Drone

How to set up Drone with HashiCorp Vault

I have a problem: Drone can’t retrieve secrets from HashiCorp Vault, and I don’t know where the problem is. Can anyone help?

My service stack:

Docker version 19.03.4, build 9013bf583a
docker-compose version 1.24.1, build 4667896

drone/drone:1.6.1 + postgres:11 + drone/vault + vault:1.3.0 + nginx

./drone/docker-compose.yml

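version: '3.7'

services:
  # Drone CI server. DRONE_AGENTS_DISABLED=true puts it in single-server mode,
  # so the server itself runs builds against the mounted docker socket.
  drone:
    image: 'drone/drone:1.6.1'
    restart: always
    container_name: drone
    volumes:
      # Needed by the embedded runner to start build containers; it also gives
      # this container root-equivalent control of the host docker daemon.
      - '/var/run/docker.sock:/var/run/docker.sock'
      - '/mnt/data/drone:/data'
    environment:
      # https://docs.drone.io/installation/providers/bitbucket-cloud/
      - 'DRONE_ORGS=mycompany'
      - 'DRONE_BITBUCKET_CLIENT_ID=*****'
      - 'DRONE_BITBUCKET_CLIENT_SECRET=******'
      - 'DRONE_RUNNER_CAPACITY=10'
      - 'DRONE_SERVER_HOST=drone.somedomain'
      - 'DRONE_SERVER_PROTO=https'
      # Presumably TLS is terminated by the nginx proxy on the shared network;
      # otherwise https with autocert off leaves the server without a cert.
      - 'DRONE_TLS_AUTOCERT=false'
      # Logging
      - 'DRONE_LOGS_TRACE=true'
      - 'DRONE_LOGS_TEXT=true'
      - 'DRONE_LOGS_PRETTY=true'
      - 'DRONE_LOGS_COLOR=true'
      # Pre-seeded admin user; the token here is a live API credential.
      - 'DRONE_USER_CREATE=username:root,admin:true,token:*****'
      - 'DRONE_AGENTS_DISABLED=true'
      # DB. The password lives in the DSN and sslmode=disable means the
      # connection is cleartext — tolerable only while db stays on the same
      # compose network.
      - 'DRONE_DATABASE_DRIVER=postgres'
      - 'DRONE_DATABASE_DATASOURCE=postgres://postgres:******@db:5432/postgres?sslmode=disable'
      # Vault secret plugin. The plugin token must be byte-identical to
      # DRONE_SECRET on the drone-vault service; a mismatch makes every
      # from_secret lookup fail. The redacted values above differ in length
      # (drone**** vs drone*****) — confirm they really match.
      - 'DRONE_SECRET_PLUGIN_ENDPOINT=http://drone-vault:3000'
      # Original line was missing its closing quote, which breaks the YAML.
      - 'DRONE_SECRET_PLUGIN_TOKEN=drone****'

  # Secret plugin that resolves `kind: secret` resources against Vault.
  drone-vault:
    # Untagged image floats to `latest`; pin a tag so upgrades are deliberate.
    image: drone/vault
    restart: always
    container_name: drone-vault
    # NOTE(review): drone reaches this plugin over the compose network as
    # http://drone-vault:3000, so publishing the port on the host is not
    # needed for that and exposes the secret endpoint beyond the network.
    # Drop this mapping unless something outside compose has to call it.
    ports:
      - '3000:3000'
    environment:
      - 'DRONE_DEBUG=true'
      # Shared secret; must equal DRONE_SECRET_PLUGIN_TOKEN on the drone service.
      - 'DRONE_SECRET=drone*****'
      # `vault` is not defined in this file; the plugin can only resolve it if
      # the Vault container is attached to the same nginx-proxy network —
      # worth confirming, since it is a common reason lookups fail.
      - 'VAULT_ADDR=http://vault:8200'
      # A static token; prefer one scoped to read-only access on the secret
      # paths the pipelines reference rather than a root-style token.
      - 'VAULT_TOKEN=****'
      - 'VAULT_API_ADDR=http://vault:8200'

  db:
    image: 'postgres:11'
    environment:
      - 'POSTGRES_USER=postgres'
      - 'POSTGRES_PASSWORD=****'
    volumes:
      - '/mnt/data/postgres:/var/lib/postgresql/data'
      - '/mnt/backup:/tmp/pg_backup'

# Every service joins the pre-existing nginx-proxy network, so db and
# drone-vault are reachable by any other container on that network.
networks:
  default:
    external:
      name: nginx-proxy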

My drone.yml

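kind: pipeline
name: build and publish

steps:
  # Creates the per-repo docker cache directory on the host volume. A mkdir on
  # a bind mount needs no extra capabilities, so the step runs unprivileged
  # (the original marked it privileged: true for no apparent reason).
  - name: prepare
    image: busybox
    commands:
      - mkdir -p /cache/${DRONE_REPO}/docker
    volumes:
      - name: cache
        path: /cache

  # Builds and pushes the image. plugins/docker starts its own dockerd, which
  # is why this step, and only this step, needs privileged: true.
  - name: docker-build-publish
    image: plugins/docker
    privileged: true
    settings:
      username:
        from_secret: docker_hub_login
      password:
        from_secret: docker_hub_pass
      repo: somerepo/someimage
      tags: latest
    when:
      branch: master
    # NOTE(review): use_cache is not a Drone step attribute; if it is meant for
    # the docker plugin it belongs under settings — confirm against the plugin's
    # option list. Left where it was so the step is otherwise unchanged.
    use_cache: true
    volumes:
      - name: docker
        path: /var/lib/docker

  # Posts the build result to Telegram. A literal block (|) keeps one line per
  # template line; the original folded scalar (>) collapsed the whole message,
  # ``` fences included, onto a single line.
  - name: telegram
    image: appleboy/drone-telegram
    settings:
      token:
        from_secret: telegram_token
      to:
        from_secret: telegram_id
      message: |
        {{#success build.status}}
        ✅ Build #{{build.number}} of `{{repo.name}}` succeeded.
        📝 Commit by {{commit.author}} on `{{commit.branch}}`:
        ```
        {{commit.message}}
        ```
        🌐 {{ build.link }}
        {{else}}
        ❌ Build #{{build.number}} of `{{repo.name}}` failed.
        📝 Commit by {{commit.author}} on `{{commit.branch}}`:
        ```
        {{commit.message}}
        ```
        🌐 {{ build.link }}
        {{/success}}
    when:
      status: [success, failure]

# Host-path volumes require the repository to be marked Trusted in Drone, and
# anything a build writes here lands directly on the runner host.
volumes:
  - name: cache
    host:
      path: /var/cache
  - name: docker
    host:
      path: /var/cache/${DRONE_REPO}/docker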
---
# External secrets resolved through the drone-vault plugin. The resource
# `name` is what steps reference via from_secret; `get.path` is the Vault
# path the plugin reads and `get.name` is the key inside that secret.
# NOTE(review): if the `secrets` mount is KV version 2, the read path must
# include `/data/` after the mount name (secrets/data/service/ci/prod/...);
# the leading slash is also worth checking against what the plugin expects.
# Confirm both with a direct read using the same token the plugin holds.
kind: secret
name: docker_hub_login
get:
  name: docker_hub_login
  path: /secrets/service/ci/prod/docker_hub
---
# Same Vault secret as docker_hub_login, different key.
kind: secret
name: docker_hub_pass
get:
  name: docker_hub_pass
  path: /secrets/service/ci/prod/docker_hub
---
# Telegram bot token used by the telegram step.
kind: secret
name: telegram_token
get:
  name: telegram_token
  path: /secrets/service/ci/prod/telegram
---
# Telegram chat id the telegram step posts to.
kind: secret
name: telegram_id
get:
  name: telegram_id
  path: /secrets/service/ci/prod/telegram