diff --git a/Dockerfile b/Dockerfile
index 328871d7..fed8e574 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -45,6 +45,7 @@ RUN apt update && apt install -y --no-install-recommends \
 docker-ce \
 docker-buildx-plugin \
 jq \
+ openssh-client \
 ca-certificates \
 xz-utils \
 iproute2 \
diff --git a/README.md b/README.md
index 2695443d..9edfb189 100644
--- a/README.md
+++ b/README.md
@@ -277,6 +277,27 @@ version is the image's digest.
 * `pull_tag`: *Optional.* **DEPRECATED. Use `get` and `load` instead.** Default `latest`. The tag of the repository to pull down via `pull_repository`.
+* `ssh_identity`: *Optional.* Set to an openssh private SSH key (it can be a file
+ or an inline key). This identity will be passed to `docker build` via the
+ `--ssh default` argument through a temporary `ssh-agent` instance.
+
+ Examples:
+
+ ```yaml
+ ssh_identity: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ 0000000000000000000000000000000000000000000000000000000000000000000000
+ 0000000000000000000000000000000000000000000000000000000000000000000000
+ 0000000000000000000000000000000000000000000000000000000000000000000000
+ 0000000000000000000000000000000000000000000000000000000000000000000000
+ 000000000000000000000000000000000000000000000000000000==
+ -----END OPENSSH PRIVATE KEY-----
+ ```
+
+ ```yaml
+ ssh_identity: /path/to/key
+ ```
+
 * `tag`: **DEPRECATED - Use `tag_file` instead**
 * `tag_file`: *Optional.* The value should be a path to a file containing the name of the tag. When not set, the Docker build will be pushed with tag value set by
diff --git a/assets/out b/assets/out
index e605e268..57e39231 100755
--- a/assets/out
+++ b/assets/out
@@ -126,6 +126,7 @@
 import_file=$(jq -r '.params.import_file // ""' < $payload)
 pull_repository=$(jq -r '.params.pull_repository // ""' < $payload)
 pull_tag=$(jq -r '.params.pull_tag // "latest"' < $payload)
+ssh_identity=$(jq -r '.params.ssh_identity // ""' < $payload)
 target_name=$(jq -r '.params.target_name // ""' < $payload)

 if [ -n "$load" ]; then
@@ -237,6 +238,20 @@ elif [ -n "$build" ]; then
 fi
 fi

+ ssh_args=()
+ if [ -n "$ssh_identity" ]; then
+ export DOCKER_BUILDKIT=1
+ eval "$(ssh-agent)"
+ trap "ssh-agent -k; $( trap -p EXIT | cut -f2 -d \' )" EXIT
+ if [ -f "$ssh_identity" ]; then
+ ssh-add "$ssh_identity"
+ else
+ ssh-add <(echo "$ssh_identity")
+ fi
+ ssh_args+=("--ssh")
+ ssh_args+=("default")
+ fi
+
 target=()
 if [ -n "${target_name}" ]; then
 target+=("--target")
diff --git a/tests/fixtures/ssh_identity b/tests/fixtures/ssh_identity
new file mode 100644
index 00000000..695743b0
--- /dev/null
+++ b/tests/fixtures/ssh_identity
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCTcY7/Q4JTr+zc5uuLSndCM8uiMBdf2H3JHTaCw1POrQAAAJiSPsoAkj7K
+AAAAAAtzc2gtZWQyNTUxOQAAACCTcY7/Q4JTr+zc5uuLSndCM8uiMBdf2H3JHTaCw1POrQ
+AAAEBhwFGOegUZ/wTf18i/9SNbDgZ0P/BJtPUoGHdvi2bNtJNxjv9DglOv7Nzm64tKd0Iz
+y6IwF1/YfckdNoLDU86tAAAAE3NvbWVvbmVAZXhhbXBsZS5jb20BAg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/out_test.go b/tests/out_test.go
index 802df105..a263a991 100644
--- a/tests/out_test.go
+++ b/tests/out_test.go
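Review bot: If either `ssh-add` call fails (unreadable file, malformed or passphrase-protected inline key), the block still appends `--ssh default` and the build proceeds with an empty agent, which only surfaces later as an opaque fetch failure inside the Dockerfile; unless the script runs under `set -e` (not visible in this hunk) both calls should fail fast, e.g. `ssh-add "$ssh_identity" || exit 1` and `ssh-add <(echo "$ssh_identity") || exit 1`. The EXIT trap chaining via `$( trap -p EXIT | cut -f2 -d \' )` also silently truncates any pre-existing trap whose command contains a single quote, so capturing the previous trap once into a variable, or killing the agent explicitly right after the `docker build` call, is more robust; the latter additionally stops exposing the identity over `SSH_AUTH_SOCK` to the remainder of the put step (push, tagging). Where `ssh_args` is spliced into the `docker build` invocation lies outside this hunk.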
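Review bot: `tests/fixtures/ssh_identity` commits an unencrypted OpenSSH private key to the repository, which secret scanners (push protection, pre-commit hooks) will flag on every clone and which can never be rotated out of history once published. Since the test only needs any parsable key, generating one during test setup, e.g. `ssh-keygen -t ed25519 -N "" -f "$fixture_dir/ssh_identity"`, avoids the scanner noise and removes any chance of the fixture being reused somewhere it grants access; if it must stay committed, a README line or a sibling `.pub` file stating it is a throwaway test-only key helps the next reviewer and the scanner allowlist.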
@@ -484,6 +484,24 @@ var _ = Describe("Out", func() {
 })
 })

+ Context("When specifying ssh_identity", func() {
+ It("should set ssh args", func() {
+ session := put(map[string]interface{}{
+ "source": map[string]interface{}{
+ "repository": "test",
+ },
+ "params": map[string]interface{}{
+ "build": "/docker-image-resource/tests/fixtures/build",
+ "additional_tags": "/docker-image-resource/tests/fixtures/tags",
+ "ssh_identity": "/docker-image-resource/tests/fixtures/ssh_identity",
+ },
+ },
+ )
+ Expect(session.Err).To(gbytes.Say(dockerarg(`--ssh`)))
+ Expect(session.Err).To(gbytes.Say(dockerarg(`default`)))
+ })
+ })
+
 Context("When passing additional_tags ", func() {
 It("should push add the additional_tags", func() {
 session := put(map[string]interface{}{
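Review bot: The new `It` only exercises the file-path branch of `ssh_identity`; the inline-key branch in assets/out (`ssh-add <(echo "$ssh_identity")`) has no coverage, and the two `gbytes.Say` assertions only establish that `--ssh` and `default` each appear somewhere in stderr, not that they are adjacent arguments of the same `docker build` call. A second `It` that reads the fixture and passes its contents as the `ssh_identity` value covers the inline path (this assumes the test process sees the same filesystem as the script, as the fixture paths in params suggest; the `os` import and gomega's `HaveOccurred` would need to be in scope). The enclosing `Describe("Out", ...)` starts and ends outside this hunk.
```go
	Context("When specifying ssh_identity", func() {
		// … unchanged: file-path It …

		It("should set ssh args for an inline key", func() {
			key, err := os.ReadFile("/docker-image-resource/tests/fixtures/ssh_identity")
			Expect(err).NotTo(HaveOccurred())
			session := put(map[string]interface{}{
				"source": map[string]interface{}{
					"repository": "test",
				},
				"params": map[string]interface{}{
					"build":           "/docker-image-resource/tests/fixtures/build",
					"additional_tags": "/docker-image-resource/tests/fixtures/tags",
					"ssh_identity":    string(key),
				},
			})
			Expect(session.Err).To(gbytes.Say(dockerarg(`--ssh`)))
			Expect(session.Err).To(gbytes.Say(dockerarg(`default`)))
		})
	})
```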