php小編草莓為您介紹如何使用 Docker 容器中的私有存儲(chǔ)庫(kù)進(jìn)行身份驗(yàn)證。Docker 是一種流行的容器化平臺(tái),能夠幫助開(kāi)發(fā)人員在不同的環(huán)境中快速部署和運(yùn)行應(yīng)用程序。然而,對(duì)于一些敏感的應(yīng)用程序或者私有的代碼庫(kù),我們可能需要對(duì)容器中的存儲(chǔ)庫(kù)進(jìn)行身份驗(yàn)證,以確保只有授權(quán)的人員可以訪問(wèn)。本文將向您展示如何設(shè)置和使用私有存儲(chǔ)庫(kù)的身份驗(yàn)證,以保護(hù)您的敏感數(shù)據(jù)和代碼。
問(wèn)題內(nèi)容
我有一個(gè) git 存儲(chǔ)庫(kù),它是一個(gè)私有存儲(chǔ)庫(kù),我需要能夠?qū)ζ溥M(jìn)行身份驗(yàn)證,并能夠在運(yùn)行時(shí)在 container build 視角中查看它。有關(guān)一些背景信息,我有一個(gè) github 工作流程,用于構(gòu)建容器映像并將其發(fā)布到 ghcr.io 注冊(cè)表。但是,因?yàn)槲业陌蕾?lài)的存儲(chǔ)庫(kù)是私有的,所以它不起作用。現(xiàn)在它可以在本地運(yùn)行,我考慮過(guò)更改存儲(chǔ) github 身份驗(yàn)證的方式以允許我訪問(wèn)它,但我想知道是否有人知道更好的方法讓我訪問(wèn)私有存儲(chǔ)庫(kù)。 p>
以下是發(fā)布到 ghcr.io 注冊(cè)表的 github 操作:
name: docker dataeng_github_metrics
# run workflow on tags starting with v (eg. v2, v1.2.0)
on:
push:
branches: [ "master" ]
paths:
- ./data_pipelines/dataeng_github_metrics/*
pull_request:
branches: [ "master" ]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: checkout code
uses: actions/checkout@v1
- name: login to github container registry
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.ghcr_registry_token }}
- name: set up docker buildx
uses: docker/setup-buildx-action@v2
- name: build and push docker image
uses: docker/build-push-action@v3
with:
context: ./data_pipelines/dataeng_github_metrics/
file: ./data_pipelines/dataeng_github_metrics/dockerfile
push: true # will only build if this is not here
tags: |
ghcr.io/mirantis/dataeng_github_metrics:latest
# todo: i cannot use dataeng as public and need to change the way gitconfig is used in the dockerfile for authentication
secrets: |
token=${{ secrets.automation_pat}}
登錄后復(fù)制
這是 dockerfile:
###############
# cache image #
###############
arg go_image=golang:1.17.3-alpine3.14
arg base_image=alpine:3.14.2
from ${go_image} as cache
# add the keys
arg github_id
env github_id=$github_id
arg github_token
env github_token=$github_token
# install git
run apk add git
# todo: encrypt the github_id and github_token
# make git configuration
run git config \
--global \
url."https://${github_id}:${github_token}@github.com/".insteadof \
"https://github.com/"
workdir /src
copy go.mod go.sum /src/
run go mod download
##############
# base image #
##############
from cache as dataeng_github_metrics
copy . /bin
workdir /bin
# setup git terminal prompt & go build
run go build .
###############
# final image #
###############
from ${base_image}
copy --from=dataeng_github_metrics /bin/dataeng_github_metrics bin/
entrypoint [ "bin/dataeng_github_metrics" ]
登錄后復(fù)制
我認(rèn)為讓我困惑的重要部分是這個(gè),但想知道是否有更好的方法來(lái)實(shí)現(xiàn)它:
# make git configuration
run git config \
--global \
url."https://${github_id}:${github_token}@github.com/".insteadof \
"https://github.com/"
登錄后復(fù)制
如何訪問(wèn)私有存儲(chǔ)庫(kù)并避免工作流程中出現(xiàn)以下錯(cuò)誤:
#14 9.438 remote: Repository not found. #14 9.438 fatal: Authentication failed for 'https://github.com/Mirantis/dataeng/' ------ Dockerfile:26 -------------------- 24 | WORKDIR /src 25 | COPY go.mod go.sum /src/ 26 | >>> RUN go mod download 27 | 28 | ############## -------------------- ERROR: failed to solve: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1 Error: buildx failed with: ERROR: failed to solve: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1
登錄后復(fù)制
解決方法
在 dockerfile 中,為了使用操作傳遞的密鑰(稱(chēng)為 token),您應(yīng)該按以下方式運(yùn)行:
RUN --mount=type=secret,id=TOKEN \
echo "machine github.com login x password $(head -n 1 /run/secrets/TOKEN)" > ~/.netrc && \
git config \
--global \
url."https://${GITHUB_ID}:${TOKEN}@github.com/".insteadOf \
"https://github.com/"
登錄后復(fù)制
記得將 github_id 也傳遞給 dockerfile
