AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

how to unlock during ci/cd pipeline building docker image #225

Closed Daxcor69 closed 3 years ago

Daxcor69 commented 3 years ago

Ok first off I love this product. Thank you.

I am on a steep learning curve but making headway. I am using GitLab to store my repo, I have a pipeline that builds my docker image. I can't for the life of me figure out how to edit the pipeline to unlock the files during the build. Here is a template that I am using to build the image. Btw, I am using just the simple key file, for the key. This is using the shared runner on GitLab. I am guessing I have to add something to the docker build line. Thank you again for any help you can provide.

Brad

```yaml
docker-build:
  # Use the official docker image.
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  # Default branch leaves tag empty (= latest tag)
  # All other branches are tagged with the escaped branch name (commit ref slug)
  script:
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        tag=""
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
      else
        tag=":$CI_COMMIT_REF_SLUG"
        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      fi
      echo $CI_REGISTRY_IMAGE${tag}
    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    - docker push "$CI_REGISTRY_IMAGE${tag}"
  # Run this job in a branch where a Dockerfile exists
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile
```

alerque commented 3 years ago

I use git-crypt to unlock repos inside Docker containers running in GitLab CI runners (self-hosted and shared) all the time. This project itself isn't really responsible for that end of things, though; the usage in that case is pretty much just like it is on your own host computer.

  1. You need a working git-crypt binary.
  2. You need access to an unlocked GPG key (or whatever secret you used to lock with).
  3. You need to run the commands to unlock.

It's really hard to tell you what to do in your .gitlab-ci.yml or similar because there are so many ways to implement pipelines and pull tools and secrets together. You really need to understand what the rest of your project does and design the workflow around that, then figure out where you need the secrets and what the best injection point is. GitLab CI has a way to pass secret env vars to runners that you can use to unlock private keys and thus enable access to GPG keys or whatever else.

The workflow file you show above doesn't seem to accomplish anything and I can't figure out what step you are even trying to solve. You're building some docker image, but why? Because it has the tooling for your project? Because your project is a container? Because you want to build a containerized tool to manage your secrets? Until we know better what stage of the problem you are even trying to solve, it's not really possible to recommend a solution.
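The three steps above (a git-crypt binary, access to the key, running the unlock) applied to the job from the original post, as an added example that is neither the project's code nor part of the thread. It assumes the symmetric key file the poster mentions has been exported with `git-crypt export-key /tmp/key`, base64-encoded (`base64 -w0 /tmp/key` with GNU coreutils) and stored as a masked, protected CI/CD variable named `GIT_CRYPT_KEY` (an assumed name); `docker:latest` is Alpine-based, so `apk` is used to install git and git-crypt:

```yaml
docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    # git-crypt needs git in the job image; both come from Alpine's package repositories.
    - apk add --no-cache git git-crypt
    # --password-stdin keeps the registry password out of the process list and the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - |
      set -eu
      # GIT_CRYPT_KEY (assumed name) is a masked + protected CI/CD variable holding the
      # base64 of the exported key. Protected variables are only injected into pipelines on
      # protected branches/tags, so a pipeline from an unprotected branch fails here instead
      # of silently building with encrypted (ciphertext) files.
      : "${GIT_CRYPT_KEY:?GIT_CRYPT_KEY is not set; is this branch protected?}"
      umask 077                         # key file readable by the job user only
      key_file=$(mktemp)                # under /tmp: outside the build context, never sent to dockerd
      printf '%s' "$GIT_CRYPT_KEY" | base64 -d > "$key_file"
      git-crypt unlock "$key_file"      # checks out every git-crypt managed file as plaintext
      rm -f "$key_file"                 # the build only needs the decrypted working tree from here on
      docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
      docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile
```

The default-branch/`latest` tagging from the posted job can replace the fixed `$CI_COMMIT_REF_SLUG` tag unchanged; the only addition is the unlock before `docker build`. Two things to keep in mind: `git-crypt unlock` refuses to run on a dirty working tree, which a fresh CI checkout is not, so it works without extra steps; and once unlocked, any decrypted file the Dockerfile `COPY`s becomes part of the image layers, readable by anyone who can pull the image. If a secret is only needed while building, pass it as a BuildKit secret (`docker build --secret id=...,src=...` with `RUN --mount=type=secret,...` in the Dockerfile) rather than copying it in.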