Pulling private images is done by specifying a secret for Drone to use.
This is confirmed to work with encrypted secrets, which are the only kind of secrets available in the OSS version.
I cannot get the functionality to work though. We’re running Drone v1.8.1 OSS. I’m not sure, but it seems that the embedded runner passes secrets to the registry which are constructed from no-op interfaces.
Support told me that the relevant code could be found here, but as you see from the log snippet, messages from that module are not logged.
As I said, not sure, but I think that:
- Starting from this line the manager initializes secrets.
- And here and here are the implementations of the secret interfaces of the OSS version.
- So it looks like the encrypted secrets from the manifest are not used as registry secrets.
drone.yml

```yaml
---
kind: pipeline
type: docker
name: Default

image_pull_secrets:
- pull_docker_config

steps:
- name: pull-private
  image: xxx
- name: docker
  image: plugins/docker
  settings:
    repo: xxx
    registry: xxx
    username:
      from_secret: docker_username
    password:
      from_secret: docker_password

---
kind: secret
name: pull_docker_config
data: xxx

---
kind: secret
name: docker_username
data: xxx

---
kind: secret
name: docker_password
data: xxx

---
kind: signature
hmac: xxx

...
```
Log snippet

```
{"level":"trace","msg":"registry: database: cannot find secret","name":"pull_docker_config","time":"2020-07-01T04:53:45Z"}
{"level":"trace","msg":"registry: no registry credentials loaded","time":"2020-07-01T04:53:45Z"}
{"level":"trace","msg":"registry: no registry credentials loaded","time":"2020-07-01T04:53:45Z"}
{"level":"trace","msg":"registry: database: find secret","name":"pull_docker_config","time":"2020-07-01T04:53:45Z"}
```
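
A triage check for the symptom reported above, added here as an example (not code from Drone or from the poster): it cross-references the names under `image_pull_secrets` with the `kind: secret` resources in the same file and with the registry trace messages, to separate a mistyped secret name from a declared secret that the registry lookup did not resolve. The manifest and log are constructed from the post's snippets, and the function names and result strings are hypothetical.

```python
import json
import re

# Constructed inputs, trimmed from the post's drone.yml and trace log.
MANIFEST = """\
---
kind: pipeline
image_pull_secrets:
- pull_docker_config
---
kind: secret
name: pull_docker_config
data: xxx
"""
LOG = """\
{"level":"trace","msg":"registry: database: cannot find secret","name":"pull_docker_config","time":"2020-07-01T04:53:45Z"}
{"level":"trace","msg":"registry: no registry credentials loaded","time":"2020-07-01T04:53:45Z"}
"""

def manifest_secrets(text):
    """Names of `kind: secret` resources declared in a multi-document drone.yml."""
    names = set()
    for doc in re.split(r"^---[ \t]*$", text, flags=re.M):
        name = re.search(r"^name:[ \t]*(\S+)", doc, flags=re.M)
        if name and re.search(r"^kind:[ \t]*secret[ \t]*$", doc, flags=re.M):
            names.add(name.group(1))
    return names

def pull_secrets(text):
    """Names listed under the top-level image_pull_secrets key."""
    block = re.search(r"^image_pull_secrets:[ \t]*\n((?:[ \t]*-[ \t]+\S+[ \t]*\n)+)", text, flags=re.M)
    return set(re.findall(r"^[ \t]*-[ \t]+(\S+)", block.group(1), flags=re.M)) if block else set()

def failed_lookups(log):
    """Secret names the registry module reported as missing from the database."""
    missing = set()
    for line in log.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # not a JSON log line
        if isinstance(entry, dict) and entry.get("msg") == "registry: database: cannot find secret":
            missing.add(entry.get("name"))
    return missing

def diagnose(manifest, log):  # classify each pull secret the registry failed to find
    declared = manifest_secrets(manifest)
    return {n: ("declared in manifest but not resolved" if n in declared else "not declared in manifest")
            for n in sorted(pull_secrets(manifest) & failed_lookups(log))}
```
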