Add support for securely passing ssh identity to docker build

ericb-summit · ericb-summit · commit e76718fac25a · 2021-03-30T18:57:58.000-04:00
Signed-off-by: Eric Bellotti &lt;ericb@summit-tech.ca&gt;
diff --git a/README.md b/README.md
@@ -260,6 +260,11 @@ version is the image's digest.
 * `pull_tag`: *Optional.*  **DEPRECATED. Use `get` and `load` instead.** Default
   `latest`. The tag of the repository to pull down via `pull_repository`.
 
+* `ssh_identity`: *Optional.* Only applies when `docker_buildkit` is set to `1`.
+  Set to an openssh private SSH key (i.e. -----BEGIN OPENSSH PRIVATE KEY----- ...),
+  this identity will be passed to `docker build` via the `--ssh default` argument
+  through a temporary `ssh-agent` instance.
+
 * `tag`: **DEPRECATED - Use `tag_file` instead**
 * `tag_file`: *Optional.* The value should be a path to a file containing the name
   of the tag. When not set, the Docker build will be pushed with tag value set by
diff --git a/assets/out b/assets/out
@@ -113,6 +113,7 @@ import_file=$(jq -r '.params.import_file // ""' < $payload)
 
 pull_repository=$(jq -r '.params.pull_repository // ""' < $payload)
 pull_tag=$(jq -r '.params.pull_tag // "latest"' < $payload)
+ssh_identity=$(jq -r '.params.ssh_identity // ""' < $payload)
 target_name=$(jq -r '.params.target_name // ""' < $payload)
 
 if [ -n "$load" ]; then
@@ -224,6 +225,15 @@ elif [ -n "$build" ]; then
     fi
   fi
 
+  ssh_args=()
+  if [ -n "$ssh_identity" ] && [ "$DOCKER_BUILDKIT" -eq 1 ]; then
+    eval "$(ssh-agent)"
+    trap "ssh-agent -k; $( trap -p EXIT | cut -f2 -d \' )" EXIT
+    ssh-add <(echo "$ssh_identity")
+    ssh_args+=("--ssh")
+    ssh_args+=("default")
+  fi
+
   target=()
   if [ -n "${target_name}" ]; then
    target+=("--target")
diff --git a/dockerfiles/alpine/Dockerfile b/dockerfiles/alpine/Dockerfile
@@ -30,6 +30,7 @@ RUN apk --no-cache add \
       xz \
       util-linux \
       tar \
+      openssh-client \
     ;
 COPY --from=builder /assets /opt/resource
 RUN ln -s /opt/resource/ecr-login /usr/local/bin/docker-credential-ecr-login
diff --git a/dockerfiles/ubuntu/Dockerfile b/dockerfiles/ubuntu/Dockerfile
@@ -30,7 +30,8 @@ RUN apt-get update; \
     ca-certificates \
     curl \
     gnupg-agent \
-    software-properties-common; \
+    software-properties-common \
+    openssh-client; \
   curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - ; \
   add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ RUN apk --no-cache add \`
`30`	`30`	`xz \`
`31`	`31`	`util-linux \`
`32`	`32`	`tar \`
	`33`	`+ openssh-client \`
`33`	`34`	`;`
`34`	`35`	`COPY --from=builder /assets /opt/resource`
`35`	`36`	`RUN ln -s /opt/resource/ecr-login /usr/local/bin/docker-credential-ecr-login`