I’m building an app that pulls dependencies from private git repos during the docker build phase.
I’m planning to do a multi-stage build and only provide the necessary git ssh keys to the “builder” stage of the build.
I’ve started by adding an ssh key as a secret using .balena secrets in

```yaml
build-secrets:
  global:
    - source: id_rsa
      dest: id_rsa
```
I’m then using the ssh key secret in my Dockerfile like this:
```dockerfile
FROM wlisac/raspberrypi3-swift:5.0 as builder

# Add credentials and known hosts to builder
RUN mkdir /root/.ssh/ \
    && cp /run/secrets/id_rsa /root/.ssh/id_rsa \
    && chmod 400 /root/.ssh/id_rsa \
    && touch /root/.ssh/known_hosts \
    && ssh-keyscan github.com >> /root/.ssh/known_hosts

# Do stuff that uses a private github.com repo

FROM wlisac/raspberrypi3-swift:5.0

# Copy build artifacts from builder

CMD ["./start.sh"]
```
This is working with `balena push`, but it would be nice to find a solution that also works with `balena build`. A best case scenario would be a “fully portable” Dockerfile that would even work with a raw `docker build` command, too.
Any suggestions on a “portable” approach that works with `balena build`, and maybe even
I’m considering using `ARG` instead of a mounted secret to allow the Dockerfile to be more portable. This should allow me to pass the ssh key as a build arg to `balena build` or `docker build` commands. Although `balena push` looks like it still requires build args to be defined in the
The documentation says that secrets are more secure than build args, but I’m not sure it makes a difference in this case since I need(?) to copy the ssh key to the builder image either way (I can’t `chmod 400` the ssh key on the secrets mount since it’s a read-only file system).
Any suggestions or best practices folks could share would be very helpful.
Balena secrets looks like a great new feature – hoping I can figure out how to use it correctly.
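Whichever route is taken (secret copied into the builder stage, or an `ARG` consumed by a `RUN` step), the thing worth checking afterwards is that neither the key file nor the build-arg value survived into the final image. The script below is an added example, not code from the post or from balena: it walks a `docker save` style tarball (`manifest.json` listing a `Config` JSON and `Layers` tars, which is the layout `docker save` produces) and reports private key material found in any layer file, or in the image history, where a build arg used by a `RUN` step is recorded verbatim. The `build_sample_image` helper is a constructed stand-in for real `docker save` output so the check runs offline.

```python
import io, json, tarfile

# Markers that identify private key material in OpenSSH or PEM form.
KEY_MARKERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----")


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def scan_image_tar(image_bytes):
    """Scan a `docker save` tarball (as bytes). Returns (location, detail) findings:
    key material in a layer file, or a build arg holding key material in history."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:") as img:
        for entry in json.load(img.extractfile("manifest.json")):
            config = json.load(img.extractfile(entry["Config"]))
            # Build-arg values used by a RUN step are recorded verbatim in history.
            for step in config.get("history", []):
                created_by = step.get("created_by", "").encode()
                if any(m in created_by for m in KEY_MARKERS):
                    findings.append(("history", created_by[:40].decode(errors="replace")))
            for layer_name in entry["Layers"]:
                with tarfile.open(fileobj=img.extractfile(layer_name), mode="r:") as layer:
                    for member in layer:
                        if member.isfile():
                            data = layer.extractfile(member).read(1 << 20)  # first 1 MiB
                            if any(m in data for m in KEY_MARKERS):
                                findings.append((layer_name + ":" + member.name, "private key"))
    return findings


def build_sample_image(leak_file=False, leak_arg=False):
    """Constructed stand-in for `docker save` output: one layer, one config, a manifest."""
    key = KEY_MARKERS[0] + b"\nAAAA(constructed)\n-----END OPENSSH PRIVATE KEY-----\n"
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w:") as layer:
        _add(layer, "app/start.sh", b"#!/bin/sh\nexec ./app\n")
        if leak_file:  # the builder-stage copy ended up in the final image
            _add(layer, "root/.ssh/id_rsa", key)
    step = "/bin/sh -c ./build.sh"
    if leak_arg:  # `ARG SSH_KEY` consumed by a RUN step is stored like this
        step = "|1 SSH_KEY=" + key.decode() + " " + step
    image_buf = io.BytesIO()
    with tarfile.open(fileobj=image_buf, mode="w:") as img:
        _add(img, "layer/layer.tar", layer_buf.getvalue())
        _add(img, "config.json", json.dumps({"history": [{"created_by": step}]}).encode())
        _add(img, "manifest.json", json.dumps([{"Config": "config.json", "Layers": ["layer/layer.tar"]}]).encode())
    return image_buf.getvalue()
```

Against a real image, run `docker save <image> -o image.tar` and pass the file's bytes to `scan_image_tar`; an empty result for the final stage is what the multi-stage approach is meant to achieve.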