Use a GitHub private repo deploy key inside a docker build step for npm install
My use case is that I have multiple express microservices that use the same middleware and I would like to create a different repo in npm module format for each middleware.
Each repo is a private repo and can have a deployment key attached (can be different keys or the same)
This all works fine locally. However, when I try to use this with a docker compose setup, it fails at the npm install step of the build stage.
Dockerfile

```dockerfile
FROM node:alpine
WORKDIR /app
# package.json lists the private middleware repos as git+ssh dependencies
COPY package.json .
RUN npm install --production
COPY . .
CMD npm start
```
docker-compose.yml

```yaml
services:
  node-api:
    build:
      context: .
      dockerfile: Dockerfile
```
I realize this doesn't work because the deployment key I use on my local system is not available in the Docker build context.
I was looking for a solution and none of the ones I found seem very lightweight / non-hacky:
1. Copy the key and squash the image (CONS: not sure how to do this in a Dockerfile) http://blog.cloud66.com/pulling-git-into-a-docker-image-without-leaving-ssh-keys-behind/
2. Copy the key during the build step and leave it in the image. (CONS: not very secure :( )
3. Use the key as a build argument. (CONS: see 2)
4. Run something like https://www.vaultproject.io/ first, add the key to it, and have the node containers fetch the key from it. (CONS: maybe a lot of work, maybe other problems?)
5. Use Docker secrets with docker stack deploy and store the key in Docker secrets. (CON: docker stack deploy doesn't support this yet. See here https://docs.docker.com/compose/bundles/#producing-a-bundle, "unsupported key volumes")
My question is: what is the most efficient, safest possible solution that is automatic (minimum manual steps for users)? Execution time is not a concern. I want to avoid checking in any sensitive data while still letting other people run this locally.
Try this new feature: Docker multi-stage build
You can selectively copy artifacts from one stage to another, leaving behind anything you don't want in the final image.
The idea is to create a temporary base image and then run the build again, only taking what you want from the previous image. It uses multiple FROMs in the same Dockerfile:
```dockerfile
FROM node AS base-node-modules
# put the key where ssh (and therefore git and npm) will find it, e.g. /root/.ssh/id_rsa
COPY your_secret_key /some/path
COPY package.json /somewhere
# npm install uses your key to clone the private repos
RUN npm install

FROM node  # yes, again!
# ...
# ...
COPY --from=base-node-modules /somewhere/node_modules /some/place/node_modules
# ...
# ... the rest of your Dockerfile
# ...
```
Docker will discard anything you don't keep from the first FROM.
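A complete version of the two-stage pattern described in the answer, as an added example (it is not the answer's own code and not from the asker's project). It assumes a read-only GitHub deploy key saved as `./deploy_key` next to the Dockerfile, application source under `./src`, and a `package.json` that pulls the private middleware as a git+ssh dependency such as `"my-middleware": "git+ssh://git@github.com/example-org/my-middleware.git#v1.2.0"`; all of these names and paths are assumptions.

```dockerfile
# Added example; assumed layout (not from the original post):
#   ./deploy_key    read-only GitHub deploy key for the private middleware repo
#   ./package.json  depends on "git+ssh://git@github.com/example-org/my-middleware.git#v1.2.0"
#   ./src           application source

# ---- stage 1: the only stage that ever sees the key; discarded after the build ----
FROM node:alpine AS deps
RUN apk add --no-cache git openssh-client
WORKDIR /build
# ssh (and therefore git, and therefore npm) looks for the key here by default.
COPY deploy_key /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
# Pin GitHub's host key instead of disabling StrictHostKeyChecking.
RUN ssh-keyscan -t ed25519 github.com >> /root/.ssh/known_hosts
COPY package*.json ./
RUN npm install --production
# The stage is thrown away anyway, but a `docker build --target deps` would keep it,
# so remove the key from the last layer of this stage as well.
RUN rm -f /root/.ssh/id_rsa

# ---- stage 2: the image you ship; it never contains the key or any layer that had it ----
FROM node:alpine
WORKDIR /app
COPY --from=deps /build/node_modules ./node_modules
COPY package.json ./
COPY src ./src
# deploy_key is deliberately never copied into this stage; do not use `COPY . .` here.
USER node
CMD ["npm", "start"]
```

Build it with `docker compose build` (or `docker build -t node-api .`) and then check the result rather than trusting the pattern: `docker run --rm node-api ls -la /root/.ssh` should report that the directory does not exist, and `docker history node-api` lists only the second stage's layers, with no `COPY deploy_key` step. Two caveats: the key still travels in the build context to whatever daemon builds the image, and the `deps` stage's layers remain in that host's build cache until `docker builder prune`, so keep `deploy_key` out of git and prune on shared builders. On Docker 18.09 or newer, BuildKit's `RUN --mount=type=ssh` together with `docker build --ssh default` forwards the host's ssh agent into the build step instead, so the key never lands in any layer at all.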