DRONE_RUNNER_ENV not working with secrets

Hi,

Plugin arguments sourced from secrets aren’t working for me in a plugin. The plugin source itself is available here: https://gitlab.com/bnmcg/drone-helm-push/-/blob/master/main.go

My pipeline:

kind: pipeline
type: kubernetes
name: myproject

steps:
  - name: publish-image
    image: plugins/docker
    settings:
      registry: docker.myorg.com
      repo: docker.myorg.com/myorg/myproject
      username:
        from_secret: DOCKER_USERNAME
      password:
        from_secret: DOCKER_PASSWORD
      auto_tag: true
    when:
      event:
        - tag
  
  - name: publish-chart
    image: bnmcg/drone-helm-push:2.2.2
    settings:
      chart_path: helm/myproject
      repository_username:
        from_secret: DOCKER_USERNAME
      repository_password:
        from_secret: DOCKER_PASSWORD
      repository_uri: https://charts.myorg.com
    # when:
    #   event:
    #     - promote
    #   target:
    #     - chart

  - name: deploy
    image: docker.myorg.com/bnmcg/drone-helm
    settings:
      chart: myorg/myproject
      skip_tls_verify: true
      release: myproject
      namespace: myorg
      helm_repos: myorg=https://charts.myorg.com
      client_only: true
      values: image.tag=${DRONE_TAG##v}
      values_files: helm/values.production.yaml
    environment:
      API_SERVER:
        from_secret: API_SERVER
      KUBERNETES_TOKEN:
        from_secret: KUBERNETES_TOKEN
    when:
      event:
        - promote
      target:
        - production

The chart_path and repository_uri parameters are correctly injected as PLUGIN_REPOSITORY_URI and PLUGIN_CHART_PATH. However, repository_username and repository_password don’t appear as environment variables.

If I set the value of repository_username and repository_password to strings, instead of sourcing from from_secret: ..., then the variables are injected into the environment correctly.

I’m using Drone 1.6.5 and the Kubernetes runner.

Drone repo info:

Owner: myorg
Repo: myproject
Config: .drone.yml
Visibility: private
Private: true
Trusted: false
Protected: false
Remote: https://gitlab.com/myorg/myproject.git

Drone build info:

Number: 37
Status: failure
Event: push
Commit: 2320dc0bbed51b975ec2807c88a776620bb5c504
Branch: master
Ref: refs/heads/master
Author: bnmcg
Message: Print arguments

Drone secret info tells me “json: cannot unmarshal array into Go value of type drone.Secret”. The secrets in question are sourced from DRONE_RUNNER_ENV. They do work correctly in other plugins (e.g. the Docker plugin).

DRONE_RUNNER_ENV does not provide secrets; it sets global environment variables that are automatically injected into every step. You cannot use from_secret with global environment variables since they are not secrets.

Ah, interesting… I think the Docker plugin is working coincidentally, as checking the code it also loads the username from the DOCKER_USERNAME environment variable, same for the password.

Is there a better way to provide secrets to all pipelines, or should I just interpolate the value from the environment variable?

it also loads the username from the DOCKER_USERNAME environment variable, same for the password.

The reason you are seeing DOCKER_USERNAME and DOCKER_PASSWORD being injected is because you have set global environment variables, which are injected into every step, including plugin steps. This described behavior is expected.

Is there a better way to provide secrets to all pipelines, or should I just interpolate the value from the environment variable?

You could use organization secrets:
https://docs.drone.io/secret/organization/

You could also use global environment variables to globally configure plugins, automatically (without declaring anything in the yaml). You just need to name the variables correctly.

For example, if your plugin reads the username from PLUGIN_REPOSITORY_USERNAME, you need to name your global environment variable accordingly.

-DRONE_RUNNER_ENV=DOCKER_USERNAME:octocat
+DRONE_RUNNER_ENV=PLUGIN_REPOSITORY_USERNAME:octocat
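Review bot: the added line covers only the username, while the pipeline change that follows removes both repository_username and repository_password from settings; DRONE_RUNNER_ENV needs a matching PLUGIN_REPOSITORY_PASSWORD entry as well, otherwise the plugin receives a username and no password. Because these values are injected into every step rather than stored as secrets, organization secrets are the better home for the password.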

Just remember that when using global environment variables you cannot use from_secret since global environment variables are not secrets. Doing so would likely reset the value, resulting in an empty string.

  - name: publish-chart
    image: bnmcg/drone-helm-push:2.2.2
    settings:
      chart_path: helm/myproject
-     repository_username:
-       from_secret: DOCKER_USERNAME
-     repository_password:
-       from_secret: DOCKER_PASSWORD
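
A plugin-side guard for the failure in this thread, as an added example (not code from drone-helm-push or from Drone): it fails the step and names any required setting that arrived empty, which is the result described above when from_secret does not resolve to a real secret. The function names are hypothetical, and the "PLUGIN_" plus upper-case mapping is assumed from the two variable names quoted in the thread.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// pluginEnvName maps a settings key to the variable the plugin sees,
// following the names quoted in the thread: chart_path -> PLUGIN_CHART_PATH.
// Assumption: plain upper-casing is enough for the keys used here.
func pluginEnvName(setting string) string {
	return "PLUGIN_" + strings.ToUpper(setting)
}

// missingSettings returns, sorted, the required settings whose PLUGIN_
// variable is unset or blank. lookup has the shape of os.LookupEnv.
func missingSettings(required []string, lookup func(string) (string, bool)) []string {
	var missing []string
	for _, s := range required {
		if v, ok := lookup(pluginEnvName(s)); !ok || strings.TrimSpace(v) == "" {
			missing = append(missing, s)
		}
	}
	sort.Strings(missing)
	return missing
}

// checkSettings reports missing settings by name only, never by value,
// so credentials do not end up in the build log.
func checkSettings(required []string, lookup func(string) (string, bool)) error {
	m := missingSettings(required, lookup)
	if len(m) == 0 {
		return nil
	}
	return fmt.Errorf("empty or unset settings: %s; if they use from_secret, "+
		"check that a secret with that name exists", strings.Join(m, ", "))
}

func main() {
	// Settings names taken from the publish-chart step in the thread.
	required := []string{"chart_path", "repository_uri",
		"repository_username", "repository_password"}
	if err := checkSettings(required, os.LookupEnv); err != nil {
		fmt.Fprintln(os.Stderr, "plugin configuration error:", err)
		os.Exit(1)
	}
	fmt.Println("all required settings present")
}
```

Run at plugin start-up, this turns a silently empty credential into an immediate, named configuration error instead of a later authentication failure against the chart repository.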