
I want to build my golang project image using git cicd and kaniko.
The problem is my golang project has some private git repo dependencies which require an ssh key during go mod download or go build.

What I am doing is generating a key pair using ssh-keygen, adding the public key to my private gitlab repo, and lastly adding the private key to my build image dir ~/.ssh/ when building the go project.

To do this, I create a cicd variable PRIVATE_KEY with the ssh private key content on gitlab first. Then I use the kaniko executor build-arg to pass the PRIVATE_KEY variable from cicd to the executor. Finally, in the Dockerfile, I echo the PRIVATE_KEY to ~/.ssh/id_ed25519.

But it doesn’t work, and kaniko throws an Error: unknown command "OPENSSH" for "executor", which confuses me a lot since I’m not using any OPENSSH command.

So I want to ask if I’m doing this correctly, and how to solve this problem, maybe the best practice for integrating git cicd, kaniko, ssh key, thanks.

The simple git cicd YAML is:

build-image:
  stage: build_image
  image:
    name: xxxxx/kaniko-executor:release
    entrypoint: [""]
  script:
    - pwd
    - echo "start build images"
    - mkdir -p ~/.docker/
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > ~/.docker/config.json
    # config.json holds the registry password; printing it copies it into the job log
    - cat ~/.docker/config.json
    - cd $CI_PROJECT_DIR

    - IMAGE=$IMAGE_BASE/golang-test:$CI_COMMIT_SHORT_SHA
    - echo "generate docker image $IMAGE"
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/docker/Dockerfile --destination $IMAGE --validate-image --build-arg KEY=$PRIVATE_KEY

  after_script:
    - echo "build images completed."
  when: on_success
  only:
    - tags

The Dockerfile is:

FROM  xxxxxx/golang:1.19.9-alpine as builder
# use KEY to hold the PRIVATE_KEY
ARG KEY
ENV CGO_ENABLED=0
ENV GOPRIVATE=xxxxxx
ENV GOPROXY=https://goproxy.cn,direct
RUN apk update
RUN apk add git openssh gcc g++
RUN git config --global url."git@xxxxx:".insteadOf https://xxxxx

# put the PRIVATE_KEY to .ssh
RUN mkdir -p ~/.ssh
# debug output: this prints the private key into the build log
RUN echo $KEY
# quote the variable so the key's newlines are written as-is
RUN echo "$KEY" > ~/.ssh/id_ed25519
RUN chmod 600 ~/.ssh/id_ed25519
RUN ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
RUN ssh-keyscan -t rsa xxxxx >> ~/.ssh/known_hosts

RUN mkdir -p /app
WORKDIR /app

COPY ./* ./
RUN go mod download
RUN go build

FROM xxxxxx/alpine-base:0.1
RUN mkdir -p /home/work/bin/golang-test
WORKDIR /home/work
COPY --from=builder /app/golang-test /home/work/bin/golang-test/
COPY --from=builder /app/deploy/* /home/work/bin/golang-test/
RUN ls -l /home/work/bin/golang-test/

CMD ["/home/work/bin/golang-test/start.sh"] 


Answers


  1. Chosen as BEST ANSWER
    1. Replace \n with a comma in my ssh private key file, so the cicd variable looks like:
    -----BEGIN OPENSSH PRIVATE KEY-----,b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW,QyNTUxOQAAACCvuLD03y4Sxxxxxxxxxxx................FihIlhY,oQAAAAtzc2gtZWQyNTUxOQAAACCvuLD03y4SWo0AjHHVcpph+aebmVQ+................AAEBlmINM3qvbjwgm1htSc1Cc7/BJMMqEqMqs+lKhELYng6+4sPTfLhJajQCMcdVymmH5,p5uZVD4QgdZW8NPUb3LfAAAAEXJvb3RAZDQxNWM5MDlkOGU0AQIDBA==,-----END OPENSSH PRIVATE KEY-----

    2. Pass the key to the Dockerfile:
    /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/docker/Dockerfile --destination $IMAGE --validate-image --build-arg KEY="$SSH_PRIVATE_KEY"

    3. Replace the commas with \n again in the Dockerfile. You can follow the instructions in this post: Split a comma separated strings in Bash.

  2. It’s possible that the argument KEY=$PRIVATE_KEY is written on multiple lines.

    Can you encode your PRIVATE_KEY in base64 so that it is on one line:

    cat id_ed25519 | base64 | tr -d '\n'
    

    Store your new CI/CD variable PRIVATE_KEY on Gitlab and change your kaniko line to (decode base64):

    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/docker/Dockerfile --destination $IMAGE --validate-image --build-arg KEY="$(echo "$PRIVATE_KEY" | base64 -d)"
    

    You can also view the result by adding the following at the beginning of the script for debugging:

    - set -x
    

    The previous line shows you in the logs the command that is launched.

    The complete code:

    build-image:
      stage: build_image
      image:
        name: xxxxx/kaniko-executor:release
        entrypoint: [""]
      script:
        # set -x traces every expanded command, so the decoded private key also ends up in the job log
        - set -x
        - pwd
        - echo "start build images"
        - mkdir -p ~/.docker/
        - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > ~/.docker/config.json
        # config.json holds the registry password; printing it copies it into the job log
        - cat ~/.docker/config.json
        - cd $CI_PROJECT_DIR
    
        - IMAGE=$IMAGE_BASE/golang-test:$CI_COMMIT_SHORT_SHA
        - echo "generate docker image $IMAGE"
        - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/docker/Dockerfile --destination $IMAGE --validate-image --build-arg KEY="$(echo "$PRIVATE_KEY" | base64 -d)"
    
      after_script:
        - echo "build images completed."
      when: on_success
      only:
        - tags
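The shell behaviour behind the question's error and the base64 transport from this answer, as an added example that is not code from the question, either answer, or kaniko. It assumes a POSIX sh with base64 and tr on PATH and uses a constructed placeholder key, not a real one.

```shell
#!/bin/sh
# Added example: reproduces why `--build-arg KEY=$PRIVATE_KEY` fails in the
# pipeline above and checks that the base64 round trip keeps the key intact.
# PRIVATE_KEY is a constructed placeholder, not a real private key.
PRIVATE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
AAAAplaceholder-line-one
AAAAplaceholder-line-two
-----END OPENSSH PRIVATE KEY-----'

# Number of argv words the executor would receive for the given arguments.
argc() { echo "$#"; }

# Unquoted: the shell splits $PRIVATE_KEY on newlines and spaces, so the
# key's "OPENSSH" becomes its own argument, which kaniko then reads as a
# subcommand: unknown command "OPENSSH" for "executor".
unquoted_argc() { argc --build-arg KEY=$PRIVATE_KEY; }
unquoted_third_word() { set -- --build-arg KEY=$PRIVATE_KEY; echo "$3"; }

# Quoted: the whole multi-line key is a single argument.
quoted_argc() { argc --build-arg KEY="$PRIVATE_KEY"; }

# Answer 2's transport: base64 gives one line that is safe in a CI variable.
# GNU base64 wraps at 76 columns, so the newlines are stripped explicitly.
encode_key() { printf '%s' "$PRIVATE_KEY" | base64 | tr -d '\n'; }
encoded_is_one_line() { enc=$(encode_key); [ "$enc" = "$(printf '%s' "$enc" | tr -d '\n')" ]; }

# Decoding must restore the key byte for byte.
decode_key() { encode_key | base64 -d; }
round_trip_ok() { [ "$(decode_key)" = "$PRIVATE_KEY" ]; }

# Dockerfile side: `RUN echo $KEY > ~/.ssh/id_ed25519` (unquoted) joins the
# lines with spaces, producing a file ssh cannot parse; quoting keeps them.
write_key_unquoted() { echo $PRIVATE_KEY; }
write_key_quoted() { printf '%s\n' "$PRIVATE_KEY"; }

# Note: `RUN echo $KEY` and `set -x` both copy the private key into the
# build or job log, so they belong only in throwaway debugging runs.
main() {
  echo "unquoted argv words: $(unquoted_argc), third word: $(unquoted_third_word)"
  echo "quoted argv words:   $(quoted_argc)"
  round_trip_ok && echo "base64 round trip: ok"
}
main
```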
    