Google Cloud Build Docker build-arg from file

I have a problem when I use Google Cloud Build: I can't pass the key into Docker through cloudbuild.yaml.

Google buildfile.yaml:

- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - kms
  - decrypt
  - --ciphertext-file=A.enc
  - --plaintext-file=/root/.ssh/id_rsa
  - --location=global
  - --keyring=keyringxxx
  - --key=keyxxx
  volumes:
  - name: 'ssh'
    path: /root/.ssh
- name: 'gcr.io/cloud-builders/docker'
  args: [
    'build', '.',
    '-t', 'gcr.io/$PROJECT_ID/xxx:latest',
    '--build-arg', 'READ_KEY=`cat /root/.ssh/id_rsa`'
  ]
  volumes:
  - name: 'ssh'
    path: /root/.ssh

Dockerfile:

FROM golang:1.11 AS builder

ARG READ_KEY
RUN mkdir -p ~/.ssh &&  \
    echo "$READ_KEY" > ~/.ssh/id_rsa && \
    chmod 0600 ~/.ssh/id_rsa && \
    ssh-keyscan github.com >> /root/.ssh/known_hosts && \
    git config --global url.ssh://git@github.com/XXXX.insteadOf https://github.com/XXXX

......

The above code failed. cat does not work.

The GCloud Docker Builder is using the Exec form of ENTRYPOINT. Your arguments from the cloudbuild.yaml are not being passed to a shell, thus your cat will not be executed.

Why not direct KMS to write the id_rsa directly to the /workspace and do away with the ssh volume altogether?

- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - kms
  - decrypt
  - --ciphertext-file=A.enc
  - --plaintext-file=/workspace/id_rsa
  - --location=global
  - --keyring=keyringxxx
  - --key=keyxxx
- name: 'gcr.io/cloud-builders/docker'
  args: [
    'build', '.',
    '-t', 'gcr.io/$PROJECT_ID/xxx:latest'
  ]

And the Dockerfile becomes:

FROM golang:1.11 AS builder

RUN mkdir -p ~/.ssh
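# COPY does not expand ~, so the destination is an absolute path (root's home in this image)
COPY id_rsa /root/.ssh/id_rsa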
RUN ssh-keyscan github.com >> ~/.ssh/known_hosts && \
    chmod -R 0600 ~/.ssh/ && \
    git config --global url.ssh://git@github.com:.insteadOf https://github.com

Don't forget to mount that .gitconfig into the additional build steps. I just make it part of my CI build script, rather than requiring the extra volume.
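
The exec-form behaviour described in the answer above, as an added example that is not part of the original posts: a stub `docker` function (hypothetical) shows what READ_KEY holds when the argument arrives as a literal argv entry versus through `sh -c`, and `is_pem_key` (hypothetical) is a fail-fast check for the Dockerfile side. The key text is a constructed placeholder.

```sh
#!/bin/sh
# Added illustration. The key text and the docker stub are constructed stand-ins.

# Stub for `docker`: prints the READ_KEY build-arg exactly as it arrives in argv.
STUB='docker() { for a in "$@"; do case $a in READ_KEY=*) printf "%s\n" "${a#READ_KEY=}" ;; esac; done; }'
eval "$STUB"

# Constructed placeholder standing in for the decrypted id_rsa.
KEYFILE=$(mktemp)
trap 'rm -f "$KEYFILE"' EXIT
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
  '-----END OPENSSH PRIVATE KEY-----' > "$KEYFILE"
export KEYFILE

# Exec form, as in the question: each YAML list item is one argv entry and no
# shell ever parses it, so the backticks reach docker as literal characters.
exec_form() {
  docker build . --build-arg 'READ_KEY=`cat /root/.ssh/id_rsa`'
}

# Shell form: the same command handed to `sh -c`, which runs the command
# substitution before docker starts.
shell_form() {
  sh -c "$STUB"'; docker build . --build-arg "READ_KEY=$(cat "$KEYFILE")"'
}

# Fail-fast check: does the value look like a PEM-style private key?
is_pem_key() {
  case $1 in
    '-----BEGIN '*'PRIVATE KEY-----'*'-----END '*'PRIVATE KEY-----') return 0 ;;
    *) return 1 ;;
  esac
}

for form in exec_form shell_form; do
  value=$($form)
  if is_pem_key "$value"; then
    echo "$form: READ_KEY holds key material"
  else
    echo "$form: READ_KEY is not a key: $value"
  fi
done
```

In Cloud Build the shell form corresponds to setting the step's `entrypoint` to a shell and passing the command after `-c`. A value passed with `--build-arg` can be recovered from the image with `docker history`, so a private key should not travel that way in an image that gets pushed.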

The .ssh directory needs to have the right permissions

RUN mkdir -m 700 -p ~/.ssh &&