JSON_SECRET" --allow-pull-request --allow-push-on-pull-request


I hit the same issue where a JSON secret got corrupted somehow while getting it to the command line. drone orgsecret add needs a better way to ingest blob secrets.

there is syntax to load a secret from a file, see:
https://docs.drone.io/cli/orgsecret/drone-orgsecret-add/

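The corruption described in this thread can be reproduced without a Drone server. The following is an added example, not code from any poster or from the drone project: `argc` and `value3` are hypothetical stand-ins for a CLI that takes `<org> <name> <value>`, and the JSON is a constructed sample in the shape shown above. It shows how an unquoted `$(cat file)` is split by the shell before the CLI ever sees it, and why compact one-line JSON happens to survive while pretty-printed JSON does not.

```shell
#!/bin/sh
# Constructed sample in the shape of the dockerconfigjson from the thread.
make_sample() {
  cat > "$1" <<'EOF'
{
  "auths": {
    "our.registry.com": {
      "auth": "encoded_hash"
    }
  }
}
EOF
}

# Hypothetical stand-ins for a CLI that takes <org> <name> <value>:
# argc reports how many arguments arrived, value3 returns the third one.
argc()   { echo "$#"; }
value3() { printf '%s' "$3"; }

# Unquoted: the shell splits the file on spaces and newlines before the CLI runs.
unquoted_argc()  { argc   some_org dockerconfigjson $(cat "$1"); }
unquoted_value() { value3 some_org dockerconfigjson $(cat "$1"); }

# Quoted: the whole document travels as a single argument.
quoted_argc()  { argc   some_org dockerconfigjson "$(cat "$1")"; }
quoted_value() { value3 some_org dockerconfigjson "$(cat "$1")"; }

# Succeeds only if the file content would still arrive intact when left unquoted,
# i.e. it contains nothing the shell splits on.
survives_unquoted() {
  [ "$(unquoted_argc "$1")" -eq 3 ] && [ "$(unquoted_value "$1")" = "$(cat "$1")" ]
}

demo() {
  f=$(mktemp) && make_sample "$f"
  echo "unquoted: $(unquoted_argc "$f") args, value seen by the CLI: '$(unquoted_value "$f")'"
  echo "quoted:   $(quoted_argc "$f") args"
  rm -f "$f"
}
demo
```

With the unquoted form the stored secret is only the first token of the file, which is syntactically a "successful" add but can never authenticate a registry pull.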