Configuration in Vault
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. The Vault plugin allows you to access Vault secrets from your pipeline.
Example Vault secret:
$ vault kv put secret/docker \
username=octocat \
password=correct-horse-battery-staple
Security
Secrets are available to all repositories and all build events by default. We strongly recommend that you limit access to secrets by repository and build events. This can be done by adding special properties:
$ vault kv put secret/docker \
username=octocat \
password=correct-horse-battery-staple \
x-drone-events=push,tag \
x-drone-repos=octocat/*,spaceghost/*
Limit By Repository
You can use the X-Drone-Repos annotation to limit which repositories can access your global Vault secret. The annotation accepts a comma-separated list of glob patterns. If a repository name matches at least one of the patterns, it is granted access to the secret.
Limit access to a single repository:
$ vault kv put secret/docker \
username=octocat \
password=correct-horse-battery-staple \
x-drone-repos=octocat/hello-world
Limit access to all repositories in an organization:
$ vault kv put secret/docker \
username=octocat \
password=correct-horse-battery-staple \
x-drone-repos=octocat/*
Limit access to multiple repositories or organizations:
$ vault kv put secret/docker \
username=octocat \
password=correct-horse-battery-staple \
x-drone-repos=octocat/*,spaceghost/*
Limit By Event
You can use the X-Drone-Events annotation to limit which build events can access your global Vault secret. The annotation is a comma-separated list of events. If a build matches at least one of the events, it is granted access to the secret.
Limit access to push and tag events:
$ vault kv put secret/docker \
username=octocat \
password=correct-horse-battery-staple \
x-drone-events=push,tag
You can combine annotations to limit by repository and event:
$ vault kv put secret/docker \
username=octocat \
password=correct-horse-battery-staple \
x-drone-events=push,tag \
x-drone-repos=octocat/*,spaceghost/*
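The access rules from the Limit By Repository and Limit By Event sections, worked through as an added Python example (not the Drone plugin's own code): the secret written by the combined command above is read back as a key/value map and checked against a build's repository and event. The glob semantics (shell-style matching via fnmatch, case-sensitive, with `*` allowed to span `/`) and the "missing annotation allows everything" default are assumptions taken from the page's description, not from the plugin source.

```python
import fnmatch

# Constructed sample: the secret written by the combined example on this page,
# as the plugin would read it back from the KV store.
SAMPLE_SECRET = {
    "username": "octocat",
    "password": "correct-horse-battery-staple",
    "x-drone-events": "push,tag",
    "x-drone-repos": "octocat/*,spaceghost/*",
}


def split_list(value):
    """Parse a comma-separated annotation value into non-empty, trimmed items."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def repo_allowed(secret, repo):
    """x-drone-repos holds glob patterns; a repo matching any one is granted access.
    A missing annotation means every repository may read the secret (the default)."""
    patterns = split_list(secret.get("x-drone-repos"))
    if not patterns:
        return True
    # Assumption: shell-style globbing, case-sensitive, '*' may span '/'.
    return any(fnmatch.fnmatchcase(repo, pattern) for pattern in patterns)


def event_allowed(secret, event):
    """x-drone-events holds event names; a build whose event is listed is granted access.
    A missing annotation means every build event may read the secret (the default)."""
    events = split_list(secret.get("x-drone-events"))
    return not events or event in events


def secret_accessible(secret, repo, event):
    """When both annotations are present, both restrictions must pass."""
    return repo_allowed(secret, repo) and event_allowed(secret, event)


if __name__ == "__main__":
    for repo, event in [("octocat/hello-world", "push"),
                        ("octocat/hello-world", "pull_request"),
                        ("evilcorp/hello-world", "push")]:
        print(repo, event, secret_accessible(SAMPLE_SECRET, repo, event))
```

The third case shows why the repository restriction matters: without `x-drone-repos`, any repository on the Drone server that triggers a push build could read the Docker credentials.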