how to create a drone secret file?

Question

the docs show how to set a file to a secret envvar http://readme.drone.io/0.5/secrets/

is there a convenient way to do the opposite? e.g. have this ssh key be available in .ssh/id_rsa with all the correct permissions.

And by "convienient" I obviously mean without having to type mkdir, > or chmod

Answer 1

If you want to use an ssh key as part of your build, you can add the ssh key to the secret store using the following command:

drone secrets add --image=<image> <repo> SSH_KEY @/path/to/.ssh/id_rsa

Note that the @ notation is similar to curl. The reason this feature exists is because creating the secret using cat (or some other sort of pipe) seems to cause a malformed file to upload.

Once the file is added, you can reference in your Yaml:

pipeline:
  image: busybox
  environment:
    - SSH_KEY: ${SSH_KEY}
  commands:
    - mkdir /root/.ssh && echo "$SSH_KEY" > /root/.ssh/id_rsa && chmod 0600 /root/.ssh/id_rsa

Note that it is important to cat SSH_KEY inside quotes in order to preserve new lines.

You may also need to add the host to known_hosts in order to prevent host key issues; change bitbucket.org to whatever host you're pulling from in the following, and add it to commands (after the command shown above, to ensure that the /root/.ssh directory exists):

ssh-keyscan -H bitbucket.org >> /root/.ssh/known_hosts

(You'll also need to install openssh-client or equivalent, if it's not already available in your build image.)

And by "convienient" I obviously mean without having to type mkdir, > or chmod

nope

Answer 2

In drone 0.8+

First, you need to encode base64 if its a binary.

base64 -i yourfile.bin -o base64file.bin

Then add the secret to drone:

drone secret add --repository <repo> --name yourname_keys --value @base64file.bin

Once in the pipeline something like this:

command:
 - echo "$YOURNAME_KEYS" > some/path/afilebase64
 - base64 -D -i some/path/afilebase64 -o some/path/afilebinary

Answer 3

In Drone 0.7+ when using Github oAuth2 to authenticate into Drone it automatically adds the Github username and password to the builds .netrc.

The password is actually a token instead of a password. The .netrc will look as such:

machine github.com
  login <SOME_SECRET>
  password x-oauth-basic

This means you can clone private Github repos over HTTPS without having to specify the username/password, i.e. git clone https://github.com/USER/REPO/git.

You can also get the same effect locally by adding a ~/.netrc file and adding something like:

machine github.com
  login <GITHUB_USERNAME>
  password <GITHUB_PERSONAL_TOKEN>

machine api.github.com
  login <GITHUB_USERNAME>
  password <GITHUB_PERSONAL_TOKEN>

You will have to generate a personal token.

For example, if using the Ruby package manger bundler, you can add the following to the Gemfile:

gem 'documas', git: 'https://github.com/Propheris/documas-core.git'

The build can do bundle install successfully since it will clone the above repo via HTTPS using the Github token. The only issue is that when you do bundle install locally it will ask for a username/password. To overcome this add a ~/.netrc file to your development machine as per the above example.