How to get rid of skip_verify: true during cloning?

Dear all,

First of all, thanks for Drone! It is just awesome.
I am running Drone in k8s with the Helm charts from:

Because we have an internal GitHub instance with private repositories, my chart values mount the CA certificates as follows:

extraVolumes:
 - name: ca-bundle
   configMap:
     name: utils-ca-bundle
extraVolumeMounts:
 - name: ca-bundle
   mountPath: /etc/ssl/certs/ca-certificates.crt
   subPath: ca-bundle.pem

This solved a first issue with the web UI.

However, I still need to provide skip_verify: true in the pipeline to get the clone working:

clone:
  skip_verify: true

What has to be done to get the clone working without skip_verify: true?
thanks - Chris

I recommend setting a global environment variable (passed to the kube runner) [1] to disable SSL verification globally during clone. This has the same effect as adding the skip_verify flag to every yaml.

DRONE_RUNNER_ENVIRON=GIT_SSL_NO_VERIFY=true

[1] https://docs.drone.io/runner/kubernetes/configuration/reference/drone-runner-environ/

Thanks Brad,

To me this is basically the same issue, as the verification is still skipped. If I get it right, there is currently no way to mount /etc/ssl/certs/ca-certificates.crt into the containers of pipeline steps, be it the automatic or customized clone (https://docs.drone.io/pipeline/kubernetes/syntax/cloning/) or the container of any other step.

Would it be reasonable to:

  1. Extend the helm chart to be able to write something like this:

    caCertificates:
      <configMapName>: <configMapDataKey>
    
  2. Adjust the drone runtime (engine/kube/kube.go) to mount this into the pod-containers for each step?

If yes, I’d like to invest some time here.

Adjust the drone runtime (engine/kube/kube.go) to mount this into the pod-containers for each step?

The challenge with config maps is they are per-namespace. You can configure a pipeline to run in different namespaces [1], in which case this approach may be less effective.

[1] Metadata | Drone
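
An added example, not part of the thread and not Drone's own code: a small audit that finds where certificate verification is switched off by the two settings discussed above, `skip_verify: true` in a pipeline's clone block and `GIT_SSL_NO_VERIFY` passed through `DRONE_RUNNER_ENVIRON`. The function names, the sample inputs and the accepted `KEY:value` pair form are assumptions made for this sketch.

```python
import re

TRUTHY = {"true", "yes", "on"}  # YAML boolean spellings treated as enabled

def find_skip_verify(pipeline_yaml):
    """Line numbers where a top-level clone block enables skip_verify."""
    hits, in_clone = [], False
    for lineno, raw in enumerate(pipeline_yaml.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop a trailing comment
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a top-level key or '---' ends any clone block
            in_clone = line.startswith("clone:")
        m = re.search(r"\bskip_verify:\s*['\"]?(\w+)", line)
        if in_clone and m and m.group(1).lower() in TRUTHY:
            hits.append(lineno)
    return hits

def find_no_verify_env(env_lines):
    """Names of variables that carry GIT_SSL_NO_VERIFY, whatever its value."""
    hits = []
    for entry in env_lines:
        name, _, value = entry.partition("=")
        # Assumption: DRONE_RUNNER_ENVIRON holds comma-separated pairs written
        # KEY=value (as in the thread) or KEY:value.
        pairs = value.split(",") if name == "DRONE_RUNNER_ENVIRON" else []
        keys = {re.split(r"[=:]", p, maxsplit=1)[0].strip() for p in pairs}
        if name == "GIT_SSL_NO_VERIFY" or "GIT_SSL_NO_VERIFY" in keys:
            hits.append(name)
    return hits

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_PIPELINE = """\
kind: pipeline
clone:
  skip_verify: true
steps:
- name: build
  settings:
    skip_verify: true
---
kind: pipeline
clone:
  depth: 50
"""
SAMPLE_ENV = ["PATH=/usr/bin", "DRONE_RUNNER_ENVIRON=GIT_SSL_NO_VERIFY=true"]

if __name__ == "__main__":
    print(find_skip_verify(SAMPLE_PIPELINE), find_no_verify_env(SAMPLE_ENV))
```

Only the clone block is checked, so the `skip_verify` under the step's `settings` in the sample is deliberately not reported.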