Bake secrets into docker image. (#73)

No need to have the deployment mount the secrets. This makes it easier to develop locally, and to host the registry server in a different environment.
toitware · Jul 27, 2022 · d6d7d8b · d6d7d8b
1 parent 86063d9
commit d6d7d8b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -97,13 +97,23 @@ jobs:
         with:
           project_id: infrastructure-220307
 
+      - name: Create secrets
+        run: |
+          printf "%s" "${{ secrets.TOITWARE_REGISTRY_SSH_DEPLOY_KEY }}" > private_ssh_key
+          ssh-keyscan github.com > known_hosts
+
       - name: Build Docker Image
         run: |
           gcloud config set project infrastructure-220307
           gcloud auth configure-docker
 
           make image
 
+      - name: Delete secrets
+        if: always()
+        run: |
+          rm -f private_ssh_key
+
       - name: Upload image
         if: |
           github.event_name == 'release' ||

diff --git a/Dockerfile b/Dockerfile
@@ -34,4 +34,18 @@ ENV TOITDOCS_VIEWER_PATH /web_toitdocs
 ENV SDK_PATH /sdk
 ENV TOITDOCS_VIEWER_PATH /web_toitdocs
 
+# We are baking in private data.
+# As of 2022-07-08 the deployment overrides these values:
+# https://github.com/toitware/deployment/blob/50d35c2498cb98f360c922a491c2c31e73cc403d/console/values.yaml#L437
+# However, by adding the key here, we can remove these lines from there.
+
+# When building locally, one can either get the real key from bitwarden, or use any key.
+# It should only be necessary when pushing to the registry. (Not 100% certain.)
+copy private_ssh_key /ssh_data/private_ssh_key
+ENV REGISTRY_SSH_KEY_FILE /ssh_data/private_ssh_key
+
+# Same: we are baking in the known_hosts, which is, as of 2022-07-08, overridden by the deployment.
+copy known_hosts /ssh_data/known_hosts
+ENV SSH_KNOWN_HOSTS /ssh_data/known_hosts
+
 ENTRYPOINT ["/registry_container"]