From c0daa8e9d6e3a4a4f95bce442ef29b83d35ff552 Mon Sep 17 00:00:00 2001
From: Florian Loitsch
Date: Fri, 6 Oct 2023 16:43:44 +0200
Subject: [PATCH] Bake secrets in pod and show known hosts (#90)

* Revert "Revert "Bake secrets into docker image. (#73)" (#89)"

This reverts commit 9ff74feb3ce1c9b00ce22642cc3b758378d5822c.

* Cat the known hosts.
---
 .github/workflows/ci.yml | 6 ++++++
 Dockerfile | 14 ++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8a14c5c..97b5252 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -97,6 +97,12 @@ jobs:
 with:
 project_id: infrastructure-220307
+ - name: Create secrets
+ run: |
+ printf "%s" "${{ secrets.TOITWARE_REGISTRY_SSH_DEPLOY_KEY }}" > private_ssh_key
+ ssh-keyscan github.com > known_hosts
+ cat known_hosts
+
 - name: Build Docker Image
 run: |
 gcloud config set project infrastructure-220307
diff --git a/Dockerfile b/Dockerfile
index 443a965..970f280 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,4 +34,18 @@ ENV TOITDOCS_VIEWER_PATH /web_toitdocs
 ENV SDK_PATH /sdk
 ENV TOITDOCS_VIEWER_PATH /web_toitdocs
+# We are baking in private data.
+# As of 2022-07-08 the deployment overrides these values:
+# https://github.com/toitware/deployment/blob/50d35c2498cb98f360c922a491c2c31e73cc403d/console/values.yaml#L437
+# However, by adding the key here, we can remove these lines from there.
+
+# When building locally, one can either get the real key from bitwarden, or use any key.
+# It should only be necessary when pushing to the registry. (Not 100% certain.)
+copy private_ssh_key /ssh_data/private_ssh_key
+ENV REGISTRY_SSH_KEY_FILE /ssh_data/private_ssh_key
+
+# Same: we are baking in the known_hosts, which is, as of 2022-07-08, overridden by the deployment.
+copy known_hosts /ssh_data/known_hosts
+ENV SSH_KNOWN_HOSTS /ssh_data/known_hosts
+
 ENTRYPOINT ["/registry_container"]
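Review bot: The new printf line interpolates `${{ secrets.TOITWARE_REGISTRY_SSH_DEPLOY_KEY }}` straight into the generated shell script, so the key material is part of the script text rather than read from the process environment; GitHub's own guidance for secrets in `run:` steps is to pass them through `env:` and reference the shell variable, e.g. `env:` / `SSH_KEY: ${{ secrets.TOITWARE_REGISTRY_SSH_DEPLOY_KEY }}` and `printf "%s" "$SSH_KEY" > private_ssh_key`. The `ssh-keyscan github.com > known_hosts` line trusts whatever host key the network returns at build time, so the baked known_hosts pins nothing unless the scanned key is compared against GitHub's published host-key fingerprints; the `cat known_hosts` that follows only lets a human eyeball it in the log, and a scripted comparison against the published fingerprints would make the check fail closed. The private key file is also written with the runner's default umask, so a `chmod 600 private_ssh_key` before the Docker build step seems advisable, since the mode is what the next hunk's `copy` carries into the image. The surrounding `jobs:` block starts outside the hunk.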
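Review bot: `copy private_ssh_key /ssh_data/private_ssh_key` puts the deploy key into an image layer, so anyone able to pull the image from the registry can extract it, and a later `RUN rm` would not remove it from layer history; the commit message presents this as intentional, but if the builder is BuildKit a `RUN --mount=type=secret,id=private_ssh_key ...` or a runtime volume/secret mount would keep the key out of the layers while preserving the `REGISTRY_SSH_KEY_FILE` contract. The restored comment block still reads `As of 2022-07-08`, which predates this 2023 commit, and its `(Not 100% certain.)` leaves the reader guessing whether a key is needed for local builds; I would add `# NOTE(review): date and deployment link carried over from the reverted #73 — re-check whether the deployment still overrides these values.` so the staleness is explicit. The lowercase `copy` instructions are accepted but differ from the uppercase `ENV`/`ENTRYPOINT` around them; `COPY` would match the file's style.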