Shaaer

Reputation: 557

Docker: cloning private GitHub repo at build time

I am trying to clone a private GitHub repo inside a docker image

# this is our first build stage
FROM ubuntu as intermediate

# install git
RUN apt-get update \
  && apt-get install -y --no-install-recommends openssh-client git

RUN mkdir -p -m 0600 /root/.ssh/ \
  && ln -s /run/secrets/id_rsa /root/.ssh/id_rsa

# make sure your domain is accepted
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts

RUN git clone git@github.com:username/repo_name.git

CMD /bin/bash

This is how I am configuring the ssh secret in the compose file:

version: "3.7"

secrets:
  id_rsa:
    file: ~/.ssh/id_rsa

services:
  maven:
    image: image_tag
    profiles: ["test"]
    build:
      context: ./maven
    secrets:
    - id_rsa

If I build this with docker-compose build maven, it fails when cloning the repo with this exit status.

Cloning into 'repo_name'...
Warning: Permanently added the RSA host key for IP address '140.82.121.3' to the list of known hosts.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
The command '/bin/sh -c git clone git@github.com:username/repo_name.git' returned a non-zero code: 128

However, if I remove the RUN git clone git@github.com:dxpr/dxpr_maven.git from the Dockerfile, build the image, and then run a terminal inside the container and run git clone git@github.com:dxpr/dxpr_maven.git manually, it clones successfully.

What am I doing wrong here?

Upvotes: 0

Views: 379

Answers (2)

Shaaer

Reputation: 557

At the time of posting this question, I was just starting to learn Docker. This is simple and straightforward: secrets are only available at container runtime and not at build time.

Upvotes: 1
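
Compose service-level secrets such as the id_rsa entry in the question are mounted under /run/secrets only in the running container, so the symlink created in the Dockerfile points at nothing while the image is being built. The following is an added example, not code from the question or its answers: it assumes BuildKit is enabled and an ssh-agent holding the key is running on the build host, and it forwards that agent to a single RUN step so the private key is never written to an image layer. The final stage and the /src and /opt paths are illustrative.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Build with the host's ssh-agent forwarded (BuildKit required):
#   eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa
#   DOCKER_BUILDKIT=1 docker build --ssh default -t image_tag ./maven
# With Docker Compose v2 the same forwarding is declared on the service:
#   build:
#     context: ./maven
#     ssh:
#       - default

FROM ubuntu AS intermediate

RUN apt-get update \
  && apt-get install -y --no-install-recommends openssh-client git \
  && rm -rf /var/lib/apt/lists/*

# 0700, not 0600: a directory needs the execute bit to be traversed.
# ssh-keyscan trusts whichever host answers at build time; compare the result
# with the fingerprints GitHub publishes, or COPY a reviewed known_hosts file.
RUN mkdir -p -m 0700 /root/.ssh \
  && ssh-keyscan github.com >> /root/.ssh/known_hosts

WORKDIR /src

# The agent socket exists only for the duration of this RUN instruction.
# No private key is copied into the build context or stored in a layer.
RUN --mount=type=ssh git clone git@github.com:username/repo_name.git

# Final stage (illustrative): only the checked-out source is carried over.
FROM ubuntu
COPY --from=intermediate /src/repo_name /opt/repo_name
CMD ["/bin/bash"]
```

If the clone step still fails with Permission denied (publickey), run ssh-add -l on the build host: an agent with no identities loaded forwards nothing to the build.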

Petronella

Reputation: 2535

Try adding:

# start the agent and export its environment variables into this shell
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

to make sure your key is "seen".

You can also use the HTTP URL for cloning instead.

Upvotes: 0
