I have a problem when I use Google Cloud Build. I can't pass the key into docker by cloudbuild.yaml
Google buildfile.yaml:
- name: 'gcr.io/cloud-builders/gcloud'
  args:
    - kms
    - decrypt
    - --ciphertext-file=A.enc
    - --plaintext-file=/root/.ssh/id_rsa
    - --location=global
    - --keyring=keyringxxx
    - --key=keyxxx
  volumes:
    - name: 'ssh'
      path: /root/.ssh
- name: 'gcr.io/cloud-builders/docker'
  args: [
    'build', '.',
    '-t', 'gcr.io/$PROJECT_ID/xxx:latest',
    '--build-arg', 'READ_KEY=`cat /root/.ssh/id_rsa`'
  ]
  volumes:
    - name: 'ssh'
      path: /root/.ssh
Dockerfile:
FROM golang:1.11 AS builder
ARG READ_KEY
RUN mkdir -p ~/.ssh && \
    echo "$READ_KEY" > ~/.ssh/id_rsa && \
    chmod 0600 ~/.ssh/id_rsa && \
    ssh-keyscan github.com >> /root/.ssh/known_hosts && \
    git config --global url.ssh://git@github.com/XXXX.insteadOf https://github.com/XXXX
......
The above code failed. `cat` does not work.
The GCloud Docker Builder is using the Exec form of ENTRYPOINT. Your arguments from the cloudbuild.yaml are not being passed to a shell, thus your `cat` will not be executed.
Why not direct KMS to write the id_rsa directly to the /workspace and do away with the ssh volume altogether?
- name: 'gcr.io/cloud-builders/gcloud'
  args:
    - kms
    - decrypt
    - --ciphertext-file=A.enc
    - --plaintext-file=/workspace/id_rsa
    - --location=global
    - --keyring=keyringxxx
    - --key=keyxxx
- name: 'gcr.io/cloud-builders/docker'
  args: [
    'build', '.',
    '-t', 'gcr.io/$PROJECT_ID/xxx:latest'
  ]
And the Dockerfile becomes:
FROM golang:1.11 AS builder
RUN mkdir -p /root/.ssh
# COPY does not expand ~, so the destination must be spelled out
COPY id_rsa /root/.ssh/
RUN ssh-keyscan github.com >> ~/.ssh/known_hosts && \
    chmod -R 0600 ~/.ssh/ && \
    git config --global url.ssh://git@github.com:.insteadOf https://github.com
Don't forget to mount that .gitconfig into the additional build steps. I just make it part of my CI build script, rather than requiring the extra volume.