Drone

Docker Swarm, Drone, Gitea, Traefik and self-signed SSL

Hello,

I have a self-signed SSL certificate which is loaded into Traefik (none of this is public-internet facing so Let’s Encrypt is out, I believe). All traffic is automatically forwarded over to HTTPS in the frontends. This works great when hitting up any of my other services in Docker Swarm as the cert is trusted in Windows, so all the sites say they’re “Secure” according to Chrome. IE, Gitea, Graylog and others are all now nicely behind the SSL proxy.

When I hit up the Drone front-end, I can login OK if I add “DRONE_GITEA_SKIP_VERIFY=true” to the Drone configuration. However, when I test the webhooks from inside Gitea, I get a response from the Drone hook:

Delivery: Post https://drone.neptune.corp.zppr.co.uk/hook?secret={secret}: x509: certificate signed by unknown authority.

How do I fix that?

I tried adding the certs to Drone using DRONE_TLS_CERT and DRONE_TLS_KEY configs, but I then hit an endless redirect loop when attempting to Login or do anything on the Drone dashboard.

Most interesting is if I just drop all the SSL configuration and change everything to http (including the OAuth callback URL), everything works great. So I feel sure the networking side is fine.

I’ll include some configs below. Let me know if I’ve missed anything.

drone-docker-stack.yml

---
version: "3.7"

networks:
  traefik-public:
    external: true

secrets:
  key.key:
    external: true
  cert.crt:
    external: true

services:
  drone:
    deploy:
      labels:
        - traefik.frontend.rule=Host:drone.neptune.corp.zppr.co.uk
        - traefik.enable=true
        - traefik.port=80
      placement:
        constraints:
          - "node.role == manager"
      replicas: 1
      restart_policy:
        condition: on-failure
    environment:
      - DRONE_LOGS_DEBUG=true
      - DRONE_GITEA_CLIENT_ID={clientId}
      - DRONE_GITEA_CLIENT_SECRET={clientsecret}
      - "DRONE_GITEA_SERVER=https://gitea.neptune.corp.zppr.co.uk"
      - DRONE_GITEA_SKIP_VERIFY=true
      - DRONE_GIT_ALWAYS_AUTH=true
      - DRONE_RPC_SECRET={rpcsecret}
      - DRONE_SERVER_HOST=drone.neptune.corp.zppr.co.uk
      - DRONE_SERVER_PROTO=https
      - DRONE_REPOSITORY_TRUSTED=true
      #- DRONE_TLS_CERT=/run/secrets/cert.crt
      #- DRONE_TLS_KEY=/run/secrets/key.key
    image: "drone/drone:1.4.0"
    networks:
      - traefik-public
    volumes:
      - "drone:/data"
      - "/var/run/docker.sock:/var/run/docker.sock"
volumes:
  drone:
    driver: local

traefik.toml:

defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/run/secrets/cert.crt"
      keyFile = "/run/secrets/key.key"