Context
A Ruby on Rails application built with Container Builder and used on App Engine. We need Bundler to be able to install dependencies from a private git repository using an SSH key.
The SSH keys come from a secure bucket and are decrypted via KMS. These steps work fine. However, the final step, building the container with Docker, cannot access the SSH keys.
I don't have much experience with Docker, so I assume this is a simple question.
cloudbuild.yml
steps:
  # Get and prepare Deploy Key
  - name: 'gcr.io/cloud-builders/gsutil'
    args: ['cp', 'gs://[PROJECT-BUCKET]/git_id_rsa.enc', '/root/.ssh/git_id_rsa.enc']
    volumes:
      - name: 'ssh-setup'
        path: /root/.ssh
  - name: 'gcr.io/cloud-builders/gcloud'
    args:
      - kms
      - decrypt
      - --ciphertext-file=/root/.ssh/git_id_rsa.enc
      - --plaintext-file=/root/.ssh/git_id_rsa
      - --location=global
      - --keyring=[KEYRING]
      - --key=[KEY]
    volumes:
      - name: 'ssh-setup'
        path: /root/.ssh
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: /workspace/deploy/git-prepare.sh
    volumes:
      - name: 'ssh-setup'
        path: /root/.ssh
  # ... Omitted steps ...
  # Docker build
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/[PROJECT-NAME]', '.']
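In the configuration above, the `ssh-setup` volume is mounted into the gsutil and gcloud steps but not into the final Docker step, so the builder container that runs `docker build` never sees `/root/.ssh`. Even when it is mounted, the build context is only the `.` directory, so a key in `/root/.ssh` still does not reach `bundle install` inside the Dockerfile, and copying it into the context would bake the private key into an image layer. The following is an added example (not the asker's file) of a Cloud Build config that mounts the same volume into the Docker step and forwards the decrypted key with BuildKit's `--ssh` flag, so the key is available only to `RUN --mount=type=ssh` instructions and is never written into the image. It assumes the build runs with BuildKit (`DOCKER_BUILDKIT=1`) and keeps the bracketed placeholders from the question.

```yaml
# Added example, not the original post's cloudbuild.yml. Assumes BuildKit is
# available in the Docker builder and that the Dockerfile uses RUN --mount=type=ssh.
steps:
  # Fetch the encrypted deploy key into the shared 'ssh-setup' volume
  - name: 'gcr.io/cloud-builders/gsutil'
    args: ['cp', 'gs://[PROJECT-BUCKET]/git_id_rsa.enc', '/root/.ssh/git_id_rsa.enc']
    volumes:
      - name: 'ssh-setup'
        path: /root/.ssh
  # Decrypt it with KMS; the plaintext only ever lives in the volume
  - name: 'gcr.io/cloud-builders/gcloud'
    args:
      - kms
      - decrypt
      - --ciphertext-file=/root/.ssh/git_id_rsa.enc
      - --plaintext-file=/root/.ssh/git_id_rsa
      - --location=global
      - --keyring=[KEYRING]
      - --key=[KEY]
    volumes:
      - name: 'ssh-setup'
        path: /root/.ssh
  # Docker build: mount the same volume so the docker client can read the key,
  # and forward it to BuildKit with --ssh instead of copying it into the context.
  - name: 'gcr.io/cloud-builders/docker'
    env: ['DOCKER_BUILDKIT=1']
    args:
      - build
      - --ssh
      - default=/root/.ssh/git_id_rsa
      - -t
      - gcr.io/$PROJECT_ID/[PROJECT-NAME]
      - .
    volumes:
      - name: 'ssh-setup'
        path: /root/.ssh
```

For this to work the Dockerfile must start with `# syntax=docker/dockerfile:1`, add the git host's key to `known_hosts` (for example with `ssh-keyscan` in an earlier `RUN`), and run Bundler as `RUN --mount=type=ssh bundle install`. Because the key is delivered through the SSH agent socket rather than through the build context, it does not appear in any layer of the resulting image, which is the main reason to prefer this over copying the key into the workspace.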