GCP Cloud构建将秘密传递给docker arg [英] GCP Cloud build pass secret to docker arg

问题描述

我打算将我的npm令牌传递给gcp云构建，这样我就可以在多阶段构建中使用它来安装私有npm软件包.

I intend to pass my npm token to gcp cloud build, so that I can use it in a multistage build, to install private npm packages.

我有以下简短的Dockerfile:

I have the following abridged Dockerfile:

FROM ubuntu:14.04 AS build
ARG NPM_TOKEN

RUN echo "NPM_TOKEN:: ${NPM_TOKEN}"

以及以下简短的cloudbuild.yaml:

and the following abridged cloudbuild.yaml:

---
  steps:
  - name: gcr.io/cloud-builders/gcloud
    entrypoint: 'bash'
    args: [ '-c', 'gcloud secrets versions access latest --secret=my-npm-token > npm-token.txt' ]
  - name: gcr.io/cloud-builders/docker
    args:
    - build
    - "-t"
    - gcr.io/my-project/my-program
    - "."
    - "--build-arg NPM_TOKEN= < npm-token.txt"
    - "--no-cache"

我的cloudbuild.yaml基于文档，但似乎无法将两个和两个放在一起，因为该表达式"--build-arg NPM_TOKEN =< npm-token.txt"不起作用.当我直接传递npm令牌时，我已经测试了DockerFile，并且它可以工作.我只是在将gcloud机密中的令牌作为docker的构建参数传递给我时遇到了麻烦.

I based my cloudbuild.yaml on the documentation, but it seems like I am not able to put two and two together, as the expression: "--build-arg NPM_TOKEN= < npm-token.txt" does not work. I have tested the DockerFile, when I directly pass in the npm token, and it works. I simply have trouble passing in a token from gcloud secrets as a build argument to docker.

非常感谢您的帮助！

推荐答案

您的目标是将秘密文件的内容放入build参数中.因此，您必须使用 NPM_TOKEN ="$(cat npm-token.txt)" 或 NPM_TOKEN ="$(< npm-token.txt)" 读取文件内容.代码>.

Your goal is to get the secret file contents into the build argument. Therefore you have to read the file content using either NPM_TOKEN="$(cat npm-token.txt)"or NPM_TOKEN="$(< npm-token.txt)".

  name: gcr.io/cloud-builders/docker
  entrypoint: 'bash'
  args: [ '-c', 'docker build -t gcr.io/my-project/my-program . --build-arg NPM_TOKEN="$(cat npm-token.txt)" --no-cache' ]

注意:但是，gcr.io/cloud-builders/docker使用exec入口点形式.因此，您将入口点设置为bash.

Note: The gcr.io/cloud-builders/docker however use exec entrypoint form. Therefore you set entrypoint to bash.

还要注意，您将机密保存到构建工作区(/workspace/..).这也使您可以将秘密作为文件复制到容器中.

Also note that you save the secret to the build workspace (/workspace/..). This also allows you to copy the secret as a file into your container.

FROM ubuntu:14.04 AS build
ARG NPM_TOKEN

COPY npm-token.txt .
RUN echo "NPM_TOKEN:: $(cat npm-token.txt)"

这篇关于GCP Cloud构建将秘密传递给docker arg的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！