stocky-hair-84003
04/05/2024, 1:31 AM
cluster-buildkit remote environment so that I can pull from a private repo during a build?
I've been researching using Garden for building our enterprise applications which use Node's NPM and PHP Composer with lots of packages pulled from private repositories during the build.
Ideally I'd like to use cluster-buildkit to build inside our remote k8s cluster, however I haven't been able to find a way to pass secrets into a remote build.
We currently build in Jenkins using buildkit's experimental SSH mounts in the Dockerfile (e.g. RUN --mount=type=ssh composer install) which avoids pushing ssh keys into images during the build, and we'd like to retain that method.
Am I missing something obvious or is this method not currently supported?
brief-restaurant-63679
04/09/2024, 2:08 PM
buildMode: local-docker
)
You can however mount secrets as you normally would using the extraFlags field.
So if you have a Docker command like:
docker build --secret id=my-token,src=./my-token.txt .
then with Garden you'd do:
kind: Build
name: my-build
type: container
spec:
  extraFlags:
    - --secret=id=my-token,src=./my-token.txt
And from the Dockerfile you could now reference it like so:
RUN --mount=type=secret,id=my-token \
    npm config set "//<registry>/:_authToken=$(cat /run/secrets/my-token)"
stocky-hair-84003
04/15/2024, 1:41 AM
--ssh default=<keyfile|socket|etc> (https://github.com/AkihiroSuda/buildkit_poc/blob/b5003d53eb522f629c41ad8c48b31c2d6c340afc/frontend/dockerfile/docs/experimental.md#example-access-to-gitlab) which we can do under extraFlags in garden, for example:
spec:
  extraFlags:
    - --ssh=/keys/id_rsa
The problem with this approach is Garden doesn't expose a method of mounting the key inside the buildctl container on the remote; the k8s deployment which runs the buildctl command only mounts secrets for Docker, and doesn't provide an avenue for other secrets:
https://github.com/garden-io/garden/blob/c4e6982cb45640ae51f0515d6cc5e7a514562d5d/core/src/plugins/kubernetes/container/build/buildkit.ts#L493
Citing the way Docker Registry secrets are added to k8s and mounted for buildctl, I can't see an obvious reason why an SSH Key couldn't be mounted in the same manner, using a separate secret and volume? Securing the k8s Secret and limiting the scope of the SSH Key is entirely my responsibility as an end-user.
brief-restaurant-63679
04/16/2024, 7:00 PM
buildkit Deployment.
Another approach could be to use the "cloud builder" which is an alternative to in-cluster building that we're working on and should solve this issue, but may or may not fit your use case.
I hope it's all right that I reach out over DM to discuss further. I'd love to learn more about your use case and try to figure out what the best approach would be since every stack is different and there tend to be unexpected gotchas.
stocky-hair-84003
04/17/2024, 12:13 AM