A drone.io plugin for exporting passwords (secrets) from a Click Studios Passwordstate password list. The plugin exports secrets to the specified file within the workspace, so the file can be used in later pipeline steps (e.g. deploying them to Kubernetes via the drone-helm plugin).
To export all the secrets from the specified Passwordstate password list to a `./secrets.yaml` file, add the following pipeline step:
```yaml
pipeline:
  inject_secrets:
    image: tdabasinskas/drone-passwordstate
    api_endpoint: https://passwordstate/api/
    api_key: $PASSWORD_STATE_KEY
    skip_tls_verify: false
    password_list_id: 1231
    output_path: ./secrets.yaml
    secrets: [ PASSWORD_STATE_KEY ]
```
The plugin will connect to the specified Passwordstate instance and extract the passwords as secrets, using the `UserName` field as the secret key and the `Password` field as the secret value. Once finished, the following file will be created within the workspace:
```yaml
secrets:
  some_secret: 'some_secret_value'
  another_secret: 'another_secret_value'
```
By default, secrets are exported as-is, meaning they would need to be separately Base64-encoded if used as Kubernetes secrets. To handle that automatically, the `encode_secrets` parameter can be used, e.g.:
```yaml
pipeline:
  inject_secrets:
    image: tdabasinskas/drone-passwordstate
    api_endpoint: https://passwordstate/api/
    # can also be supplied via a Drone secret, as in the first example
    api_key: d417b3c2f586b9eaed8b736f95324cd5
    skip_tls_verify: false
    password_list_id: 1231
    output_path: ./secrets.yaml
    encode_secrets: true
```
As mentioned, by default, the `UserName` and `Password` fields are used as the key/value pair. However, different fields can be specified, e.g.:
```yaml
pipeline:
  inject_secrets:
    image: tdabasinskas/drone-passwordstate
    api_endpoint: https://passwordstate/api/
    api_key: d417b3c2f586b9eaed8b736f95324cd5
    skip_tls_verify: false
    password_list_id: 1231
    key_field: Title
    value_field: GenericField6
```
Please note that "Generic Fields", even when renamed in Passwordstate, still have to be entered as "GenericField1", "GenericField2" and so on for password retrieval to work.
One of the most likely use cases for the plugin is combining it with the drone-helm plugin, allowing you to deploy the secrets as part of the whole Helm chart. The following example illustrates a pipeline combining these two plugins:
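The field mapping and optional Base64 encoding described above, written out as an added Python example (not the plugin's own code). The record layout, the `build_secrets` and `render_yaml` names, and the handling of empty or duplicate keys are assumptions made for illustration.

```python
import base64
import json

# Constructed sample of Passwordstate password records (not real data); the
# field names are the ones used on this page.
SAMPLE_RECORDS = json.loads("""
[
  {"Title": "cache", "UserName": "some_secret",
   "Password": "some_secret_value", "GenericField6": "alt-value"},
  {"Title": "consul", "UserName": "another_secret",
   "Password": "it's quoted", "GenericField6": ""},
  {"Title": "orphan", "UserName": "", "Password": "no-key", "GenericField6": ""}
]
""")


def build_secrets(records, key_field="UserName", value_field="Password",
                  encode_secrets=False):
    """Map each record to key_field -> value_field, optionally Base64-encoded."""
    secrets = {}
    for record in records:
        key = (record.get(key_field) or "").strip()
        if not key:
            continue  # assumption: a record with no key cannot be exported
        if key in secrets:
            # assumption: fail loudly instead of silently overwriting a secret
            raise ValueError(f"duplicate secret key: {key}")
        value = record.get(value_field) or ""
        if encode_secrets:
            value = base64.b64encode(value.encode("utf-8")).decode("ascii")
        secrets[key] = value
    return secrets


def render_yaml(secrets):
    """Render the mapping as single-quoted YAML scalars under 'secrets:'."""
    lines = ["secrets:"]
    for key, value in secrets.items():
        escaped = value.replace("'", "''")  # YAML single-quote escaping
        lines.append(f"  {key}: '{escaped}'")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_yaml(build_secrets(SAMPLE_RECORDS)))
    print(render_yaml(build_secrets(SAMPLE_RECORDS, encode_secrets=True)))
```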
```yaml
pipeline:
  inject_secrets:
    image: tdabasinskas/drone-passwordstate
    api_endpoint: https://passwordstate/api/
    skip_tls_verify: false
    password_list_id: 1231
    output_path: ./secrets.yaml
    encode_secrets: true
    secrets: [ API_KEY ]
  deploy:
    image: quay.io/ipedrazas/drone-helm
    chart: ./helm
    release: app
    values_files: [ ./helm/values.default.yaml, ./secrets.yaml ]
    wait: true
    prefix: DEV
```
Assuming the Helm chart under `./helm` contains the following secrets template file, it would be automatically filled with the secrets during the deployment:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-secrets
type: Opaque
data:
  cache__connectionString: {{ .Values.secrets.some_secret | quote }}
  consul__token: {{ .Values.secrets.another_secret | quote }}
```
- The plugin currently only supports exporting all secrets within the password list; the exact secrets (passwords) to export cannot be specified.
Feel free to fork the repository and submit changes via a Pull Request.