Provide list of injected secrets in environment variables #2088

Closed
bradrydzewski opened this issue Jun 23, 2017 · 5 comments

@bradrydzewski

Plugin authors would like the ability to see a list of injected secrets. The proposal is that we would provide a PLUGIN_SECRETS environment variable that would include a comma-separated list of secrets passed to that plugin.

So for the below yaml:

docker:
  image: plugins/docker
  repo: octocat/hello-world
  secrets: [docker_username, docker_password]

the docker plugin would receive the following environment variables:

PLUGIN_SECRETS=DOCKER_USERNAME,DOCKER_PASSWORD

cc @stephansnyt @dellintosh

bradrydzewski added this to the v1.0.0 milestone Jun 23, 2017

dellintosh commented Jun 24, 2017

In the drone-marathon plugin we would like to inject secrets into the marathon.json file in order to leverage the Drone secret store. Since these values can be dynamic (unlike the DOCKER_USERNAME, for example), the plugin cannot be hard-coded with those secret names.

If the plugin could get a list of secrets then it can load those values from the environment by name and inject them into the marathon.json file without requiring additional configuration in the .drone.yml file.

in .drone.yml:

marathon:
  image: e20co/drone-marathon
  repo: octocat/hello-world
  secrets: [octocat_password, db_url, detonation_code]

in marathon.json:

...
  "env": {
    "SYSTEM_PASSWORD": "<<OCTOCAT_PASSWORD>>",
    "DATABASE_URI": "<<DB_URL>>",
    "DETONATION": "<<DETONATION_CODE>>"
  }
...

bradrydzewski added this to To Do in Version 0.8 Jun 24, 2017

stephansnyt commented Jun 28, 2017

@dellintosh I think this change would enable that.

I think the following would be a work-around for now: manually creating something like the PLUGIN_SECRETS variable until the change is implemented where drone does it automatically.

in .drone.yml:

marathon:
  image: e20co/drone-marathon
  repo: octocat/hello-world
  secret_names:
    - OCTOCAT_PASSWORD
    - DB_URL
    - DETONATION_CODE
  secrets: [octocat_password, db_url, detonation_code]

or even something like

secret_names: "OCTOCAT_PASSWORD,DB_URL,DETONATION_CODE"

@dellintosh

@stephansnyt so you know, the latest version of drone-marathon has a values list which does essentially that. See the updated docs at https://plugins.drone.io/e20co/drone-marathon/ for details. This fix would essentially remove the need for the extra list, so that secrets would be automatically included. ;)

bradrydzewski removed this from To Do in Version 0.8 Jun 30, 2017
bradrydzewski removed this from the v1.0.0 milestone Jul 16, 2017

tonglil commented Aug 14, 2017

@bradrydzewski I would like to tackle this if it's not WIP already.
I assume the work is to be done somewhere in cncd/pipeline?
https://github.com/cncd/pipeline/blob/master/pipeline/frontend/metadata.go#L96

bradrydzewski commented Oct 5, 2017

The code for this capability is in place, and will be included in 0.9. Variable name is DRONE_SECRETS.
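
An added example, not code from this thread, from Drone, or from drone-marathon: one way a plugin could consume the injected list and fill the `<<NAME>>` placeholders shown in the marathon.json snippet. It assumes DRONE_SECRETS carries the comma-separated format proposed for PLUGIN_SECRETS; `SecretNames` and `Render` are hypothetical helper names, and the sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// placeholder matches the <<NAME>> markers used in the marathon.json snippet.
var placeholder = regexp.MustCompile(`<<([A-Z0-9_]+)>>`)

// SecretNames parses a comma-separated list such as "DB_URL,DETONATION_CODE".
func SecretNames(list string) []string {
	return strings.FieldsFunc(strings.ToUpper(list), func(r rune) bool { return r == ',' || r == ' ' })
}

// Render fills placeholders only for listed names and fails closed on unlisted or unset ones.
func Render(tmpl string, names []string, lookup func(string) (string, bool)) (string, error) {
	allowed := make(map[string]bool, len(names))
	for _, n := range names {
		allowed[n] = true
	}
	var firstErr error
	out := placeholder.ReplaceAllStringFunc(tmpl, func(m string) string {
		name := m[2 : len(m)-2]
		val, ok := "", false
		if allowed[name] { // never read variables outside the injected list
			val, ok = lookup(name)
		}
		if !ok && firstErr == nil {
			firstErr = fmt.Errorf("placeholder %s: not an injected secret or unset", name)
		}
		quoted, _ := json.Marshal(val) // escape quotes, backslashes, control characters
		return string(quoted[1 : len(quoted)-1])
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

func main() {
	// Constructed sample; a plugin would pass os.Getenv("DRONE_SECRETS") and os.LookupEnv.
	env := map[string]string{"DB_URL": `pg://app:p"w@db/app`}
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	out, err := Render(`{"env": {"DATABASE_URI": "<<DB_URL>>"}}`, SecretNames("db_url"), lookup)
	fmt.Println(len(out), err) // print the size only, never the rendered secrets
}
```

Restricting substitution to the listed names keeps a template from pulling in other environment variables of the plugin container, and the error message names the placeholder without echoing any value.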
