How to get rid of skip_verify: true during cloning?

Dear all,

First of all, thanks for Drone! It is just awesome.
I am running drone in k8s with the helm charts from:

Because we have an internal GitHub instance with private repositories, my chart values mount the CA certificates as follows:

extraVolumes:
 - name: ca-bundle
   configMap:
     name: utils-ca-bundle
extraVolumeMounts:
 - name: ca-bundle
   mountPath: /etc/ssl/certs/ca-certificates.crt
   subPath: ca-bundle.pem

This solved a first issue with the web UI.

However, I still need to provide skip_verify: true in the pipeline to get the clone working:

clone:
  skip_verify: true

What has to be done to get the clone working without skip_verify: true?
Thanks - Chris

I recommend setting a global environment variable (passed to the kube runner) [1] to disable SSL verification globally during clone. This has the same effect as adding the skip_verify flag to every yaml.

DRONE_RUNNER_ENVIRON=GIT_SSL_NO_VERIFY=true

[1] https://docs.drone.io/runner/kubernetes/configuration/reference/drone-runner-environ/

Thanks Brad

To me this is basically the same issue, as the verification is still skipped. If I get it right, there is currently no way to mount /etc/ssl/certs/ca-certificates.crt into the containers of pipeline steps, be it the automatic or customized clone (https://docs.drone.io/pipeline/kubernetes/syntax/cloning/) or the container of any other step.

Would it be reasonable to:

  1. Extend the helm chart to be able to write something like this:

    caCertificates:
      <configMapName>: <configMapDataKey>
    
  2. Adjust the drone runtime (engine/kube/kube.go) to mount this into the pod-containers for each step?

If yes, I'd like to invest some time here.

Adjust the drone runtime (engine/kube/kube.go) to mount this into the pod-containers for each step?

The challenge with config maps is they are per-namespace. You can configure a pipeline to run in different namespaces [1], in which case this approach may be less effective.

[1] https://docs.drone.io/pipeline/kubernetes/syntax/metadata/

Sorry to comment on something old, but I couldn’t find a good solution online, and had to learn the hard way.

I hit this problem while toying around in my setup; my fix was to clone the drone/drone-git repo, and make a small change to the appropriate Dockerfile:

diff --git a/docker/Dockerfile.linux.arm64 b/docker/Dockerfile.linux.arm64
index 73c2616..acfd84a 100644
--- a/docker/Dockerfile.linux.arm64
+++ b/docker/Dockerfile.linux.arm64
@@ -2,6 +2,7 @@ FROM arm64v8/alpine:3.12
 RUN apk add --no-cache ca-certificates git git-lfs openssh curl perl aws-cli sudo
 
 ADD posix/* /usr/local/bin/
+ADD myca.crt /etc/ssl/certs/ca-certificates.crt
 
 # RUN adduser -g Drone -s /bin/sh -D -u 1000 drone
 # RUN echo 'drone ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/drone
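Review bot: `ADD myca.crt /etc/ssl/certs/ca-certificates.crt` overwrites the entire system CA bundle that the `RUN apk add --no-cache ca-certificates` line above just installed, so after this change git, git-lfs and curl in the clone image will fail verification against any publicly signed host, not only succeed against the internal one. Since the ca-certificates package is already in the image, add the internal CA next to the bundle instead and let the package rebuild it, e.g. `ADD myca.crt /usr/local/share/ca-certificates/myca.crt` followed by `RUN update-ca-certificates`, which regenerates ca-certificates.crt with the public roots plus the internal CA.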

After building that image, I pushed it to my private registry.

Finally, I had to add a line to the helm chart (values.yaml):

env:
  DRONE_IMAGE_CLONE: myregistry:5000/drone/git
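Both the subPath mount from the first post (which replaces /etc/ssl/certs/ca-certificates.crt with the ConfigMap's ca-bundle.pem) and the `ADD myca.crt` line in the Dockerfile above have the same side effect: whatever is in that single file becomes the only trust store, so if it holds just the internal CA, every publicly signed host stops verifying. The script below is an added example, not code from this thread or from the Drone project; it builds the ca-bundle.pem for the utils-ca-bundle ConfigMap as public roots plus the internal CA, and refuses to write an empty or truncated bundle. All file paths and certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or the Drone project): build a merged
# CA bundle (system roots + internal CA) for the ca-bundle ConfigMap instead
# of replacing /etc/ssl/certs/ca-certificates.crt with one certificate.
# Paths and certificate bodies below are constructed placeholders.

# count_certs FILE: number of PEM certificate blocks in FILE (0 if missing).
count_certs() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# pem_is_wellformed FILE: at least one block, and every BEGIN has an END.
pem_is_wellformed() {
  b=$(count_certs "$1")
  e=$(grep -c '^-----END CERTIFICATE-----$' "$1" 2>/dev/null || true)
  e=${e:-0}
  [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# merge_ca_bundle SYSTEM_BUNDLE INTERNAL_CA OUT: OUT = SYSTEM_BUNDLE followed
# by INTERNAL_CA. Written via a temp file so OUT is never left half-written,
# and refused outright if either input carries no valid certificate block.
merge_ca_bundle() {
  sys=$1; ca=$2; out=$3
  pem_is_wellformed "$sys" || { echo "refusing: $sys has no valid certs" >&2; return 1; }
  pem_is_wellformed "$ca"  || { echo "refusing: $ca has no valid certs" >&2; return 1; }
  { cat "$sys"; echo; cat "$ca"; } > "$out.tmp" && mv "$out.tmp" "$out"
}

# ---- demo with constructed inputs (stand-ins for the real files) ----
demo=$(mktemp -d)

# fake_cert LABEL: one constructed PEM-shaped block, not a real certificate.
fake_cert() {
  printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# stand-in for the distro bundle (two public roots) and for the internal CA
{ fake_cert 'PUBLICROOT1PLACEHOLDER'; fake_cert 'PUBLICROOT2PLACEHOLDER'; } > "$demo/ca-certificates.crt"
fake_cert 'INTERNALCAPLACEHOLDER' > "$demo/internal-ca.pem"

merge_ca_bundle "$demo/ca-certificates.crt" "$demo/internal-ca.pem" "$demo/ca-bundle.pem"
echo "merged bundle has $(count_certs "$demo/ca-bundle.pem") certificates (expected 3)"

# The merged file is what goes into the ConfigMap the Helm values mount
# (command shown only, not run here):
#   kubectl create configmap utils-ca-bundle --from-file=ca-bundle.pem="$demo/ca-bundle.pem"
```

With a real distro bundle as the first input, the mounted ca-certificates.crt keeps working for public hosts as well as the internal GitHub, and the same merged file can replace `myca.crt` in the custom clone image if you keep the `ADD` approach rather than installing the CA through update-ca-certificates.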