New post: Easier Drone Deploys with Docker Images

restyle-spring-2019
Annika Backstrom 1 year ago
parent
commit
733e37c4f7
1 changed file with 130 additions and 0 deletions

content/easier-drone-deploys-docker-images.md (+130, -0)

@@ -0,0 +1,130 @@
1
+Title: Easier Drone Deploys with Docker Images
2
+Slug: easier-drone-deploys-docker-images
3
+Summary: Custom Docker images for Drone CI can reduce redundancy and simplify setup of
4
+    new deployments. We'll look at incrementally building custom images for deploys,
5
+    and how that affects our Drone configuration.
6
+Date: 2018-06-16 12:23
7
+Category: Development
8
+Tags: docker, drone ci
9
+
10
+*Custom Docker images for Drone CI can reduce redundancy and simplify setup of
11
+new deployments. We'll look at incrementally building custom images for deploys,
12
+and how that affects our Drone configuration.*
13
+
14
+[Drone CI][1] configuration files have a straightforward syntax similar to that
15
+of a `docker-compose.yml` file: you specify different build stages, pick an image
16
+for each stage, and run commands against that image:
17
+
18
+```
19
+---
20
+pipeline:
21
+  build:
22
+    image: golang
23
+    commands:
24
+      - go get
25
+      - go build
26
+      - go test
27
+```
28
+
29
+Drone also supports [secrets][2], which keep sensitive information like SSH keys
30
+and API tokens out of your (possibly public) configuration file. A deploy step
31
+might look for credentials in environment variables, store those credentials in
32
+a file, and perform commands using those credentials:
33
+
34
+```
35
+---
36
+pipeline:
37
+  deploy:
38
+    image: alpine
39
+    secrets: [ ssh_private_key, ssh_host_key ]
40
+    commands:
41
+      - mkdir "$${HOME}/.ssh"
42
+      - echo -n "$${SSH_PRIVATE_KEY}" > "$${HOME}/.ssh/id_rsa"
43
+      - chmod 700 "$${HOME}/.ssh/id_rsa"
44
+      - echo "$${SSH_HOST_KEY}" >> "$${HOME}/.ssh/known_hosts"
45
+      - scp -r ./output user@deploy.example.com:/var/www/html
46
+```
47
+
48
+This is prone to repetition. For each new repository (at least without the paid
49
+[global secrets][3] feature), you have to inject secrets which may be the same
50
+as other projects in your CI environment, and perform the same setup steps to
51
+expose those secrets to shell commands.
52
+
53
+## Building custom deploy images
54
+
55
+Instead of all this repetition, let's build our secrets into images we control.
56
+We'll start with a generic image, [drone-rsync-ssh][4]:
57
+
58
+```
59
+FROM alpine:3.7
60
+COPY drone-ssh-keys.sh /usr/bin/drone-ssh-keys
61
+RUN apk add --no-cache openssh-client rsync
62
+```
63
+
64
+The mkdir/echo/chmod behavior from our verbose Drone config file is wrapped up
65
+in [drone-ssh-keys.sh][5], for easy calling in the future. Here's how
66
+`.drone.yml` changes under this image:
67
+
68
+```
69
+---
70
+pipeline:
71
+  deploy:
72
+    image: drone-rsync-ssh
73
+    secrets: [ ssh_private_key, ssh_host_key ]
74
+    commands:
75
+      - drone-ssh-keys
76
+      - scp -r ./output user@deploy.example.com:/var/www/html
77
+```
78
+
79
+We've already cleaned up this build stage, but there's still redundancy in
80
+adding secrets to the Drone repository. Plus, if our secrets change, we have to
81
+update every repository that uses them.
82
+
83
+We can go a step further if we have access to private Docker images. Let's
84
+bundle those credentials right in our image with a new Dockerfile:
85
+
86
+```
87
+FROM alpine:3.7
88
+COPY deploy-assets /deploy-assets
89
+RUN apk add --no-cache openssh-client rsync && \
90
+  mkdir /root/.ssh && \
91
+  cd /deploy-assets && \
92
+  cp deploy.key deploy.pub known_hosts config /root/.ssh && \
93
+  chmod 0600 /root/.ssh/deploy.key
94
+```
95
+
96
+The `deploy-assets` directory contains everything we need to run deploys,
97
+including secrets and file copying utilities. Our new `.drone.yml` is very
98
+compact, and we can call our commands without any additional setup:
99
+
100
+
101
+```
102
+---
103
+pipeline:
104
+  deploy:
105
+    image: drone-rsync-ssh-secrets
106
+    commands:
107
+      - scp -r ./output deploy:/var/www/html
108
+```
109
+
110
+This image is available in your environment for any pipeline that has similar
111
+deploy steps. No more setting up secrets every time you add a repository to
112
+Drone.
113
+
114
+## Security considerations
115
+
116
+As always, treat your secrets with care. At minimum, keep these things in mind:
117
+
118
+* Don't push your secrets to publicly available image repositories (e.g. public
119
+  Docker Hub) or Git repositories
120
+* When using Drone secrets, use [skip branches][6] to avoid exposing your
121
+  secrets to untrusted code
122
+
123
+<!-- links -->
124
+
125
+  [1]: https://drone.io/
126
+  [2]: http://readme.drone.io/usage/secret-guide/
127
+  [3]: http://docs.drone.io/global-secrets/
128
+  [4]: https://git.abackstrom.com/annika/drone-rsync-ssh
129
+  [5]: https://git.abackstrom.com/annika/drone-rsync-ssh/src/branch/master/drone-ssh-keys.sh
130
+  [6]: http://docs.drone.io/hooks/#skip-branches
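Review bot: the "Security considerations" section does not cover the main new risk the post introduces, and its second bullet arguably gives false comfort: the skip-branches advice only governs Drone secrets, but the `drone-rsync-ssh-secrets` image bypasses Drone secrets entirely, so once "this image is available in your environment for any pipeline", any repository (or any branch, including a pull request carrying untrusted code) that can reference the image in its `image:` line can read `/root/.ssh/deploy.key` and deploy or exfiltrate with it. A third bullet should say that the image itself must be treated as a secret: serve it only from a private registry whose pull credentials are limited to the pipelines that are allowed to deploy, and restrict which repositories and branches may run the `deploy` stage. Two smaller points in the same hunk: the Dockerfile's `COPY deploy-assets /deploy-assets` leaves the key in that image layer and in `/deploy-assets` in the final image, so it cannot be scrubbed later with a `RUN rm` and the image must be rebuilt from scratch to rotate the key (worth stating next to "if our secrets change"); and the first `.drone.yml` example uses `chmod 700` on `id_rsa` while the Dockerfile uses `chmod 0600` on `deploy.key`, so the former should be `chmod 600` for consistency (and the `mkdir "$${HOME}/.ssh"` line should probably get a `chmod 700` on the directory).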
