How To Authenticate with Private Repository in Docker Container

Question

I have a git repository that is a private repository and I need the ability to authenticate with it and be able to see it at run time within the container build perspective. For a little background information, I have a GitHub Workflow that builds a container image and publishes it to the ghcr.io registry. However, because the repository my package depends on is private, it doesn't work. Right now it works locally, and I have thought about changing the way I have stored my GitHub Authentication to allow access to it for me, but I wanted to know if anyone knew a better way for me to get at the private repository.

Here is the GitHub Action Publish to ghcr.io registry:

name: Docker dataeng_github_metrics

# Run workflow on tags starting with v (eg. v2, v1.2.0)
on:
  push:
    branches: [ "master" ]
    paths:
      - ./data_pipelines/dataeng_github_metrics/*
  pull_request:
    branches: [ "master" ]

jobs:
  Deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v1
        
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GHCR_REGISTRY_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build and Push Docker Image
        uses: docker/build-push-action@v3
        with:
          context: ./data_pipelines/dataeng_github_metrics/
          file: ./data_pipelines/dataeng_github_metrics/Dockerfile
          push: true # Will only build if this is not here
          tags: |
                        ghcr.io/mirantis/dataeng_github_metrics:latest
          # TODO: I CANNOT USE DATAENG AS PUBLIC AND NEED TO CHANGE THE WAY GITCONFIG IS USED IN THE DOCKERFILE FOR AUTHENTICATION
          secrets: |
                        TOKEN=${{ secrets.AUTOMATION_PAT}}

Here is the Dockerfile:

###############
# CACHE IMAGE #
###############
ARG GO_IMAGE=golang:1.17.3-alpine3.14
ARG BASE_IMAGE=alpine:3.14.2

FROM ${GO_IMAGE} AS cache
# Add the keys
ARG GITHUB_ID
ENV GITHUB_ID=$GITHUB_ID
ARG GITHUB_TOKEN
ENV GITHUB_TOKEN=$GITHUB_TOKEN

# Install Git
RUN apk add git

# TODO: ENCRYPT THE GITHUB_ID AND GITHUB_TOKEN
# Make Git Configuration
RUN git config \
    --global \
    url."https://${GITHUB_ID}:${GITHUB_TOKEN}@github.com/".insteadOf \
    "https://github.com/"

WORKDIR /src
COPY go.mod go.sum /src/
RUN go mod download

##############
# BASE IMAGE #
##############
FROM cache AS dataeng_github_metrics
COPY . /bin
WORKDIR /bin

# Setup Git Terminal Prompt & Go Build
RUN go build .

###############
# FINAL IMAGE #
###############
FROM ${BASE_IMAGE}
COPY --from=dataeng_github_metrics /bin/dataeng_github_metrics bin/
ENTRYPOINT [ "bin/dataeng_github_metrics" ]

I think the important part that is messing me up is this but was wondering if there was a better way to implement it:

# Make Git Configuration
RUN git config \
    --global \
    url."https://${GITHUB_ID}:${GITHUB_TOKEN}@github.com/".insteadOf \
    "https://github.com/"

How can I get to the private repository and avoid the following error within the workflow:

#14 9.438 	remote: Repository not found.
#14 9.438 	fatal: Authentication failed for 'https://github.com/Mirantis/dataeng/'
------
Dockerfile:26
--------------------
24 |     WORKDIR /src
25 |     COPY go.mod go.sum /src/
26 | >>> RUN go mod download
27 |     
28 |     ##############
--------------------
ERROR: failed to solve: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1
Error: buildx failed with: ERROR: failed to solve: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1

Answer 1

Score: 1

In the Dockerfile, in order to use the secret passed by the action (called TOKEN), you should RUN as follows:

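# The secret is mounted as a file at /run/secrets/TOKEN; it is not an
# environment variable, so read it into TOKEN before ${TOKEN} is used.
RUN --mount=type=secret,id=TOKEN \
    TOKEN="$(head -n 1 /run/secrets/TOKEN)" && \
    echo "machine github.com login x password ${TOKEN}" > ~/.netrc && \
    git config \
    --global \
    url."https://${GITHUB_ID}:${TOKEN}@github.com/".insteadOf \
    "https://github.com/"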

Remember to pass the GITHUB_ID to the Dockerfile also.
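
A variant of the secret-mount approach from this answer, as an added example that is not part of the original post: the token is read only inside the `RUN` step that needs it, and the `.netrc` is removed in that same step, so it is not stored in any image layer or in `ARG`/`ENV` metadata. The `GOPRIVATE` value is an assumption taken from the repository path in the error message, and `required=true` is added so the build stops when the secret is not supplied.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: the token comes only from the BuildKit secret mount (id TOKEN).
ARG GO_IMAGE=golang:1.17.3-alpine3.14
ARG BASE_IMAGE=alpine:3.14.2

###############
# CACHE IMAGE #
###############
FROM ${GO_IMAGE} AS cache
RUN apk add --no-cache git

# Assumed module path (from the error message on this page). GOPRIVATE keeps
# the private module off the public Go proxy and checksum database.
ENV GOPRIVATE=github.com/Mirantis/dataeng

WORKDIR /src
COPY go.mod go.sum /src/

# /run/secrets/TOKEN exists only while this RUN executes. The .netrc is
# written with owner-only permissions and deleted before the step ends,
# whether or not the download succeeds, so the layer never contains it.
RUN --mount=type=secret,id=TOKEN,required=true \
    umask 077 \
    && printf 'machine github.com login x password %s\n' \
        "$(head -n 1 /run/secrets/TOKEN)" > "$HOME/.netrc" \
    && { go mod download; rc=$?; rm -f "$HOME/.netrc"; exit "$rc"; }

##############
# BASE IMAGE #
##############
FROM cache AS dataeng_github_metrics
COPY . /bin
WORKDIR /bin
# Modules are already in the module cache, so no credentials are needed here.
RUN go build .

###############
# FINAL IMAGE #
###############
FROM ${BASE_IMAGE}
COPY --from=dataeng_github_metrics /bin/dataeng_github_metrics bin/
ENTRYPOINT [ "bin/dataeng_github_metrics" ]
```

The `secrets:` input already present in the workflow on this page supplies the secret under the id `TOKEN`; the `GITHUB_ID` and `GITHUB_TOKEN` build arguments are not needed with this variant.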

huangapple
  • Published on 2022-11-22 00:29:34
  • When reposting, please keep the link to this article: https://go.coder-hub.com/74522014.html