Azure Devops nuget artifact feed and docker

Question

Is there a good way to create an authentication mechanism to Devops to be able to access the artifact NuGet feed? I would like to create a base image for my team that would allow them to just pull an image from our Azure Container Registry that has access to our devops nuget feed. Ideally people wouldn't have to have the same stock dockerfile code in every single project that grabs a PAT from their host build system. This would also allow us to CICD this a little more nicely.

My current solution

FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build-env
WORKDIR /app

ARG IT_PAT
ENV VSS_NUGET_EXTERNAL_FEED_ENDPOINTS "{\"endpointCredentials\": [{\"endpoint\": \"https://pkgs.dev.azure.com/MNPIT/_packaging/MNP/nuget/v3/index.json\",\"username\": \"build\",\"password\": \"${IT_PAT}\"}]}"
RUN mkdir -p $HOME/.nuget/plugins
WORKDIR /deps

# Downloads and installs the NuGet credential plugin so we can login to the private NuGet feed
RUN curl https://github.com/microsoft/artifacts-credprovider/releases/download/v0.1.24/Microsoft.NetCore2.NuGet.CredentialProvider.tar.gz -L -o creds.tar.gz -s
RUN tar -xzf creds.tar.gz
RUN cp -r plugins/netcore/ ~/.nuget/plugins

Stock code in every build file
Each user configuring their environment variables with a PAT
Passing the PAT on every build
Does not work with an automated build system

Hi Did you get a chance to check out below workaround.How did it go? — Levi Lu-MSFT, Jul 31 '20 at 10:16
Not yet, apologies. Moved on to another issue, but I'll try to get back to this next week — greven, Jul 31 '20 at 20:28

score 18 · Answer 1 · answered Jan 19 '21 at 09:38

YAML

Run NuGetAuthenticate task to add VSS_NUGET_ACCESSTOKEN to environment variables (more info)
Pass token to Docker task as an argument

- task: NuGetAuthenticate@0

- task: Docker@2
  displayName: 'build docker image'
  inputs:
    command: build
    containerRegistry: 'happycodeacr'
    repository: 'hc-app-sample-api-dev'
    buildContext: '$(Pipeline.Workspace)/app'
    Dockerfile: '$(Pipeline.Workspace)/app/src/HappyCode.Api/Dockerfile'
    arguments: '--build-arg FEED_ACCESSTOKEN=$(VSS_NUGET_ACCESSTOKEN)'
    tags: |
      latest
      $(Build.BuildId)

Dockerfile

Download and install artifacts provider (more info)
Receive token
Set VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variable with feed url and token for nuget restore process
Copy NuGet.config file
Run dotnet restore

FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
WORKDIR /work

RUN curl -L https://raw.githubusercontent.com/Microsoft/artifacts-credprovider/master/helpers/installcredprovider.sh  | sh
ARG FEED_ACCESSTOKEN
ENV VSS_NUGET_EXTERNAL_FEED_ENDPOINTS \
    "{\"endpointCredentials\": [{\"endpoint\":\"https://happycode.pkgs.visualstudio.com/_packaging/hc-nuget-feed/nuget/v3/index.json\", \"password\":\"${FEED_ACCESSTOKEN}\"}]}"
COPY ["NuGet.config", "./"]

COPY ["src/*/*.csproj", "./"]
RUN for projectFile in $(ls *.csproj); \
    do \
      mkdir -p ${projectFile%.*}/ && mv $projectFile ${projectFile%.*}/; \
    done
RUN dotnet restore /work/HappyCode.Api/HappyCode.Api.csproj

# further instructions

Don't forget to give the build agent that is building your docker container a reader role in the artifact library - especially if the artifact library is at the organization level or in a different project. Hope that saves someone a few hours of debugging! — krb224, Mar 19 '21 at 02:12
A problem I had here, when using classical Azure DevOps build pipelines was that in Docker task "Build an image", in Build Arguments I had to pass `FEED_ACCESSTOKEN=$(VSS_NUGET_ACCESSTOKEN)` instead of `--build-arg FEED_ACCESSTOKEN=$(VSS_NUGET_ACCESSTOKEN)` copied from YAML. — piotr.gradzinski, Jan 19 '22 at 14:48

Levi Lu-MSFT · Accepted Answer · 2020-07-30T05:42:23.573

I would like to create a base image for my team that would allow them to just pull an image from our Azure Container Registry that has access to our devops nuget feed.

