I am creating an automated Docker setup for my website. One step is to pull the data from GitLab, but this is a private repo and should not be shared with anyone, therefore I hesitate to just add a deploy key directly in my Dockerfile.
Any good suggestions how I tackle this problem?
It's going to be hosted on AWS with an API call, so maybe there are some options here? Maybe I can use the environment keys? But how would I add the multiline private key? The public key isn't that necessary I guess. And how does it look in my Dockerfile to extract that variable?
Could set up CI/CD within GitLab using the registry thing. There should be details on GitLab's website for this.
Then in the local project include .gitlab-ci.yml and populate with repo info :).
I've not done it myself but I'm working on a project where a teammate has set it all up.
This method requires a gitlab login on the local side.
I have a suggestion myself; whether it works and is legit, I don't know.
On Amazon I add an environment variable SSHKEY with the base64 encoded private key. In my Dockerfile I import it by using this:

# the base64-encoded key is passed in at build time: docker build --build-arg SSHKEY="$SSHKEY" .
ARG SSHKEY
RUN mkdir -p /root/.ssh/ && chmod 700 /root/.ssh/
RUN ssh-keyscan gitlab.com >> /root/.ssh/known_hosts
# decode into the key file; SSH refuses keys readable by others, hence chmod 600
RUN echo "$SSHKEY" | base64 --decode 2>/dev/null > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa
Secrets management in Docker is not fun. I've taken a couple of approaches in the past.
1) Store the secret in a file that is ignored by Git by adding a reference in .gitignore. Declare a build arg in the Dockerfile and inject the file path into the arg at build time. Instruct Docker to copy the file into the image. Remove the file when it's no longer necessary. Note that the key file must reside at a location within the Docker context, so that usually means no higher than the project root. This approach is useful for a local development environment because you can avoid needing to set an environment variable again and again.
Dockerfile

FROM node:8.7.0
ARG GITLAB_KEY_FILE
RUN mkdir -p /keys
ADD $GITLAB_KEY_FILE /keys/gitlab_rsa
RUN \
    chmod 600 /keys/gitlab_rsa && \
    eval $(ssh-agent) && \
    ssh-add /keys/gitlab_rsa && \
    mkdir ~/.ssh && \
    ssh-keyscan gitlab.com >> ~/.ssh/known_hosts && \
    ## Do the things && \
    rm /keys/gitlab_rsa

Command

docker build --build-arg GITLAB_KEY_FILE=path_to_gitlab_key_file .

2) Similar to how you described, declare a build arg into which the secret can be injected. Set the build arg from an environment variable at the command line or within docker-compose.yml. Use the value stored in the build arg to populate a key file within the image. Delete the key file when it is no longer needed. This approach is useful for CI/CD servers and usage with docker-compose because environment variables will remain static.
docker-compose.yml

version: '3.2'
services:
  nginx:
    build:
      context: .
      args:
        GITLAB_KEY: ${GITLAB_KEY_FROM_ENV}
    ports:
      - 80:80

Command

docker build --build-arg GITLAB_KEY=$GITLAB_KEY_FROM_ENV .

Be mindful also of how Docker treats the RUN directive. Docker will create an intermediate partition in the resulting image for each RUN directive (this is how it can intelligently cache steps in the build process). Therefore, each RUN behaves like a new shell. Shell variables and certain processes, like ssh-agent, will not persist between RUNs.
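An added check, not from any poster in this thread, that scans a Dockerfile for the patterns discussed above: a credential-like build arg (its value stays in the image metadata), an ADD/COPY of key material (the file stays in that layer no matter what a later RUN removes), and a key written by one RUN but deleted in a different one. The credential-name heuristic and the sample Dockerfile are constructed for this example.

```python
import re

# Credential-like build-arg names: a heuristic constructed for this example, not a Docker rule.
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASS", re.I)

def parse_dockerfile(text):
    """Join backslash-continued lines and return (INSTRUCTION, arguments) pairs."""
    steps = []
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, rest = line.partition(" ")
            steps.append((instr.upper(), rest.strip()))
    return steps

def find_secret_leaks(text):
    """Report key material that survives in the built image's layers or metadata."""
    findings, secret_args, on_disk = [], set(), {}  # on_disk: path -> step that wrote it
    for i, (instr, rest) in enumerate(parse_dockerfile(text)):
        if instr == "ARG":
            name = rest.split("=", 1)[0]
            if SECRET_NAME.search(name):
                secret_args.add(name)
                findings.append(f"step {i}: build arg {name} stays visible in 'docker history'")
        elif instr in ("ADD", "COPY") and SECRET_NAME.search(rest):
            # The copied file is baked into this layer; a later rm cannot remove it from the image.
            findings.append(f"step {i}: {instr} of key material to {rest.split()[-1]} persists in this layer")
        elif instr == "RUN":
            for cmd in re.split(r"&&|\|\||;", rest):  # one shell command per segment
                words = cmd.split() or [""]
                if words[0] == "rm":
                    for path in words[1:]:
                        if path in on_disk and on_disk.pop(path) != i:
                            findings.append(f"step {i}: {path} removed in a later layer than the one that wrote it")
                elif any(re.search(r"\$\{?%s\b" % re.escape(a), cmd) for a in secret_args):
                    for m in re.finditer(r">>?\s*(?!/dev/null)(\S+)", cmd):
                        on_disk[m.group(1)] = i  # redirect target that received secret material
    for path, i in on_disk.items():
        findings.append(f"step {i}: secret written to {path} and never removed")
    return findings

# Constructed sample mirroring the thread's build-arg approach, with the rm in a separate RUN.
LEAKY = """\
ARG GITLAB_KEY
RUN mkdir -p /root/.ssh && ssh-keyscan gitlab.com >> /root/.ssh/known_hosts
RUN echo "$GITLAB_KEY" | base64 --decode > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa
RUN rm /root/.ssh/id_rsa
"""
```

Running `find_secret_leaks(LEAKY)` reports the build arg and the late removal; moving the `rm` into the same RUN that writes the key clears the second finding.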