雲構建將秘密環境傳遞給 dockerfile

Question

我正在使用 google cloud build 構建一個 docker 圖像並在雲運行中部署。 該模塊依賴於私有的 Github。 在cloudbuild.yaml文件中，我可以訪問秘密密鑰，例如 Github 令牌，但我不知道將此令牌傳遞給Dockerfile的正確和安全方法是什么。

我正在關注這個官方指南，但它只適用於cloudbuild.yaml scope 而不是Dockerfile 。通過 SSH 密鑰從構建中訪問 GitHub

cloudbuild.yaml

steps:
  - name: gcr.io/cloud-builders/docker
    args: ["build", "-t", "gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA", "."]

  - name: gcr.io/cloud-builders/docker
    args: [ "push", "gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA" ]

  - name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: gcloud
    args: [
      "run", "deploy", "$REPO_NAME",
      "--image", "gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA",
      "--platform", "managed",
      "--region", "us-east1",
      "--allow-unauthenticated",
      "--use-http2",
    ]

images:
  - gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA

availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/GITHUB_USER/versions/1
      env: "GITHUB_USER"
    - versionName: projects/$PROJECT_ID/secrets/GITHUB_TOKEN/versions/1
      env: "GITHUB_TOKEN"

Dockerfile

# [START cloudrun_grpc_dockerfile]
# [START run_grpc_dockerfile]
FROM golang:buster as builder

# Create and change to the app directory.
WORKDIR /app

# Create /root/.netrc cred github
RUN echo machine github.com >> /root/.netrc
RUN echo login "GITHUB_USER" >> /root/.netrc
RUN echo password "GITHUB_PASSWORD" >> /root/.netrc

# Config Github, this create file /root/.gitconfig
RUN git config --global url."ssh://git@github.com/".insteadOf "https://github.com/"

# GOPRIVATE
RUN go env -w GOPRIVATE=github.com/org/repo

# Do I need to remove the /root/.netrc file? I do not want this information to be propagated and seen by third parties.

# Retrieve application dependencies.
# This allows the container build to reuse cached dependencies.
# Expecting to copy go.mod and if present go.sum.
COPY go.* ./
RUN go mod download

# Copy local code to the container image.
COPY . ./

# Build the binary.
# RUN go build -mod=readonly -v -o server ./cmd/server
RUN go build -mod=readonly -v -o server

# Use the official Debian slim image for a lean production container.
# https://hub.docker.com/_/debian
# https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
FROM debian:buster-slim
RUN set -x && apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    ca-certificates && \
    rm -rf /var/lib/apt/lists/*

# Copy the binary to the production image from the builder stage.
COPY --from=builder /app/server /server

# Run the web service on container startup.
CMD ["/server"]

# [END run_grpc_dockerfile]
# [END cloudrun_grpc_dockerfile]

嘗試了 2 天后我還沒有找到解決方案，我能做的最簡單的事情就是生成vendor文件夾並將其提交到存儲庫並避免go mod download 。

Answer 1

你有幾種做事的方法。

使用 Docker，當您運行構建時，您在隔離環境中運行它（這是隔離原則）。 因此，您無法從構建過程中訪問環境變量。

要解決這個問題，您可以使用構建參數並將您的秘密值放入該參數中。

但是，有一個陷阱：您必須使用 bash 代碼，而不是在 Cloud Build 中內置的步驟代碼。 讓我演示給你看

# Doesn't work
  - name: gcr.io/cloud-builders/docker
    secretEnv: ["GITHUB_USER","GITHUB_TOKEN"]
    args: ["build", "-t", "gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA", "--build-args=GITHUB_USER=$GITHUB_USER,GITHUB_TOKEN=$GITHUB_TOKEN","."]

# Working version
  - name: gcr.io/cloud-builders/docker
    secretEnv: ["GITHUB_USER","GITHUB_TOKEN"]
    entrypoint: bash
    args: 
     - -c
     - |
        docker build -t gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA --build-args=GITHUB_USER=$$GITHUB_USER,GITHUB_TOKEN=$$GITHUB_TOKEN .

也可以執行Dockerfile之外的動作，大致是一樣的：加載一個容器，執行操作，加載另一個容器，繼續。

雲構建將秘密環境傳遞給 dockerfile

問題描述

1 個解決方案

解決方案1
8 2022-04-29 09:53:18

雲構建將秘密環境傳遞給 dockerfile

問題描述

1 個解決方案

解決方案1 8 2022-04-29 09:53:18

解決方案1
8 2022-04-29 09:53:18