Use github private repo deploy key inside build stage in docker for npm install
Question
My use case is that I have multiple express micro-services that use the same middleware, and I would like to create a separate repo, in the format of an npm module, for each middleware.
Every repo is a private repo and can have a deploy key attached (they can be different keys or the same key).
All of this works OK locally. However, when I try to use this with my docker-compose setup, it fails on the npm install step in the build stage.
Dockerfile
FROM node:alpine
WORKDIR /app
COPY package.json ./
RUN npm install --production
COPY . .
CMD npm start
docker-compose.yml
services:
  node-api:
    build:
      context: .
      dockerfile: Dockerfile
I understand this doesn't work because I don't have the deploy key I use on my local system in the Docker context.
I've looked around for a solution and none seem very easy/non-hacky:
1. Copy the key in and squash (CONS: not sure how I would do this in a docker-compose file) http://blog.cloud66.com/pulling-git-into-a-docker-image-without-leaving-ssh-keys-behind/
2. Copy the key in on the build step and add it to the image. (CONS: not very secure :( )
3. Use the key as a build argument. (CONS: see 2)
4. Dockerise something like https://www.vaultproject.io/, run that up first, add the key and use that within the node containers to get the latest key. (CONS: probably lots of work, maybe other issues?)
5. Use Docker secrets and docker stack deploy and store the key in Docker secrets. (CON: docker stack deploy has no support for docker volumes yet. See here https://docs.docker.com/compose/bundles/#producing-a-bundle: unsupported key 'volumes')
My question is: what is the most secure possible solution that is automated (minimal manual steps for users of the file)? Time of implementation is less of a concern. I'm trying to avoid checking in any sensitive data while making it easy for other people to run this locally.
Answer
Let's experiment with this new feature: Docker multi-stage build.
You can selectively copy artifacts from one stage to another, leaving behind everything you don't want in the final image.
The idea is to build a temporary base image, then start the build again, taking only what you want from the previous image. It uses multiple FROM instructions in the same Dockerfile:
FROM node AS base-node-modules
# The deploy key only ever lands in this throw-away stage
COPY your_secret_key /root/.ssh/id_rsa
RUN chmod 700 /root/.ssh && chmod 600 /root/.ssh/id_rsa \
 && ssh-keyscan github.com >> /root/.ssh/known_hosts
WORKDIR /somewhere
COPY package.json /somewhere/
# git+ssh dependencies in package.json are fetched with the key above
RUN npm install

# yes, again! a fresh image that never saw the key
FROM node
...
...
COPY --from=base-node-modules /somewhere/node_modules /some/place/node_modules
...
... # the rest of your Dockerfile
...
Docker will discard everything that you don't save from the first FROM.
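The same multi-stage layout with the deploy key forwarded through BuildKit's ssh mount instead of COPYed in. This is an added example, not the answer's own Dockerfile: the multi-stage build above keeps the key out of the final image, but the COPY in the first stage still writes it into a cached layer on the build host (visible with `docker history` on the intermediate stage and in any push of that stage), whereas `RUN --mount=type=ssh` lends the host's ssh agent socket to one RUN step and never writes key material to a layer. Assumed for the example: the middleware packages are declared in package.json as git+ssh://git@github.com/... dependencies, the app lives in /app, and a Docker with BuildKit enabled (the default in current releases) does the build.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: BuildKit ssh mount in a multi-stage build. Paths, the
# package list and the git+ssh dependencies are assumptions for illustration.

FROM node:alpine AS deps
# node:alpine ships without git or an ssh client; both are needed to fetch
# git+ssh dependencies. ssh-keyscan trusts whatever host key github.com serves
# at build time; pin GitHub's published fingerprint instead for a stricter build.
RUN apk add --no-cache git openssh-client \
 && mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan github.com >> /root/.ssh/known_hosts
WORKDIR /app
COPY package.json package-lock.json ./
# The deploy key never enters the build context or any layer: BuildKit mounts
# the host's ssh agent socket for this single RUN and sets SSH_AUTH_SOCK.
# --omit=dev is the npm 8+ spelling of --production.
RUN --mount=type=ssh npm ci --omit=dev

FROM node:alpine
WORKDIR /app
ENV NODE_ENV=production
# Only the resolved node_modules cross over; the deps stage is left behind.
COPY --from=deps /app/node_modules ./node_modules
COPY . .
USER node
CMD ["npm", "start"]
```

Build it with the deploy key loaded into the local agent (`ssh-add ~/.ssh/middleware_deploy_key`) and `docker build --ssh default .`; in docker-compose.yml the same forwarding is the `ssh` attribute under `build` (`build: { context: ., ssh: [default] }`, Compose v2, taken from the compose spec), so other people only need the key in their agent and nothing is checked in. List node_modules and the key file in .dockerignore so `COPY . .` cannot pull a local copy into the image. Two caveats worth knowing: GitHub authenticates with the first key the agent offers and a deploy key is scoped to a single repository, so if every middleware repo has its own deploy key the wrong one may be offered first and the clone rejected; one key authorised on all of those repos (or a machine user) avoids that. And `npm ci` against a committed package-lock.json pins the middleware commits the image is built from, which `npm install` on its own does not guarantee.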