You can include the credentials inside your image to achieve this, But for security concern, you've better add some extra steps or codes to pass the credentials from outside the image.

Based on your current solution, you can use the system predefined variable $(System.AccessToken) to get the security token in the azure devops CICD pipeline. Then in the docker build task, you pass the access token to the ARG IT_PAT as arguement,

--build-arg IT_PAT=$(System.AccessToken)

Besides using the NuGet credential plugin, You can also use the dotnet cli to add credentials to the nuget source. And then pass the $(System.AccessToken) in the build arguements. See below:

ARG PAT
COPY . .
RUN dotnet nuget add source "your-source-url" --name "source-name" --username "useless" --password "$PAT" --store-password-in-clear-text
RUN dotnet restore

Another workaround is to include the nuget.config in the build context. But you need to include a nuget.config file without the credentials first, and then add an extra nuget task to add the credentials to the config file. Then copy the nuget.config in your docker file . See below:

Add a nuget task to run below custom command to add the credentials to the nuget.config file.

sources Add -Name "MyPackages" -Source "https://my.pkgs.visualstudio.com/_packaging/MyPackages/nuget/v3/index.json" -username any -password $(System.AccessToken) -ConfigFile Source/Nuget.config -StorePasswordInClearText

Copy the nuget.config in the docker file, Donot forget to delete the nuget.config file when the restore is complete:

COPY *.csproj .
COPY ./nuget.config .
RUN dotnet restore
RUN rm nuget.config

If you are using Yaml based pipeline. You can also check out container jobs. Then you use your private container by setting up the container endpoints. And then you can directly use the restore tasks in your pipeline. See below example, the nuget restore task will run in your private container, and it can access to your azure feeds directly by specifying attribute vstsFeed to your nuget feed:

When you specify a container in your pipeline, the agent will first fetch and start the container. Then, each step of the job will run inside the container.

container:
  image: myprivate/registry:ubuntu1604
  endpoint: private_dockerhub_connection

steps:
- task: NuGetCommand@2
  inputs:
    command: 'restore'
    feedsToUse: 'select'
    vstsFeed: 'my-azure-nuget-feed'
    restoreSolution: '**/*.sln'

For more information you can check out this thread.

I had originally considered setting up a system like this (using the CICD Access Token) but had dismissed it as exposing sensitive data. I suppose in a private ACR that's ok though. The PAT probably goes stale pretty quickly though, yes? — greven, Aug 05 '20 at 14:38
Yes, This token is valid for 48 hours, see [this thread](https://developercommunity.visualstudio.com/content/problem/618929/what-is-the-scope-of-the-token-in-systemaccesstoke.html). — Levi Lu-MSFT, Aug 06 '20 at 02:08

ironic · Answer 3 · 2023-02-07T16:51:28.123

1

Adding to other replies - you can avoid modifying nuget.config in runtime and use environment variable instead. During authentication nuget checks environmental variables of format

NuGetPackageSourceCredentials_'name', where 'name' is the key of the feed in the nuget.config file.

For example

NuGetPackageSourceCredentials_MyPackages="Username=unused_but_required_by_nuget;Password=$(System.AccessToken)"

edited Feb 07 '23 at 16:51

answered Feb 07 '23 at 15:47

ironic

8,368
7
35
44

Azure Devops nuget artifact feed and docker

3 Answers3

YAML

Dockerfile

Linked