Richlewis

Reputation: 15374

Access private git repos via npm install in a Docker container

I am in the process of setting up a Docker container that will pull private repos from GitHub as part of the process. At the moment I am using an Access Token that I pass from the command line (will change once build gets triggered via Jenkins).

docker build -t my-container --build-arg GITHUB_API_TOKEN=123456 .

# Dockerfile
# Env Vars
ARG GITHUB_API_TOKEN
ENV GITHUB_API_TOKEN=${GITHUB_API_TOKEN}

RUN git clone https://${GITHUB_API_TOKEN}@github.com/org/my-repo

This works fine and seems to be a secure way of doing this? (Though I need to check that the var GITHUB_API_TOKEN is only available at build time.)

I am looking to find out how people deal with SSH keys or access tokens when running npm install and dependencies are pulled from GitHub.

"devDependencies": {
  "my-repo": "git@github.com:org/my-repo.git",
  "electron": "^1.7.4"
}

At the moment I cannot pull this repo, as I get the error "Please make sure you have the correct access rights", because I have no SSH keys set up in this container.

Upvotes: 8

Views: 7216

Answers (2)

Robert

Reputation: 36733

Use the multi-stage build approach.

Your Dockerfile should look something like this:

FROM alpine/git as base_clone
ARG GITHUB_API_TOKEN
WORKDIR /opt
RUN git clone https://${GITHUB_API_TOKEN}@github.com/org/my-repo

FROM <whatever>
COPY --from=base_clone /opt/my-repo /opt
...
...
...

Build:

docker build -t my-container --build-arg GITHUB_API_TOKEN=123456 .

The Github API Token secret won't be present in the final image.

Upvotes: 7
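
Added example (not part of the question or either answer): a small Python lint run over the two Dockerfiles from this page, reporting where the build-arg token can outlive the build. The `audit` function, the name pattern used to guess which ARGs hold secrets, and the finding messages are assumptions made for illustration; the Dockerfile text is copied from the posts above with the elided lines dropped.

```python
import re

# Assumption: ARG names matching this pattern carry credentials.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|KEY", re.I)

# Dockerfile text from the question and from the multi-stage answer.
QUESTION_DOCKERFILE = """\
ARG GITHUB_API_TOKEN
ENV GITHUB_API_TOKEN=${GITHUB_API_TOKEN}
RUN git clone https://${GITHUB_API_TOKEN}@github.com/org/my-repo
"""
ANSWER_DOCKERFILE = """\
FROM alpine/git as base_clone
ARG GITHUB_API_TOKEN
WORKDIR /opt
RUN git clone https://${GITHUB_API_TOKEN}@github.com/org/my-repo
FROM <whatever>
COPY --from=base_clone /opt/my-repo /opt
"""

def audit(dockerfile: str):
    """Return (line_no, finding) pairs for build-arg secrets that can outlive the build."""
    findings, secrets, stage_start = [], set(), 0
    lines = dockerfile.splitlines()
    # The final image is whatever is built from the last FROM onward.
    for i, line in enumerate(lines):
        if line.strip().upper().startswith("FROM "):
            stage_start = i
    for i, line in enumerate(lines):
        text = line.strip()
        parts = text.split(None, 1)
        if len(parts) < 2 or text.startswith("#"):
            continue
        instr, rest = parts[0].upper(), parts[1]
        if instr == "ARG":
            name = rest.split("=", 1)[0]
            if SECRET_NAME.search(name):
                secrets.add(name)
            continue
        if not any(re.search(r"\$\{?%s\b" % re.escape(s), rest) for s in secrets):
            continue
        in_final = i >= stage_start
        if instr == "ENV" and in_final:
            findings.append((i + 1, "ARG copied into ENV: stored in the final image config"))
        elif instr == "RUN" and in_final:
            findings.append((i + 1, "ARG used by RUN in final stage: visible via docker history"))
        if instr == "RUN" and re.search(r"git\s+clone\s+\S*\$\{?\w+\}?@", rest):
            findings.append((i + 1, "credential in clone URL: git saves it in .git/config"))
    return findings
```

The one finding left on the multi-stage file applies because `COPY --from` copies `/opt/my-repo` together with its `.git` directory, whose config holds the clone URL; deleting `.git` in the clone stage keeps that URL out of the final image.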

bluescores

Reputation: 4677

docker secrets is a thing, but it's only available to containers that are part of a docker swarm. It is meant for handling things like SSH keys. You could do as the documentation suggests and create a swarm of 1 to utilize this feature.

docker-compose also supports secrets, though I haven't used them with compose.

Upvotes: 1
