
Comments (7)

steve-gray commented on June 15, 2024

The root issue that seems to be causing our problems is that the version of Linux this is based on, deep, deep in the layer chain, has an old set of CA certificates.

We ported the entire logic/behaviour over to a custom CentOS7 based container and it's all working fine now - so I suspect this issue is twofold:

  • Image is using old baseline, missing many common CAs (a quick compare versus CentOS7/Ubuntu latest)
  • No way to inject custom certs bundle. Would allow us to use internal registry / self-signed and also mitigate issue of missing root public CA.

from drone-docker.

bradrydzewski commented on June 15, 2024

I believe this needs to be resolved at the Drone level with the ability to read-only mount certificate volumes into plugin containers. We can then update plugins to load these certs from well-known directories using something like https://github.com/jackspirou/syscerts


sstine commented on June 15, 2024

This would be a great improvement. The current workaround of using the insecure flag isn't ideal.


bchivari commented on June 15, 2024

+1 for the ability to inject certificates, by some means, into /etc/docker/certs.d/ to allow for a self-signed secure registry. I'm at the point now where, in the absence of this feature, I'm forced to explore other options for the generation of Docker images as build artifacts.


bradrydzewski commented on June 15, 2024

@bchivari you can always fork the plugin and build your own image with the certificate included (0.5 only), or mount your certificate at runtime as a volume (0.5 only):

pipeline:
  ...
  publish:
    image: plugins/docker
    ...
    volumes:
      - /etc/docker/certs.d:/etc/docker/certs.d

As mentioned above you might be able to use the insecure: true flag as a temporary workaround:

pipeline:
  ...
  publish:
    image: plugins/docker
    insecure: true
    ...

There are plans to expose a global certificate pool to all plugins (not just docker) but that isn't something that will be ready in the near term. In the meantime, there should be sufficient workarounds available to proceed even if you require a custom certificate.


bradrydzewski commented on June 15, 2024

If anyone is interested in contributing an implementation of the global cert pool please contact us in our gitter channel to discuss further. https://gitter.im/drone/drone

If not, please note that it is not something I'm actively working on in the near term. If you have to wait for me to implement this feature, you could be waiting months ...


bradrydzewski commented on June 15, 2024

drone now supports a global DRONE_VOLUME parameter. This is a global server setting that instructs drone to mount folders in all containers and can be used to mount custom certificate chains.

DRONE_VOLUME=/etc/ssl/certs:/etc/ssl/certs

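Putting the two ideas in this thread together (a plugin that loads certificates from well-known directories, and a DRONE_VOLUME mount that puts them there), here is an added example that is not code from the drone-docker plugin or from anyone in the thread: a Go function that starts from the system roots and appends every PEM certificate matched by a set of glob patterns, plus a constructed self-signed fixture so it runs offline. The function names, the glob patterns and the fixture's CommonName are my own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// NewRootPool starts from the system roots (an empty pool if they are unreadable) and
// appends every PEM certificate matched by globs such as /etc/docker/certs.d/*/ca.crt
// (the paths a DRONE_VOLUME mount exposes); files that are not certificates are ignored.
func NewRootPool(globs []string) (*x509.CertPool, int, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool()
	}
	added := 0 // files that contributed at least one certificate
	for _, g := range globs {
		files, _ := filepath.Glob(g) // a missing directory matches nothing; only a bad pattern errors
		for _, f := range files {
			data, err := os.ReadFile(f)
			if err != nil {
				return nil, added, err // an unreadable cert file must not be skipped silently
			}
			if pool.AppendCertsFromPEM(data) {
				added++
			}
		}
	}
	return pool, added, nil
}

// selfSignedCAPEM is a constructed fixture: a throwaway CA standing in for an internal registry CA.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-internal-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}
```

The returned pool is what goes into tls.Config.RootCAs for the registry client, which keeps verification on rather than switching it off with the insecure flag.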
