Add support for securely passing ssh identity to docker build

concourse · Mar 30, 2021 · ab8f021 · ab8f021
1 parent 6468b14
commit ab8f021
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -260,6 +260,11 @@ version is the image's digest.
 * `pull_tag`: *Optional.*  **DEPRECATED. Use `get` and `load` instead.** Default
   `latest`. The tag of the repository to pull down via `pull_repository`.
 
+* `ssh_identity`: *Optional.* Only applies when `docker_buildkit` is set to `1`.
+  Set to an openssh private SSH key (i.e. -----BEGIN OPENSSH PRIVATE KEY----- ...),
+  this identity will be passed to `docker build` via the `--ssh default` argument
+  through a temporary `ssh-agent` instance.
+
 * `tag`: **DEPRECATED - Use `tag_file` instead**
 * `tag_file`: *Optional.* The value should be a path to a file containing the name
   of the tag. When not set, the Docker build will be pushed with tag value set by

diff --git a/assets/out b/assets/out
@@ -113,6 +113,7 @@ import_file=$(jq -r '.params.import_file // ""' < $payload)
 
 pull_repository=$(jq -r '.params.pull_repository // ""' < $payload)
 pull_tag=$(jq -r '.params.pull_tag // "latest"' < $payload)
+ssh_identity=$(jq -r '.params.ssh_identity // ""' < $payload)
 target_name=$(jq -r '.params.target_name // ""' < $payload)
 
 if [ -n "$load" ]; then
@@ -224,6 +225,15 @@ elif [ -n "$build" ]; then
     fi
   fi
 
+  ssh_args=()
+  if [ -n "$ssh_identity" ] && [ "$DOCKER_BUILDKIT" -eq 1 ]; then
+    eval "$(ssh-agent)"
+    trap "ssh-agent -k; $( trap -p EXIT | cut -f2 -d \' )" EXIT
+    ssh-add <(echo "$ssh_identity")
+    ssh_args+=("--ssh")
+    ssh_args+=("default")
+  fi
+
   target=()
   if [ -n "${target_name}" ]; then
    target+=("--target")

diff --git a/dockerfiles/alpine/Dockerfile b/dockerfiles/alpine/Dockerfile
@@ -30,6 +30,7 @@ RUN apk --no-cache add \
       xz \
       util-linux \
       tar \
+      openssh-client \
     ;
 COPY --from=builder /assets /opt/resource
 RUN ln -s /opt/resource/ecr-login /usr/local/bin/docker-credential-ecr-login

diff --git a/dockerfiles/ubuntu/Dockerfile b/dockerfiles/ubuntu/Dockerfile
@@ -30,7 +30,8 @@ RUN apt-get update; \
     ca-certificates \
     curl \
     gnupg-agent \
-    software-properties-common; \
+    software-properties-common \
+    openssh-client; \
   curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - ; \
   add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \