使用vault来存储secret,需要使用drone的drone-vault插件
docker-compose文件内容如下:
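version: "2"

networks:
  gitea:
    external: false

services:
  # Drone server, authenticating against the Gitea instance below.
  drone:
    image: drone/drone
    environment:
      - DRONE_GITEA_SERVER=http://1.2.3.4:18080
      - DRONE_GITEA_CLIENT_ID=ff1a8b12-d53d-40f6-8352-168e22a430d0
      # OAuth client secret, RPC secret and (further down) the Vault token and
      # plugin token are literal values in this file. Anything that reaches VCS
      # this way should be rotated and moved to an env_file / ${VAR} substitution.
      - DRONE_GITEA_CLIENT_SECRET=xQCLpsvFPhw7-FBQBTEbPtODvTBsD5pPO4n4f0q9oxA=
      # Must match DRONE_RPC_SECRET on every runner; a short numeric value is
      # easy to guess and lets anyone who reaches port 10000 register a runner.
      - DRONE_RPC_SECRET=123456789
      - DRONE_SERVER_HOST=1.2.3.4:10000
      - DRONE_SERVER_PROTO=http
    restart: always
    networks:
      - gitea
    volumes:
      - $HOME/data/drone:/data
    ports:
      - "10000:80"

  ssh_runner:
    image: drone/drone-runner-ssh
    environment:
      - DRONE_RPC_SECRET=123456789
      - DRONE_RPC_HOST=drone:80
      - DRONE_RPC_PROTO=http
      - DRONE_RUNNER_CAPACITY=3
      - DRONE_RUNNER_NAME=ssh_tx
      # Secret plugin lookup goes to the drone-vault service over the compose
      # network; the token must equal DRONE_SECRET on that service.
      - DRONE_SECRET_PLUGIN_ENDPOINT=http://drone_vault:3000
      - DRONE_SECRET_PLUGIN_TOKEN=7890bcce69bb685a9a424767fe9d1be1
    networks:
      - gitea

  docker_runner:
    image: drone/drone-runner-docker
    environment:
      - DRONE_RPC_SECRET=123456789
      - DRONE_RPC_HOST=drone:80
      - DRONE_RPC_PROTO=http
      - DRONE_RUNNER_CAPACITY=2
      - DRONE_RUNNER_NAME=docker_tx
      - DRONE_SECRET_PLUGIN_ENDPOINT=http://drone_vault:3000
      - DRONE_SECRET_PLUGIN_TOKEN=7890bcce69bb685a9a424767fe9d1be1
    networks:
      - gitea
    volumes:
      # Mounting the Docker socket gives this runner (and any pipeline step it
      # launches) control of the host's Docker daemon, i.e. host-root equivalent.
      # Only build repositories you trust with this runner.
      - /var/run/docker.sock:/var/run/docker.sock

  vault:
    # Unpinned tag; pin a specific Vault version for reproducible deployments.
    image: vault:latest
    restart: always
    container_name: vault
    networks:
      - gitea
    volumes:
      - $HOME/data/vault/file:/vault/file
      - $HOME/data/vault/config:/vault/config
      - $HOME/data/vault/logs:/vault/logs
    cap_add:
      # Lets Vault mlock() its memory so secrets are not swapped to disk.
      - IPC_LOCK
    environment:
      - VAULT_API_ADDR=http://127.0.0.1:8200
      - VAULT_ADDR=http://127.0.0.1:8200
      # Single-quoted so the embedded braces, commas and double quotes are never
      # interpreted by the YAML parser. tls_disable=1 means the listener speaks
      # plaintext HTTP; that is only tolerable because it is reached over the
      # private compose network (and the published port below).
      - 'VAULT_LOCAL_CONFIG={"backend":{"file":{"path":"/vault/file"}},"default_lease_ttl":"168h","max_lease_ttl":"720h","ui":true,"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}}'
    ports:
      # Quoted: port mappings are strings, never numbers.
      - "10001:8200"
    # NOTE(review): presumably the image entrypoint writes VAULT_LOCAL_CONFIG to
    # /vault/config/local.json before this command runs — confirm for the pinned image.
    command: vault server -config=/vault/config/local.json

  # Drone secret plugin that resolves `kind: secret` / from_secret lookups from Vault.
  drone-vault:
    image: drone/vault
    container_name: drone_vault
    restart: always
    networks:
      - gitea
    environment:
      # Shared token the runners present as DRONE_SECRET_PLUGIN_TOKEN.
      - DRONE_SECRET=7890bcce69bb685a9a424767fe9d1be1
      # Debug logging on a secret-handling service can write secret material to
      # the container logs; turn it off once the setup is verified.
      - DEBUG=true
      - VAULT_ADDR=http://vault:8200
      - VAULT_TOKEN_RENEWAL=84h
      - VAULT_TOKEN_TTL=168h
      # Vault token used for every lookup; scope it with a policy limited to the
      # KV paths the pipelines need rather than a broadly privileged token.
      - VAULT_TOKEN=s.CQye7biA8bvF8YybOIiaTZtF
    ports:
      # Published on all host interfaces so the CLI test on localhost works;
      # the runners reach it over the compose network and do not need this
      # mapping, so "127.0.0.1:3000:3000" would be the tighter binding.
      - "3000:3000"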
部署完成后,可以使用drone的cli来测试一下能不能取得到值,需要先设置以下环境变量
# Environment the Drone CLI reads for `drone plugins secret ...`:
# the token shared with the drone-vault service and the endpoint it was
# published on (port 3000 of the compose host).
DRONE_SECRET_SECRET=7890bcce69bb685a9a424767fe9d1be1
DRONE_SECRET_ENDPOINT=http://127.0.0.1:3000
export DRONE_SECRET_SECRET DRONE_SECRET_ENDPOINT
设置完成后,即可使用命令
# Ask the secret plugin for one value, bypassing a pipeline run.
# Positional arguments: <Vault path as the plugin expects it> <key name>.
# --repo is passed through to the plugin; any repo slug works for this check.
drone plugins secret get \
  crawl/data/server user \
  --repo octocat/hello-world
假如在vault中设定的kv secret是crawl/server,那么在drone cli中需要写成crawl/data/server,在build.yml中也是同理。后面的user是crawl/server路径下的key名;--repo 随便指定即可。
在build.yml中取vault的值采取以下形式
---
# Pipeline executed on a remote host over SSH (type: ssh).
kind: pipeline
type: ssh
name: deploy_to_server

# Runs for pushes to master and for manually triggered ("custom") builds.
trigger:
  branch:
  - master
  event:
  - push
  - custom

# SSH target. Every field is resolved at run time from a named secret;
# the `kind: secret` documents below map those names onto Vault entries.
server:
  host:
    from_secret: host
  user:
    from_secret: user
  password:
    from_secret: passwd

steps:
- name: submodules
  commands:
  - git submodule update --init --recursive

- name: greeting
  commands:
  - docker build -t test:test .

# Vault-backed secrets. `path` is the path the plugin expects (the KV secret
# crawl/server is addressed as crawl/data/server); `name` is the key under it.
---
kind: secret
name: host
get:
  path: crawl/data/server
  name: host

---
kind: secret
name: user
get:
  path: crawl/data/server
  name: user

---
kind: secret
name: passwd
get:
  path: crawl/data/server
  name: password
参考: