How to `docker build` with secret from 'envFrom'

I am trying to set up a basic pipeline with .rancher-pipeline.yml. Step 1 is building a docker image, which involves pulling a package from a private packagist / private repo. So I thought I would make the private key available via secrets (in the rancher UI, scope: all namespaces). Here are some details of my config files:

From .rancher-pipeline.yml:

stages:
- name: Build
  steps:
  - publishImageConfig:
      dockerfilePath: ./Dockerfile
      buildContext: .
      tag: example/example:testk8
      pushRemote: true
      registry: example
      envFrom:
      - sourceName: gitlab-key
        sourceKey: gitlab
        targetKey: SSH_PRIVATE_KEY
    when:
      branch:
        include:
        - feature-kubernetes
      event:
        include:
        - push

From Dockerfile:

FROM composer:1.8 AS composer-build

# Supplied by the pipeline at build time (see envFrom / PLUGIN_BUILD_ARGS below)
ARG SSH_PRIVATE_KEY

# Write the key for git-over-ssh. The key is stored in a layer of this builder
# stage only; the final stage copies just /app out of it. The ssh-agent started
# here does not survive into later RUN steps, but the id_rsa file does, so the
# composer install below can still use it. StrictHostKeyChecking no disables
# host key verification for every host.
RUN mkdir /root/.ssh/ && \
    echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa && \
    echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > /root/.ssh/config && \
    chmod 400 /root/.ssh/config && \
    eval "$(ssh-agent -s)" && ssh-add -k /root/.ssh/id_rsa

WORKDIR /app
COPY composer.* ./
RUN composer install --no-dev

FROM php:7.2

# Only the vendored application is copied; /root/.ssh stays in the builder stage
COPY --from=composer-build /app .

While debugging, I realized that the var “SSH_PRIVATE_KEY” is empty though. I tested the build locally, and it worked flawlessly:

docker build -t example:test --build-arg SSH_PRIVATE_KEY="$(cat /root/.ssh/gitlab_system)" --no-cache .

I followed the documentation but did not find any relevant details:

I’m stuck, any pointers for me?

I think you can pass in the SSH key to your pipeline YAML through the PLUGIN_BUILD_ARGS

stages:
- name: Publish Image
  steps:
  - publishImageConfig:
      dockerfilePath: ./Dockerfile
      buildContext: .
      tag: repo/app:v1
      pushRemote: true
      registry: example.com
    env:
      PLUGIN_BUILD_ARGS: <a comma separated list>

@catherineluse thanks for the pointer, I have a follow-up question about this.

How can I load a secret and use it in the plugin build args? I tried the following but it doesn’t work:

- name: Deploy
  steps:
  - applyYamlConfig:
      path: ./deployment.yaml
    envFrom:
    - sourceName: fontawesome-npm-auth
      sourceKey: FONTAWESOME_NPM_AUTH_TOKEN
    env:
      PLUGIN_BUILD_ARGS: FONTAWESOME_NPM_AUTH_TOKEN=$FONTAWESOME_NPM_AUTH_TOKEN

Follow up:

  • sourceName refers to the name of the secret
  • sourceKey refers to a single key within a secret
  • multiple keys can be added to one single secret

Hey I’m currently trying the same thing. This solution does not seem to work for me?

I already tried this notation.

What is the correct way to go?


Hello there,
I found a way to achieve this using the PLUGIN_BUILD_ARGS_FROM_ENV environment variable, e.g.:

stages:
  - name: Build
    steps:
      - publishImageConfig:
          dockerfilePath: ./Dockerfile
          buildContext: .
          tag: repo/app:latest
          pushRemote: true
          registry: index.docker.io
        envFrom:
          - sourceName: composer-creds
            sourceKey: COMPOSER_AUTH
        env:
          PLUGIN_BUILD_ARGS_FROM_ENV: COMPOSER_AUTH

Rancher uses the drone docker plugin under the hood: https://github.com/drone-plugins/drone-docker/blob/master/cmd/drone-docker/main.go#L148
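To make the two answers above concrete (PLUGIN_BUILD_ARGS as literal NAME=value pairs, PLUGIN_BUILD_ARGS_FROM_ENV as variable names resolved from the step environment that envFrom filled), here is an added shell model of how such settings turn into `docker build --build-arg` flags. It is not code from this thread or from drone-docker; the function names are mine, and the sample values at the bottom are constructed. It mirrors the behaviour described in the thread; the real plugin's handling lives in the linked main.go and should be checked there. The example also does two things the plugin is not described as doing: it reports variables that are unset or empty (the symptom in the original question) instead of passing them silently, and it masks values before they are echoed into a CI log.

```shell
#!/bin/sh
# Added example (not code from the thread or from drone-docker): a shell model
# of how build-args settings become `docker build` flags.
#   PLUGIN_BUILD_ARGS          comma-separated literal NAME=value pairs
#   PLUGIN_BUILD_ARGS_FROM_ENV comma-separated variable NAMES, resolved from
#                              the step environment that `envFrom` populated

# One list item per line; the trailing newline makes `read` see the last item.
split_csv() {
    printf '%s\n' "$1" | tr ',' '\n'
}

# PLUGIN_BUILD_ARGS: pairs are passed through unchanged.
build_args_literal() {
    split_csv "$1" | while IFS= read -r pair; do
        [ -n "$pair" ] || continue
        printf -- '--build-arg %s\n' "$pair"
    done
}

# PLUGIN_BUILD_ARGS_FROM_ENV: look each name up in the environment.
# Names are validated before the indirect expansion (they come from the
# pipeline YAML, but eval should still only ever see a plain identifier), and
# unset or empty variables are reported on stderr and skipped, so the "my
# build arg is empty" case from the question is visible instead of silent.
build_args_from_env() {
    split_csv "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$name" in
            [0-9]*|*[!A-Za-z0-9_]*)
                echo "build-arg: ignoring invalid variable name '$name'" >&2
                continue ;;
        esac
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "build-arg: $name is unset or empty in the step environment" >&2
            continue
        fi
        printf -- '--build-arg %s=%s\n' "$name" "$value"
    done
}

# Everything the step would append to `docker build`, one flag per line.
all_build_args() {
    build_args_literal "${PLUGIN_BUILD_ARGS:-}"
    build_args_from_env "${PLUGIN_BUILD_ARGS_FROM_ENV:-}"
}

# Mask values before anything is echoed into a CI log.
redact_build_args() {
    sed 's/\(--build-arg [A-Za-z_][A-Za-z0-9_]*=\).*/\1***/'
}

# --- demo with constructed values standing in for the YAML env:/envFrom: ---
COMPOSER_AUTH='{"gitlab-token":{"gitlab.example.com":"constructed-token"}}'
export COMPOSER_AUTH
PLUGIN_BUILD_ARGS='APP_ENV=prod,PHP_VERSION=7.2'
PLUGIN_BUILD_ARGS_FROM_ENV='COMPOSER_AUTH,NOT_INJECTED'

echo "docker build would receive:"
all_build_args | redact_build_args
```

Running it prints the two literal flags and the COMPOSER_AUTH flag with their values masked, and a stderr line for NOT_INJECTED, which is the kind of message you want from a pipeline step when the secret reference in envFrom does not match a key in the secret.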