
We use Sinopia for our npm repo and the credentials (.npmrc file in home or current dir) are necessary for a build. Up until today, I've avoided persisting these credentials in the code, of course, and also kept them out of Docker image layers by passing an env var that is set with the contents of the .npmrc credentials file. Then during the build:

RUN cat $NPMRC>.npmrc && npm install ; rm .npmrc

... all in one RUN avoids a layer persisted with the secret in it.

But I'm trying to set up container build requests using YAML files to set up the env var, and failing. The build-request.yaml has to be in the code so I can't put it in there, and I've tried to add --build-arg NPMRC="$(<.npmrc)" after copying it from buckets... no errors, but auth fails.

I'm trying to create the build args using an incantation like this: [..., '--build-arg', 'NPMRC=\""$(< ./.npmrc)"\"', ....] This shows in the build history as

... build --build-arg "NPMRC=\""$(cat ./.npmrc)"\"" -t

... which, AFAICT, is correct if bash gets hold of the subshell like I think it should:

echo "NPMRC=\""$(cat ./.npmrc)"\"" -> NPMRC="_auth=...."

Looking for solutions others may have found.

ahmet alp balkan
Rondo

  • In general, setting secrets on build arguments or environment variables is not a good idea. Those persist on metadata of the image and can be viewed very easily. – ahmet alp balkan Jul 20 '17 at 15:25
  • We have a feature in the works that should help you a lot with this. Stay tuned! – Jason Hall Jul 20 '17 at 16:45
  • @AhmetAlpBalkan Docker inspect does *not* reveal the NPMRC env variable... is there someplace else you think I should be looking? – Rondo Jul 21 '17 at 20:38
  • See https://stackoverflow.com/a/51921954/6309 and **`docker build --secret id=mysecret,src=/secret/file`** – VonC Aug 19 '18 at 21:27
  • Thanks @VonC... I'll see if that works for me – Rondo Aug 24 '18 at 17:39

1 Answer

I think this page is right on the money so I'd say it's safe to answer my own question with reference to it (I won't accept, I guess?):

https://cloud.google.com/container-builder/docs/tutorials/using-encrypted-files

Summary: Encrypt .npmrc using Cloud Key Management Service and commit the encrypted file in the src home directory (or copy it to a bucket and add a gsutil build step), then add the decrypt as a build step:

```yaml
steps:
- name: gcr.io/cloud-builders/gcloud
  args:
  - kms
  - decrypt
  - --ciphertext-file=npmrc.enc
  - --plaintext-file=.npmrc
  - --location=global
  - --keyring=[KEYRING-NAME]
  - --key=[KEY-NAME]
```

Rondo

  • This did not solve the final step of the problem: getting this value into the container for the build in a way that would not persist it in a layer – Rondo Jul 25 '17 at 01:53
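The comments above disagree about where a credential passed as a build arg or ENV ends up. Both routes leave a trace in the image config that `docker push` ships to the registry: an ENV persists in `config.Env`, and the legacy builder records the build args a RUN step consumed in that layer's `history[].created_by` line as a `|N NAME=value` prefix. The following scanner is an added example, not code from the question, the answer or Google's tutorial; it checks an image config (the OCI image config JSON shape, as produced by `docker image save` or `docker image inspect`) for npm credentials in either place. The sample image config, the `_auth` value in it and the function name are constructed for illustration.

```python
"""Scan a Docker/OCI image config for npm credentials leaked via build
args (recorded in layer history) or ENV (recorded in config.Env).
Added example; not part of the original question or answer."""
import re

# How npm registry credentials look inside an .npmrc file.
SECRET_MARKERS = (
    re.compile(r"_auth\s*=\s*\S+"),
    re.compile(r"_authToken\s*=\s*\S+"),
    re.compile(r"_password\s*=\s*\S+"),
)

# The legacy builder prefixes a RUN layer's command with the build args it
# consumed: "|1 NPMRC=<value> /bin/sh -c <command>".
BUILD_ARG_PREFIX = re.compile(r"^\|(\d+)\s+(.*?)\s+/bin/sh -c")


def find_leaked_credentials(image_config: dict) -> list:
    """Return one finding per place in the image metadata that carries an
    npm credential. Each finding is a dict with 'location' and 'kind'."""
    findings = []

    # 1. Layer history: expanded build-arg values and ENV/ARG instructions.
    for i, entry in enumerate(image_config.get("history", [])):
        created_by = entry.get("created_by", "")
        m = BUILD_ARG_PREFIX.match(created_by)
        # Only the "|N k=v" prefix carries expanded build-arg values; the
        # command text itself still shows "$NPMRC" unexpanded.
        blob = m.group(2) if m else created_by
        if any(p.search(blob) for p in SECRET_MARKERS):
            findings.append({
                "location": f"history[{i}].created_by",
                "kind": "build-arg" if m else "instruction",
            })

    # 2. Runtime environment baked into the image.
    for var in image_config.get("config", {}).get("Env", []):
        if any(p.search(var) for p in SECRET_MARKERS):
            findings.append({
                "location": f"config.Env[{var.split('=', 1)[0]}]",
                "kind": "env",
            })
    return findings


# Constructed sample: an image built the way the question describes, with
# NPMRC passed as a build arg (layer 2) and, for contrast, also set as ENV.
# The _auth value is a made-up placeholder, not a real credential.
SAMPLE_IMAGE_CONFIG = {
    "config": {
        "Env": [
            "PATH=/usr/local/bin:/usr/bin",
            "NPMRC=_auth=UExBQ0VIT0xERVI=",
        ]
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc123 in /"},
        {"created_by": "/bin/sh -c #(nop)  ARG NPMRC", "empty_layer": True},
        {"created_by": "|1 NPMRC=_auth=UExBQ0VIT0xERVI= /bin/sh -c "
                       "cat $NPMRC>.npmrc && npm install ; rm .npmrc"},
        {"created_by": "/bin/sh -c npm install"},
    ],
}

if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_IMAGE_CONFIG):
        print(f"{finding['kind']:>10}: {finding['location']}")
```

Run against a real image, the input would be the config JSON from `docker image save` (or `Config.Env` from `docker image inspect` plus `docker history --no-trunc` for the `created_by` lines). The `rm .npmrc` in the same RUN keeps the file out of the layer's filesystem, which is the part the question got right; it does nothing about the `|1 NPMRC=...` record in the history, which is what the first comment is pointing at and what BuildKit's `--secret` mount avoids.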