My use case is that I have multiple express micro-services that use the same middleware and I would like to create a different repo in the format of an npm module for each middleware.
Every repo is a private repo and can have a deploy key attached (can be different keys or the same)
All of this works OK locally. However when I try to use this with my docker-compose setup it fails on the npm install step, in the build stage.
Dockerfile
FROM node:alpine
RUN npm install --production
CMD npm start
docker-compose.yml
services:
node-api:
build:
context: .
dockerfile: Dockerfile
I understand this doesn't work because I don't have the deploy key I use on my local system in the Docker context.
I've looked around for a solution and none seem very easy/non hacky
Copy the key in and squash (CONS: not sure how I do this in a docker-compose file)http://blog.cloud66.com/pulling-git-into-a-docker-image-without-leaving-ssh-keys-behind/
Copy the key in on the build step and add to image. (CONS: Not very secure :( )
Use the key as a build argument. (CONS: see 2)
Dockerise something like https://www.vaultproject.io/ run that up first, add the key and use that within the node containers to get the latest key. (CONS: probably lots of work, maybe other issues?)
Use Docker secrets and docker stack deploy and store the key in docker secrets (CON: docker stack deploy has no support for docker volumes yet. See here https://docs.docker.com/compose/bundles/#producing-a-bundle unsupported key 'volumes')
My question is what is the most secure possible solution that is automated (minimal manual steps for users of the file)? Time of implementation is less of a concern. I'm trying to avoid checking in any sensitive data while making it easy for other people to run this locally.
In the upper-right corner of any GitHub page, click your profile photo, then click Your profile. On your profile page, click Repositories, then click the name of your repository. From your repository, click Settings. In the sidebar, click Deploy Keys, then click Add deploy key.
log into your docker hub account, and go to your global settings. There is a setting that allows you to set what your default visability is for the repositories that you push. By default it is set to public, but if you change it to private, all of your repositories that you push will be marked as private by default.
Let's experiment with this new feature: Docker multi stage build
You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want in the final image.
The idea is to build a temporary base image, then start the build again only taking what you want from the previous image. It uses multiple FROM in the same Dockerfile:
FROM node as base-node-modules
COPY your_secret_key /some/path
COPY package.json /somewhere
RUN npm install <Wich use your key>
FROM node #yes again!
...
...
COPY --from=base-node-modules /somewhere/node_modules /some/place/node_modules
...
... # the rest of your Dockerfile
...
Docker will discard everything what you don't save from the first FROM.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With