Drone provides the ability to store registry credentials. These credentials can be used to pull private pipeline images defined in your Yaml configuration file.
These credentials are never exposed to your pipeline, which means they cannot be used to push, and are safe to use with pull requests, for example. Pushing to a registry still require setting credentials for the appropriate plugin.
Image Caching Behavior
Pull private images with caution.
All images (including private images) are pulled and cached by the Docker daemon. Neither Docker nor Drone restrict the use of cached images. An image already in the local cache can be used by any pipeline.
It is possible for one repository to have credentials and pull a private image that is cached by Docker, and used by another repository that does not have registry credentials configured.
Keep this in mind when running Drone and jobs in a shared or public environment.
Configuration
Example configuration using a private image:
pipeline:
build:
+ image: gcr.io/custom/golang
commands:
- go build
- go test
Registries are added to your repository using the command line utility:
drone registry add \
--repository <repository> \
--hostname <image> \
--username <name> \
--password <value>
Example command to load the password from a file:
drone registry add \
--repository octocat/hello-world \
--hostname gcr.io \
--username _json_key \
--password @/absolute/path/to/keyfile.json
Please note that in the above examples the --repository flag should be set to your version control repository name (e.g. your github repository name).
Matching
Drone matches the registry hostname to each image in your yaml. If the hostnames match, the registry credentials are used to authenticate to your registry and pull the image. Note that registry credentials are used by the Drone agent and are never exposed to your build containers.
Example registry hostnames:
- Image
gcr.io/foo/barhas hostnamegcr.io - Image
foo/barhas hostnamedocker.io - Image
qux.com:8000/foo/barhas hostnamequx.com:8000
Example registry hostname matching logic:
- Hostname
gcr.iomatches imagegcr.io/foo/bar - Hostname
docker.iomatchesgolang - Hostname
docker.iomatcheslibrary/golang - Hostname
docker.iomatchesbradyrydzewski/golang - Hostname
docker.iomatchesbradyrydzewski/golang:latest
Registry Support
For specific details on configuring access to Google Container Registry, please view the docs here.
Questions?
We are always happy to help with questions you might have. Search our documentation or check out answers to common questions. You can also post questions or comments to our community forum.
Is there a mistake on this page? Please let us know or edit this page.