Currently the only way to pass secrets to drone is to use environment variables.
When you run Drone in Docker, this forces you to define them in a config file, which is visible to everybody who has access to the orchestration platform Drone runs on.
Within the last year Docker and Kubernetes improved the configuration management of secrets and implemented a similar solution to use them inside containers/pods.
When you define a secret in a service resource file, that secret is then mounted into the container as a file you can use in your application.
To improve security, Drone should provide an option to read such a file instead of relying on environment variables. It is a common Docker convention to point to such a secret file with an environment variable suffixed with _FILE.
The variables that are affected by such a change are the following ones:
DRONE_AGENT_SECRET > DRONE_AGENT_SECRET_FILE
DRONE_GITHUB_SECRET > DRONE_GITHUB_SECRET_FILE
DRONE_BITBUCKET_SECRET > DRONE_BITBUCKET_SECRET_FILE
DRONE_GITLAB_SECRET > DRONE_GITLAB_SECRET_FILE
DRONE_CODING_SECRET > DRONE_CODING_SECRET_FILE
DRONE_DATABASE_DATASOURCE > DRONE_DATABASE_DATASOURCE_FILE
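As an added illustration of the proposed `_FILE` fallback (example code written for this issue, not Drone's own implementation), the resolver below follows the docker-library convention: `NAME_FILE` wins when set, setting both `NAME` and `NAME_FILE` is rejected as ambiguous, the trailing newline that mounted secret files usually carry is stripped, and an empty or unreadable file is an error rather than a silently empty secret. The variable names are the ones listed above; `lookupSecret` and its injected `getenv`/`readFile` parameters are assumptions for testability.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrBothSet follows the docker-library convention: NAME and NAME_FILE set
// together is ambiguous and is rejected instead of silently preferring one.
var ErrBothSet = errors.New("both the variable and its _FILE variant are set")

// lookupSecret resolves the secret for variable NAME. If NAME_FILE is set,
// the secret is the file's content with the trailing newline stripped
// (mounted Docker/Kubernetes secret files usually end with one); otherwise
// NAME itself is used. ok is false when neither variable is set.
// getenv and readFile are injected (assumption) so the logic can be tested
// without a real environment or filesystem; production uses os.Getenv/os.ReadFile.
func lookupSecret(name string, getenv func(string) string,
	readFile func(string) ([]byte, error)) (string, bool, error) {
	plain := getenv(name)
	path := getenv(name + "_FILE")
	switch {
	case plain != "" && path != "":
		return "", false, fmt.Errorf("%s and %s_FILE: %w", name, name, ErrBothSet)
	case path != "":
		data, err := readFile(path)
		if err != nil {
			return "", false, fmt.Errorf("%s_FILE=%q: %w", name, path, err)
		}
		secret := strings.TrimRight(string(data), "\r\n")
		if secret == "" {
			return "", false, fmt.Errorf("%s_FILE=%q: secret file is empty", name, path)
		}
		return secret, true, nil
	case plain != "":
		return plain, true, nil
	}
	return "", false, nil
}

// LookupSecret is the production wiring against the real environment and disk.
func LookupSecret(name string) (string, bool, error) {
	return lookupSecret(name, os.Getenv, os.ReadFile)
}

func main() {
	// Report which of the variables from the proposal are resolvable.
	for _, name := range []string{"DRONE_AGENT_SECRET", "DRONE_GITHUB_SECRET",
		"DRONE_BITBUCKET_SECRET", "DRONE_GITLAB_SECRET", "DRONE_CODING_SECRET",
		"DRONE_DATABASE_DATASOURCE"} {
		_, ok, err := LookupSecret(name)
		fmt.Printf("%s: set=%v err=%v\n", name, ok, err)
	}
}
```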
Here are some references on that Docker/Kubernetes feature.
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
https://docs.docker.com/engine/swarm/secrets/#how-docker-manages-secrets
http://rancher.com/docs/rancher/v1.4/en/cattle/secrets/#docker-hub-images
I'm sorry if this issue is a duplicate. I couldn't find any issue that discussed that topic.