Let Docker plugin use custom CA certificates while running commands during docker build

Hello, I am an enterprise customer and I am improving my pipeline to build Docker containers containing Python web applications.

The Dockerfile starts from vanilla Python image, it adds code and it runs a pip install -r requirements.txt command to download python packages.

Now I want to configure Drone so that docker daemon builds the image downloading packages from our internal repository, which acts also as proxy for PyPi repository.

According to pip and experience, it is enough to set two environment variables as build-args:


The ca-certificates.crt files contains all the public and private CA’s and it is mounted by runners being in the Drone environment file:

DRONE_RUNNER_VOLUMES: "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"

Indeed, if I check the content of such file from a step running just a plain alpine image, I see the correct contents.

Anyway, when running the docker build in the docker plugin, I do see build-args, but the file is not available.

I also tried to mount the file and run priviledge as specified in the documentation, but PIP does not see the right file.

kind: pipeline
name: drone-docker-pip-example
type: docker


- name: check-env
  image: debian:buster-slim
    - env
    - cat /etc/ssl/certs/ca-certificates.crt

- name: build-push
  image: plugins/docker
  privileged: true
    HTTP_PROXY: "http://xx.xx.xx.xx:8080"
    HTTPS_PROXY: "http://xx.xx.xx.xx:8080"
    NO_PROXY: "localhost,, ...OMISSIS..."
    purge: false
    registry: my-docker-registry.localdomain.net
    repo: my-docker-registry.localdomain.net/xyz/drone-docker-pip-example
      from_secret: DOCKER_USERNAME
      from_secret: DOCKER_PASSWORD
      - ${DRONE_TAG}
    dockerfile: Dockerfile
      - HTTP_PROXY=http://xx.xx.xx.xx:8080"
      - HTTPS_PROXY=http://xx.xx.xx.xx:8080
      - NO_PROXY=localhost,, ...OMISSIS...
      - PIP_INDEX_URL=https://my-pip-registry.localdomain.net/repository/pypi-group/simple
      - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
      - name: ca-certificates
        path: /etc/ssl/certs/ca-certificates.crt

Any clue?