
Drone plugin for integrating with the Vault secrets manager


drone-vault-extension

A secret extension that provides optional support for sourcing secrets from Vault. Please note this project requires Drone server version 1.3 or higher.

Installation

Create a shared secret. The value below is only an example; generate your own, and use the same value for the plugin (DRONE_SECRET) and the runner (DRONE_SECRET_PLUGIN_TOKEN):

$ openssl rand -hex 16
bea26a2221fd8090ea38720fc445eca6

Download and run the plugin:

$ docker run -d \
  --publish=3000:3000 \
  --env=DRONE_DEBUG=true \
  --env=DRONE_SECRET=bea26a2221fd8090ea38720fc445eca6 \
  --env=VAULT_ADDR=... \
  --env=VAULT_TOKEN=... \
  --restart=always \
  --name=drone-vault drone/vault

Using approle authentication:

$ docker run -d \
  --publish=3000:3000 \
  --env=DRONE_DEBUG=true \
  --env=DRONE_SECRET=bea26a2221fd8090ea38720fc445eca6 \
  --env=VAULT_ADDR=... \
  --env=VAULT_AUTH_TYPE=approle \
  --env=VAULT_TOKEN_TTL=72h \
  --env=VAULT_TOKEN_RENEWAL=24h \
  --env=VAULT_APPROLE_ID=... \
  --env=VAULT_APPROLE_SECRET=... \
  --restart=always \
  --name=drone-vault drone/vault

Update your runner configuration to include the plugin address and the shared secret. The token must match the DRONE_SECRET value passed to the plugin, and the endpoint must be reachable from the runner:

DRONE_SECRET_PLUGIN_ENDPOINT=http://1.2.3.4:3000
DRONE_SECRET_PLUGIN_TOKEN=bea26a2221fd8090ea38720fc445eca6
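The three steps above, as an added install helper that is not part of drone-vault: it generates the shared secret, checks that the AppRole renewal interval is shorter than the token TTL (otherwise the token expires before the plugin renews it), and passes DRONE_SECRET and the AppRole secret_id to the container through a 0600 env file rather than on the `docker run` command line, where they would land in shell history and `ps` output. The env-file path `/etc/drone-vault.env`, the runner-facing address `1.2.3.4` and the `DRONE_VAULT_INSTALL` switch are assumptions for this example, not values from the README.

```shell
#!/bin/sh
# Added example (not part of drone-vault): install helper for the plugin.
# Assumptions: /etc/drone-vault.env, the 1.2.3.4 runner-facing address and the
# DRONE_VAULT_INSTALL switch are placeholders, not values from the README.
set -eu

# Generate the shared secret the same way the README does (32 hex characters),
# falling back to /dev/urandom on hosts without openssl.
gen_shared_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 16
  else
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Convert a single-unit Go-style duration (72h, 24h, 30m, 90s) to seconds.
# Anything else (a bare number, "1d") returns 1 so typos are caught before start.
to_seconds() {
  case "$1" in
    *h) n=${1%h}; u=3600 ;;
    *m) n=${1%m}; u=60 ;;
    *s) n=${1%s}; u=1 ;;
    *)  return 1 ;;
  esac
  case "$n" in
    ''|*[!0-9]*) return 1 ;;
  esac
  echo $((n * u))
}

# The plugin renews its Vault token every VAULT_TOKEN_RENEWAL; if that interval
# is not shorter than VAULT_TOKEN_TTL the token expires before it is renewed.
check_ttls() {
  ttl=$(to_seconds "$1") || return 1
  renewal=$(to_seconds "$2") || return 1
  [ "$renewal" -lt "$ttl" ]
}

# Write the container environment to a file only the invoking user can read,
# so the shared secret and AppRole secret_id never appear on a command line.
write_env_file() {
  file=$1; shared=$2; addr=$3; role_id=$4; secret_id=$5; ttl=$6; renewal=$7
  (
    umask 077
    cat > "$file" <<EOF
DRONE_DEBUG=true
DRONE_SECRET=$shared
VAULT_ADDR=$addr
VAULT_AUTH_TYPE=approle
VAULT_TOKEN_TTL=$ttl
VAULT_TOKEN_RENEWAL=$renewal
VAULT_APPROLE_ID=$role_id
VAULT_APPROLE_SECRET=$secret_id
EOF
  )
}

# The two lines the runner needs; these go into the runner's environment, not the plugin's.
runner_config() {
  printf 'DRONE_SECRET_PLUGIN_ENDPOINT=http://%s:3000\nDRONE_SECRET_PLUGIN_TOKEN=%s\n' "$1" "$2"
}

main() {
  ttl=${VAULT_TOKEN_TTL:-72h}
  renewal=${VAULT_TOKEN_RENEWAL:-24h}
  check_ttls "$ttl" "$renewal" || {
    echo "VAULT_TOKEN_RENEWAL ($renewal) must be shorter than VAULT_TOKEN_TTL ($ttl)" >&2
    exit 1
  }
  shared=$(gen_shared_secret)
  write_env_file /etc/drone-vault.env "$shared" "${VAULT_ADDR:?}" \
    "${VAULT_APPROLE_ID:?}" "${VAULT_APPROLE_SECRET:?}" "$ttl" "$renewal"
  docker run -d --publish=3000:3000 --env-file=/etc/drone-vault.env \
    --restart=always --name=drone-vault drone/vault
  runner_config 1.2.3.4 "$shared"
}

# Only install when explicitly asked, so the file can also be sourced for its functions.
if [ "${DRONE_VAULT_INSTALL:-}" = "1" ]; then
  main
fi
```

Run it with `DRONE_VAULT_INSTALL=1 VAULT_ADDR=... VAULT_APPROLE_ID=... VAULT_APPROLE_SECRET=... sh install.sh`; the last two lines it prints are the runner settings shown above.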

You can configure the plugin with the following DRONE and VAULT environment variables (the two VAULT_APPROLE_* variables are the ones used in the approle example above):

string        DRONE_BIND
bool          DRONE_DEBUG
string        DRONE_SECRET
string        VAULT_ADDR
time.Duration VAULT_TOKEN_RENEWAL
time.Duration VAULT_TOKEN_TTL
string        VAULT_AUTH_TYPE
string        VAULT_AUTH_MOUNT_POINT
string        VAULT_APPROLE_ID
string        VAULT_APPROLE_SECRET
string        VAULT_KUBERNETES_ROLE

For example, if you'd like to change the port the plugin serves, use:

docker run --publish=3001:3001 --env=DRONE_BIND=0.0.0.0:3001 ...

This plugin accepts the following VAULT environment variables for the vault client:

VAULT_ADDR
VAULT_CACERT
VAULT_CAPATH
VAULT_CLIENT_CERT
VAULT_SKIP_VERIFY
VAULT_MAX_RETRIES
VAULT_TOKEN
VAULT_TLS_SERVER_NAME

One use case for these variables is a Vault endpoint secured with TLS and a certificate issued by your own CA. Rather than setting VAULT_SKIP_VERIFY (which disables certificate validation entirely and leaves the Vault token exposed to anyone who can intercept the connection), mount the CA certificate into the drone-vault container and point VAULT_CACERT at it, like this (assuming you have copied the ca.crt file to the host):

docker run -d \
-v /home/ubuntu/ca.crt:/ca.crt \
--publish=3001:3001 \
--env=DRONE_BIND=0.0.0.0:3001 \
--env=DRONE_DEBUG=true \
--env=DRONE_SECRET=${DRONE_SECRET} \
--env=VAULT_CACERT=/ca.crt \
--env=VAULT_ADDR=https://${VAULT_IP_OR_HOSTNAME}:8200 \
--env=VAULT_TOKEN=${VAULT_TOKEN} \
--restart=always \
--name=drone-vault drone/vault
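A preflight script for the TLS setup above, added here as an example and not part of drone-vault: before starting the container it checks that VAULT_ADDR is an https URL, that VAULT_SKIP_VERIFY is not set alongside the pinned CA, that the CA file is readable PEM, and then performs one TLS handshake against Vault with that CA through curl. The hostname `vault.example.internal`, the path `/home/ubuntu/ca.crt` and the `DRONE_VAULT_PREFLIGHT` switch are assumptions for this example.

```shell
#!/bin/sh
# Added example (not part of drone-vault): TLS preflight for the plugin's Vault client.
# Assumptions: vault.example.internal, /home/ubuntu/ca.crt and the
# DRONE_VAULT_PREFLIGHT switch are placeholders, not values from the README.
set -eu

# VAULT_ADDR must be https://... when a CA is pinned; over plain http the Vault
# token would travel in clear text and VAULT_CACERT would never be consulted.
addr_is_https() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# VAULT_SKIP_VERIFY turns certificate validation off entirely, so combining it
# with a pinned CA buys nothing. Only an empty, "0" or "false" value is accepted.
skip_verify_is_off() {
  case "${1:-}" in
    ''|0|false) return 0 ;;
    *)          return 1 ;;
  esac
}

# The CA file must be readable and contain at least one PEM certificate block.
ca_file_is_pem() {
  [ -r "$1" ] \
    && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
    && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Run the offline checks; prints the reason and returns 1 on the first failure.
preflight() {
  addr=$1; cacert=$2; skip=${3:-}
  addr_is_https "$addr" \
    || { echo "VAULT_ADDR must use https: $addr" >&2; return 1; }
  skip_verify_is_off "$skip" \
    || { echo "VAULT_SKIP_VERIFY is set; unset it and rely on VAULT_CACERT" >&2; return 1; }
  ca_file_is_pem "$cacert" \
    || { echo "VAULT_CACERT is not a readable PEM file: $cacert" >&2; return 1; }
}

# Live check (not run by the tests): one TLS handshake against Vault using the
# same CA file. Any HTTP status is fine here; curl only fails (exit 60) when the
# CA does not sign Vault's certificate or the hostname in VAULT_ADDR does not match it.
probe_vault() {
  curl --silent --show-error --output /dev/null --cacert "$2" "$1/v1/sys/health"
}

if [ "${DRONE_VAULT_PREFLIGHT:-}" = "1" ]; then
  preflight "${VAULT_ADDR:?}" "${VAULT_CACERT:?}" "${VAULT_SKIP_VERIFY:-}" \
    && probe_vault "$VAULT_ADDR" "$VAULT_CACERT" \
    && echo "TLS preflight ok; start drone-vault with VAULT_CACERT=$VAULT_CACERT"
fi
```

Run it on the host with the same values you intend to pass to the container, for example `DRONE_VAULT_PREFLIGHT=1 VAULT_ADDR=https://vault.example.internal:8200 VAULT_CACERT=/home/ubuntu/ca.crt sh preflight.sh`; note that inside the container the path becomes `/ca.crt` because of the `-v` mount.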