Drone plugin for integration with Click Studios Passwordstate

tdabasinskas/drone-passwordstate

drone-passwordstate

Description

A drone.io plugin that exports passwords (secrets) from a Click Studios Passwordstate password list. The plugin exports secrets to the specified file within the workspace, so the file can be used in later pipeline steps (e.g. deploying them to Kubernetes via the drone-helm plugin).

Usage

Simple usage

To export all the secrets from the specified Passwordstate password list to a ./secrets.yaml file, add the following pipeline step:

pipeline:
  inject_secrets:
    image: tdabasinskas/drone-passwordstate
    api_endpoint: https://passwordstate/api/
    api_key: $PASSWORD_STATE_KEY
    skip_tls_verify: false
    password_list_id: 1231
    output_path: ./secrets.yaml
    secrets: [ PASSWORD_STATE_KEY ]

The plugin will connect to the specified Passwordstate instance and extract the passwords as secrets, using the UserName field as the secret key and the Password field as the secret value. Once finished, the following file will be created within the workspace:

secrets:
  some_secret: 'some_secret_value'
  another_secret: 'another_secret_value'

Encoding secrets

By default, secrets are exported as-is, meaning they would need to be separately Base64-encoded if used as Kubernetes secrets. To handle that automatically, the encode_secrets parameter can be used, e.g.:

pipeline:
  inject_secrets:
    image: tdabasinskas/drone-passwordstate
    api_endpoint: https://passwordstate/api/
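    # API key supplied from a Drone secret, as in the simple usage example,
    # rather than written into the pipeline file
    api_key: $PASSWORD_STATE_KEY
    skip_tls_verify: false
    password_list_id: 1231
    output_path: ./secrets.yaml
    encode_secrets: true
    secrets: [ PASSWORD_STATE_KEY ]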

Using different Key/Value fields

As mentioned, the UserName and Password fields are used as the Key/Value pair by default. However, different fields can be specified, e.g.:

pipeline:
  inject_secrets:
    image: tdabasinskas/drone-passwordstate
    api_endpoint: https://passwordstate/api/
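    # API key supplied from a Drone secret, as in the simple usage example,
    # rather than written into the pipeline file
    api_key: $PASSWORD_STATE_KEY
    skip_tls_verify: false
    password_list_id: 1231
    key_field: Title
    value_field: GenericField6
    secrets: [ PASSWORD_STATE_KEY ]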

Please note that "Generic Fields", even when renamed in Passwordstate, still have to be entered as "GenericField1", "GenericField2" and so on for password retrieval to work.
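
The field selection and encoding described in the two sections above, as an added sketch that is not the plugin's own code: it maps password records to the secrets file format, honouring key_field, value_field and encode_secrets. The function names and the sample records are assumptions made for illustration; the records are constructed and are not real Passwordstate output.

```python
import base64
import json

# Constructed sample records using the field names this README mentions
# (UserName, Password, Title, GenericField6); not real Passwordstate output.
SAMPLE_RECORDS = [
    {"Title": "cache", "UserName": "some_secret",
     "Password": "some_secret_value", "GenericField6": "redis:6379,ssl=true"},
    {"Title": "consul", "UserName": "another_secret",
     "Password": "p@ss: 'quoted'", "GenericField6": ""},
]


def build_secrets(records, key_field="UserName", value_field="Password",
                  encode_secrets=False):
    """Map each record to key -> value (hypothetical helper, README parameters)."""
    secrets = {}
    for index, record in enumerate(records):
        key = record.get(key_field)
        if not key:
            raise ValueError(f"record {index} has no usable {key_field!r} field")
        if key in secrets:
            # Two entries sharing a key would silently overwrite each other.
            raise ValueError(f"duplicate secret key {key!r}")
        value = record.get(value_field) or ""
        if encode_secrets:
            # Kubernetes Secret `data:` values must be Base64 of the raw bytes.
            value = base64.b64encode(value.encode("utf-8")).decode("ascii")
        secrets[key] = value
    return secrets


def render_yaml(secrets):
    """Render the `secrets:` mapping; JSON strings are valid YAML scalars,
    so values containing ':' or quotes cannot break the file."""
    lines = ["secrets:"]
    for key, value in secrets.items():
        lines.append(f"  {json.dumps(key)}: {json.dumps(value)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_yaml(build_secrets(SAMPLE_RECORDS, encode_secrets=True)))
    print(render_yaml(build_secrets(SAMPLE_RECORDS, "Title", "GenericField6")))
```

Base64 here is only the encoding Kubernetes expects in `data:`; the output file still holds recoverable secrets and should be treated like the plaintext one.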

Using the plugin for Kubernetes secrets

One of the most likely use cases for the plugin is combining it with the drone-helm plugin, allowing you to deploy the secrets as part of the whole Helm chart. The following example illustrates a pipeline combining these two plugins:

pipeline:
  inject_secrets:
    image: tdabasinskas/drone-passwordstate
    api_endpoint: https://passwordstate/api/
    skip_tls_verify: false
    password_list_id: 1231
    output_path: ./secrets.yaml
    encode_secrets: true
    secrets: [ API_KEY ]
  deploy:
    image: quay.io/ipedrazas/drone-helm
    chart: ./helm
    release: app
    values_files: [ ./helm/values.default.yaml, ./secrets.yaml ]
    wait: true
    prefix: DEV

Assuming the Helm chart under ./helm contains the following secrets template file, it would be automatically filled with the secrets during the deployment:

apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-secrets
type: Opaque
data:
  cache__connectionString: {{ .Values.secrets.some_secret | quote }}
  consul__token: {{ .Values.secrets.another_secret | quote }}

Known issues

  • The plugin currently only supports exporting all secrets within the password list; it does not allow specifying the exact secrets (passwords) to export.

Contributing

Feel free to fork the repository and submit changes via a Pull Request.