
When I build a container on Google Cloud Build, I echo a secret from an environment variable into a cert file. The file is definitely there during the build process. I've echoed it after it was written and have done an ls on the directory and it's all correct. However, the final container image doesn't have the file. My .dockerignore ignores /tmp, /log and local dev DB files. Here is the Dockerfile:

```dockerfile
FROM alpine:3.14
# Build-time arguments carrying the secrets
ARG MASTER_KEY
ARG GCS_SECRET

RUN apk update && apk add --no-cache build-base libpq vips-dev postgresql-dev ruby-dev ruby-etc
RUN apk add nodejs

WORKDIR /app

COPY Gemfile Gemfile.lock ./

RUN gem install bundler && \
    bundle config set --local deployment 'true' && \
    bundle config set --local without 'development test' && \
    bundle install

# Copies the whole build context (minus .dockerignore entries) into /app
COPY . /app

ENV RAILS_ENV=production \
    LANG=C.UTF-8 \
    BUNDLE_JOBS=4 \
    BUNDLE_RETRY=3 \
    RAILS_SERVE_STATIC_FILES=true \
    RAILS_LOG_TO_STDOUT=true

# ENV values are stored in the image config and persist into every container
ENV RAILS_MASTER_KEY=$MASTER_KEY
RUN bundle exec rake assets:precompile

# Writes the build-arg value into a file in the image layer
RUN echo "$GCS_SECRET" > config/gcs_secret.json
RUN ls config

EXPOSE 8080
CMD ["bin/rails", "server", "-b", "0.0.0.0", "-p", "8080"]
```

The file in question is the config/gcs_secret. I tried copying it to / and again, it's not there in the image.

ajmurmann
  • Could it be that "echo" needs to be replaced with /bin/echo as described here: https://stackoverflow.com/questions/55431538/cannot-configure-code-with-echo-in-docker-with-alpine-os-but-can-in-ubuntu – Kolban Dec 31 '22 at 16:27
  • Do you map any volumes onto `/app` or `/app/config` at run-time? Can you explain how you've determined that the file isn't there? – Hans Kilian Dec 31 '22 at 16:28
  • How are you running the container? How do you verify the file is not in the image? (If you `docker inspect` the image, do you see the master key written out there in plain text; do you need to inject these secrets some other way?) – David Maze Dec 31 '22 at 16:29
  • @Kolban I don't think it's an issue with the echo, as I was able to do a `RUN cat config/gcs_secret.json` and in the build logs the expected content showed up. @HansKilian not that I am aware of. I run the container on Google Cloud Run with what should be the default config. @DavidMaze I get an error from Rails because the file is missing expected content. I pulled the image and inspected it with `docker run -it --entrypoint /bin/sh card-app`. Ugh, the master key used to be there. Now it's not. I'll see which of my changes broke that. – ajmurmann Dec 31 '22 at 16:42
  • @DavidMaze Looking into the master key, comparing to my pre-debug efforts the only thing related to the master key that changed was that I had moved the declaration of the arg to the top of the file. Moving it back to its first usage brings it back. So bottom line is that the master key is there when doing `docker inspect`, the json creds are there when I echo them or ls the dir during build time, but are gone when I execute the image on Google Cloud Run or access it via shell locally. – ajmurmann Jan 01 '23 at 00:49
  • Hopefully I'm not misunderstanding what you're trying to do, but you should avoid baking secrets into a docker container at build time. They should be supplied to the container when it's running as config. When a secret is baked into a container, anyone that has access to the image can access your secret. – Jake Nelson Jan 01 '23 at 13:00
  • @JakeNelson Yes, you are understanding this right. I also agree that for a "real" project I should probably have Google Cloud Run provide the creds somehow at runtime. That said, this is a project for a little girl to share her craft projects with her friends. I've spent ~2 hours building the app and now am probably 20-30 hours into deploying it. God, how I miss the Heroku of 2010! Nobody but me will have access to the image. – ajmurmann Jan 01 '23 at 18:55
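A check of the point David Maze and Jake Nelson raise, added here and not written by the asker or any commenter: with `ENV RAILS_MASTER_KEY=$MASTER_KEY` and `RUN` lines that use build args, the secrets are readable from the image metadata by anyone who can pull the image, no container needed. The image config is a constructed sample in the shape of the config blob `docker save` writes (the same data `docker history` and `docker inspect` display); `SECRET_NAME` and `find_baked_secrets` are my own names.

```python
import json
import re

# Constructed sample of an image config blob (the "config" JSON inside
# `docker save` output; placeholder values, not real secrets). It mirrors the
# question's Dockerfile: ENV RAILS_MASTER_KEY=$MASTER_KEY lands in config.Env,
# and the classic builder records build-arg values in each RUN layer's created_by.
SAMPLE_CONFIG = json.loads(r'''{
  "config": {"Env": [
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "RAILS_ENV=production",
    "RAILS_MASTER_KEY=0123456789abcdef0123456789abcdef"]},
  "history": [
    {"created_by": "/bin/sh -c #(nop)  ARG MASTER_KEY", "empty_layer": true},
    {"created_by": "/bin/sh -c #(nop)  ARG GCS_SECRET", "empty_layer": true},
    {"created_by": "|2 GCS_SECRET={\"type\":\"service_account\"} MASTER_KEY=0123456789abcdef0123456789abcdef /bin/sh -c bundle exec rake assets:precompile"},
    {"created_by": "|2 GCS_SECRET={\"type\":\"service_account\"} MASTER_KEY=0123456789abcdef0123456789abcdef /bin/sh -c echo \"$GCS_SECRET\" > config/gcs_secret.json"}
  ]}''')

# Names that look like they carry credentials; tune to the project's naming.
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL", re.I)
# A RUN layer whose created_by starts with "|N name=value ..." carries the
# clear-text values of N build args; `docker history` prints the same string.
ARG_PREFIX = re.compile(r"^\|(\d+) (.*) /bin/sh -c ")
ARG_NAME = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")


def find_baked_secrets(config):
    """Return secret-looking names readable from image metadata alone,
    split by where they sit: {'env': [...], 'history': [...]}."""
    env_hits, history_hits = set(), set()
    for entry in config.get("config", {}).get("Env", []):
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name):
            env_hits.add(name)
    for layer in config.get("history", []):
        m = ARG_PREFIX.match(layer.get("created_by", ""))
        if m:
            for name in ARG_NAME.findall(m.group(2)):
                if SECRET_NAME.search(name):
                    history_hits.add(name)
    return {"env": sorted(env_hits), "history": sorted(history_hits)}


if __name__ == "__main__":
    # Feed a real image's config blob here instead of the constructed sample.
    for where, names in find_baked_secrets(SAMPLE_CONFIG).items():
        for name in names:
            print(f"{where}: {name} is readable from the image without running it")
```

Both findings go away only when the values are no longer passed as build args or `ENV`; supplying them at run time, as the comments suggest, leaves the image config and layer history clean.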

0 Answers