Use github private repo deploy key inside build stage in docker for npm install

Tags:

docker

My use case is that I have multiple express micro-services that use the same middleware and I would like to create a different repo in the format of an npm module for each middleware.

Every repo is a private repo and can have a deploy key attached (can be different keys or the same)

All of this works OK locally. However when I try to use this with my docker-compose setup it fails on the npm install step, in the build stage.

Dockerfile

FROM node:alpine
WORKDIR /app
COPY package.json ./
RUN npm install --production
COPY . .
CMD npm start

docker-compose.yml

version: '3'
services:
  node-api:
    build:
      context: .
      dockerfile: Dockerfile

I understand this doesn't work because I don't have the deploy key I use on my local system in the Docker context.

I've looked around for a solution and none seem very easy/non-hacky:

  1. Copy the key in and squash (CONS: not sure how I do this in a docker-compose file) http://blog.cloud66.com/pulling-git-into-a-docker-image-without-leaving-ssh-keys-behind/

  2. Copy the key in on the build step and add to image. (CONS: Not very secure :( )

  3. Use the key as a build argument. (CONS: see 2)

  4. Dockerise something like https://www.vaultproject.io/ run that up first, add the key and use that within the node containers to get the latest key. (CONS: probably lots of work, maybe other issues?)

  5. Use Docker secrets and docker stack deploy and store the key in docker secrets (CON: docker stack deploy has no support for docker volumes yet. See here https://docs.docker.com/compose/bundles/#producing-a-bundle unsupported key 'volumes')

My question is what is the most secure possible solution that is automated (minimal manual steps for users of the file)? Time of implementation is less of a concern. I'm trying to avoid checking in any sensitive data while making it easy for other people to run this locally.

Peter Grainger, asked Jun 26 '17 09:06



1 Answer

Let's experiment with this new feature: Docker multi-stage build

You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want in the final image.

The idea is to build a temporary base image, then start the build again only taking what you want from the previous image. It uses multiple FROM in the same Dockerfile:

FROM node AS base-node-modules
# the key only ever exists in this throwaway stage
COPY your_secret_key /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa && ssh-keyscan github.com >> /root/.ssh/known_hosts
WORKDIR /somewhere
COPY package.json /somewhere/package.json
# git+ssh dependencies in package.json authenticate with the key
RUN npm install --production

# yes, again!
FROM node
WORKDIR /some/place
COPY --from=base-node-modules /somewhere/node_modules /some/place/node_modules
# ... the rest of your Dockerfile

Docker will discard everything you don't copy over from the first FROM.

Robert, answered Oct 18 '22 14:10
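As an added example (not code from the question or the answer above), the script below applies the answer's two-stage layout to the asker's node:alpine base and adds the check a reviewer would want: a static pass over the final stage of the generated Dockerfile that flags any COPY/ADD whose source is the whole build context, the key file, or an .ssh directory, since a plain "COPY . ." in the final stage would silently pull the deploy key back in. The key path ./deploy_key, the stage name deps, the /app directory and the node-api image name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Scaffolds the two-stage build for a node:alpine base and statically checks
# that the deploy key never reaches the final stage.
# Hypothetical names: key file ./deploy_key, stage "deps", app dir /app, image node-api.
set -e

# Write Dockerfile and .dockerignore into directory $1.
write_dockerfile() {
  cat > "$1/Dockerfile" <<'EOF'
# Stage 1: throwaway stage that is the only place the deploy key exists.
FROM node:alpine AS deps
RUN apk add --no-cache git openssh-client
COPY deploy_key /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa && ssh-keyscan github.com >> /root/.ssh/known_hosts
WORKDIR /app
COPY package.json ./
RUN npm install --production

# Stage 2: the shipped image. Copy explicit paths only; a "COPY . ." here
# would pull deploy_key back in from the build context.
FROM node:alpine
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY package.json ./
COPY src ./src
CMD ["npm", "start"]
EOF
  # deploy_key must stay in the build context for stage 1, so it is not
  # listed here; keep it out of git via .gitignore instead.
  printf '%s\n' node_modules .git > "$1/.dockerignore"
}

# Print every COPY/ADD in the final stage of Dockerfile $1 whose source is the
# whole context, the key file $2, or an .ssh directory. Empty output = clean.
final_stage_leaks() {
  awk -v key="$2" '
    /^[ \t]*FROM[ \t]/ { stage++ }
    { line[NR] = $0; st[NR] = stage }
    END {
      for (i = 1; i <= NR; i++) {
        if (st[i] != stage) continue
        s = line[i]; sub(/^[ \t]+/, "", s)
        if (s !~ /^(COPY|ADD)[ \t]/) continue
        n = split(s, f, /[ \t]+/)
        for (j = 2; j < n; j++) {        # f[2..n-1] are flags and sources, f[n] is the destination
          if (f[j] ~ /^--/) continue
          if (f[j] == "." || f[j] == "./" || f[j] == key || f[j] ~ /\.ssh/) { print s; break }
        }
      }
    }' "$1"
}

# Build and prove the key is absent from the final image (needs docker and the
# deploy key in $1). The deps stage still sits in the local build cache until
# pruned, so run this only on a build host you trust.
build_and_verify() {
  docker build -t node-api "$1"
  docker run --rm node-api sh -c '! test -e /root/.ssh/id_rsa'
}

dir=$(mktemp -d)
write_dockerfile "$dir"
leaks=$(final_stage_leaks "$dir/Dockerfile" deploy_key)
if [ -n "$leaks" ]; then
  printf 'final stage would import the key:\n%s\n' "$leaks"
  exit 1
fi
if [ "${1:-}" = build ]; then
  build_and_verify "$dir"
fi
```

The docker-compose.yml from the question needs no change for this: `build: context: .` already points at the directory holding the Dockerfile and deploy_key, and `sh script.sh build` runs the real build and asserts the key file is absent from the final image. Two caveats the static check cannot cover: the deps stage, key included, stays in the local image cache until `docker image prune` removes it, so anyone who can talk to that Docker daemon can read the key; and a `COPY --from=deps /app /app` would be clean here only because the key lives under /root/.ssh, not under /app. On Docker releases that have BuildKit, `RUN --mount=type=ssh` with `docker build --ssh default` forwards the agent for a single step instead of copying the key into any stage at all.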