Drone orgsecret add - client error 404

Hi guys! I am trying to add an org secrets via this command

drone orgsecret add org test_secret test_password

but keep getting:

client error 404: 404 page not found.

I can see that the request is hitting the drone server:

method=POST remote=“172.19.0.1:60492” request=/api/secrets/org request-
id=1Kx3SCQw7SSGRkMdwdmfAwXgG29

Is this something you can advise on please?

org secrets require drone 1.1 or higher, and the endpoint is only accessible to Drone system administrators.

@bradrydzewski thanks, yep, it seems i was running 1.0.
I am hitting another issue now: i have added few orgsecrets, but it seems they are not available from the pipeline.

drone orgsecret info napier-ai smtp_account_user
smtp_account_user
Organization: napier-ai
Pull Request Read: false
Pull Request Write: false

drone orgsecret info napier-ai smtp_account_password
smtp_account_password
Organization: napier-ai
Pull Request Read: false
Pull Request Write: false

then i am trying to access these secrets from the pipeline:

environment:
SMTP_ACCOUNT_PASSWORD:
from_secret: smtp_account_password
SMTP_ACCOUNT_USER:
from_secret: smtp_account_user
commands:
- echo “SMTP_ACCOUNT_USER is $SMTP_ACCOUNT_USER”
- echo “SMTP_ACCOUNT_PASSWORD is $SMTP_ACCOUNT_PASSWORD”

And they are not available…

This is probably just a configuration issue, however, I require more information to advise further. Please provide all of the following information:

  1. The full result of drone repo info <repository> (do not redact repository name)
  2. The full result of drone build info <repository> <build>
  3. The full yaml configuration file

@bradrydzewski just to clarify: i am trying to access the secrets during the PR event. As far as i know secrets for PR are disabled by default for security reasons.

Before i provide all the requested info, could you please advise how to pass Pull Request Read and
Pull Request Write parameters to drone orgsecret add command?

@bradrydzewski found the parameters in the source code:

drone orgsecret add napier-ai test test --allow-pull-request

Trying with the secrets enabled for PR now.

@bradrydzewski --allow-pull-request switch worked and now the secrets are now available on PR event.
The only one question: is it possible to use dockerconfigjson as a global secret in order to pull images from the private registries like below?

image_pull_secrets:

  • dockerconfigjson

I have basically added the org secret for dockerconfigjson , but the image pull fails with No such image error.

I have basically added the org secret for dockerconfigjson , but the image pull fails with No such image error.

yep, I have tested and confirmed this works.

@bradrydzewski so in general should i just add the org secret dockerconfigjson and reference it as usual like below?

image_pull_secrets:
– dockerconfigjson

I have copied the content of dockerconfigjson to a file and then added the secret with:

drone orgsecret add napier-ai dockerconfigjson $(cat dockerconfigjson) --allow-pull-request --allow-push-on-pull-request

But still unable to pull the image…
I do not see anything speacial in the drone server logs.

The drone agent is responsible for loading image_pull_secrets.
See: https://github.com/drone/drone/blob/master/plugin/registry/static.go#L34

I recommend setting DRONE_LOGS_TRUE=true on the agent and tracing through the code to further troubleshoot. You should be able to analyze the trace logs, in conjunction with reading the code, to debug further. You may also need to compile the agent from source and add your own debug logic as needed.

Many thanks for valuable advice, @bradrydzewski. I was inserting the valid dockerconfigjson json as i’ve checked it before inserting it as a usual credential.
In my case the json has been parsed with errors by drone agent and i had to define the json as the env var heredoc and then used that var as an argument to the drone orgsecret add command.

In case some one needs the solution:

  1. Define the json as a env var

read -r -d ‘’ JSON_SECRET << EOM
{
“auths”: {
our.registry.com”: {
“auth”: “encoded_hash”
}
}
}
EOM

  1. Create orgsecret

drone orgsecret add some_org dockerconfigjson $JSON_SECRET --allow-pull-request --allow-push-on-pull-request

1 Like

I hit the same issue where a JSON secret got corrupted somehow while getting it to the command line. drone orgsecret add needs a better way to ingest blob secrets.

there is syntax to load a secret from a file, see:
https://docs.drone.io/cli/orgsecret/drone-orgsecret-add/

2 Likes