Bake secrets in pod and show known hosts (#90)

* Revert "Revert "Bake secrets into docker image. (#73)" (#89)" This reverts commit 9ff74fe. * Cat the known hosts.
toitware · Oct 6, 2023 · c0daa8e · c0daa8e
1 parent 9ff74fe
commit c0daa8e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -97,6 +97,12 @@ jobs:
         with:
           project_id: infrastructure-220307
 
+      - name: Create secrets
+        run: |
+          printf "%s" "${{ secrets.TOITWARE_REGISTRY_SSH_DEPLOY_KEY }}" > private_ssh_key
+          ssh-keyscan github.com > known_hosts
+          cat known_hosts
+
       - name: Build Docker Image
         run: |
           gcloud config set project infrastructure-220307

diff --git a/Dockerfile b/Dockerfile
@@ -34,4 +34,18 @@ ENV TOITDOCS_VIEWER_PATH /web_toitdocs
 ENV SDK_PATH /sdk
 ENV TOITDOCS_VIEWER_PATH /web_toitdocs
 
+# We are baking in private data.
+# As of 2022-07-08 the deployment overrides these values:
+# https://github.com/toitware/deployment/blob/50d35c2498cb98f360c922a491c2c31e73cc403d/console/values.yaml#L437
+# However, by adding the key here, we can remove these lines from there.
+
+# When building locally, one can either get the real key from bitwarden, or use any key.
+# It should only be necessary when pushing to the registry. (Not 100% certain.)
+copy private_ssh_key /ssh_data/private_ssh_key
+ENV REGISTRY_SSH_KEY_FILE /ssh_data/private_ssh_key
+
+# Same: we are baking in the known_hosts, which is, as of 2022-07-08, overridden by the deployment.
+copy known_hosts /ssh_data/known_hosts
+ENV SSH_KNOWN_HOSTS /ssh_data/known_hosts
+
 ENTRYPOINT ["/registry_container"]