mrsixw / concourse-rsync-resource

concourse.ci resource for persisting build artifacts on a shared storage location with rsync and ssh.
Apache License 2.0

Correct way of handling private_key through secrets #11

Closed mikebell closed 5 years ago

mikebell commented 5 years ago

Hi,

I'm trying to figure out how to pass a private_key via concourse secrets.

I have the following pipeline:

---
resource_types:
- name: rsync-resource
  type: docker-image
  source:
      repository: mrsixw/concourse-rsync-resource
      tag: latest

resources:
- name: mikebell-io
  type: git
  source:
    branch: master
    uri: https://github.com/mikebell/mikebell.io.git
- name: sync-resource
  type: rsync-resource
  source:
    server: mikebell.io
    base_dir: /var/www/mikebell.io-test
    user : digital
    private_key: ${CONCOURSEPRIV}
    disable_version_path: true

jobs:
- name: Build
  public: true
  plan:
  - get: mikebell-io
    trigger: true
  - task: Build site
    config:
      platform: linux
      inputs:
      - name: mikebell-io
      outputs:
      - name: site
      image_resource:
        type: docker-image
        source: {repository: jekyll/builder}
      run:
        path: sh
        args:
        - -exc
        - |
          ls -lash
          chown jekyll:jekyll site
          jekyll build -s mikebell-io -d site
          echo ${CONCOURSEPRIV}
      params:
        CONCOURSEPRIV: ((concourse-priv))
  - put: sync-resource
    params: {
      CONCOURSEPRIV: ((concourse-priv)),
      "sync_dir": "site"
      }
# - name: Publish
#   plan:
#     put: sync-resource

The first echo works and prints the private key to the console; however, adding it to the params of the sync-resource results in:

Load key "/root/.ssh/server_key": invalid format

If I replace the ${CONCOURSEPRIV} with the hardcoded key it works as expected.

Resources don't support params from what I can see so I can't add it directly to the resource.

I've tried adding the params to the resource type and no luck there.

Where is the right place to pass in the secret to the private_key?

mrsixw commented 5 years ago

The way I do it is with a params in the resource, like https://concourse-ci.org/setting-pipelines.html#pipeline-params so in your example it would be

- name: sync-resource
  type: rsync-resource
  source:
    server: mikebell.io
    base_dir: /var/www/mikebell.io-test
    user : digital
    private_key: ((CONCOURSEPRIV))
    disable_version_path: true

I've used this pattern with concourse 3.x without issue. I've not had cause to use newer versions so can't say for sure it still works, but from the link above I believe it still will.

Out of curiosity, what version of concourse are you using and why do you think that params are not supported in resources?
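A line-based lint for the two problems visible in the pipeline above, added here as an example that is not part of the thread or of the resource's code: a shell-style `${NAME}` used as a YAML value, which Concourse passes through literally because it only interpolates `((name))`, and a task script that prints a credential-manager param into the build log (readable without login when the job is `public: true`). The function name, rule names and trimmed sample pipeline are constructed for illustration.

```python
import re

# Constructed sample: a trimmed pipeline with the same shape as the one in the question.
SAMPLE = """\
resources:
- name: sync-resource
  type: rsync-resource
  source:
    private_key: ${CONCOURSEPRIV}
jobs:
- name: Build
  public: true
  plan:
  - task: Build site
    config:
      run:
        path: sh
        args:
        - -exc
        - |
          echo ${CONCOURSEPRIV}
      params:
        CONCOURSEPRIV: ((concourse-priv))
"""

# `key: ${NAME}` as a YAML value: Concourse only interpolates ((name)), so this stays literal.
SHELL_VALUE = re.compile(r"^\s*(?:-\s+)?([\w-]+)\s*:\s*\$\{(\w+)\}\s*$")
# `NAME: ((secret))`: an env var a task receives from the credential manager.
SECRET_PARAM = re.compile(r"^\s*(\w+)\s*:\s*\(\([^)]+\)\)\s*,?\s*$")
PRINT_CMD = re.compile(r"^\s*(?:echo|printf)\b")
SHELL_VAR = re.compile(r"\$\{?(\w+)\}?")

def lint_pipeline(text):
    """Return (line_no, rule, name) findings; line-based heuristic, not a YAML parser."""
    lines = text.splitlines()
    secrets = {m.group(1) for line in lines if (m := SECRET_PARAM.match(line))}
    public = any(re.match(r"^\s*public:\s*true\s*$", line) for line in lines)
    findings = []
    for no, line in enumerate(lines, 1):
        if m := SHELL_VALUE.match(line):
            findings.append((no, "unexpanded-shell-var", m.group(1)))
        elif PRINT_CMD.match(line):
            rule = "secret-in-public-log" if public else "secret-in-log"
            findings += [(no, rule, v) for v in SHELL_VAR.findall(line) if v in secrets]
    return findings

if __name__ == "__main__":
    for finding in lint_pipeline(SAMPLE):
        print(finding)
```
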

mikebell commented 5 years ago

Ah, when I looked at the documentation (https://concourse-ci.org/resources.html), params isn't listed in the parameters supported.

I'm very new to Concourse so still trying to pull things together in a nice way and get my head around it. Unless I'm missing something, the Pipelines params section doesn't mention that this can also be populated from a secrets provider as well.

Thanks for the help, it's greatly appreciated.