Bitbucket Pipeline deploy using SSH keys on private repo

Tiago Menegaz September 10, 2018

Hi all, I'm building a docker pipeline for my project to be deployed on Google Cloud Services based on this example. In my Dockerfile I have to build some gems which are hosted on my private repository on Bitbucket. However, during the build step, the Docker container generated by the Pipeline can't see my SSH keys saved on my repository.

My question is: how can I send the SSH keys configured on the pipeline to be used during the build by my container?

 

bitbucket-pipelines.yml:

At the #BUILD IMAGE comment I can get the private SSH correctly configured on my repo

 

options:
  docker: true

pipelines:
  default:
    - step:
        name: Deploy to Container Registry
        image: google/cloud-sdk:latest
        caches:
          - docker
        script:
          - export PRIVATE_KEY=`cat /opt/atlassian/pipelines/agent/data/id_rsa`
          - export IMAGE_NAME=gcr.io/$GOOGLE_PROJECT/$GCLOUD_REPO_SLUG:$BITBUCKET_COMMIT
          - export ENVIRONMENT=staging
          - echo $GOOGLE_CREDENTIALS | base64 -d > ~/.gcloud-api-key.json
          - gcloud auth activate-service-account --key-file ~/.gcloud-api-key.json
          - gcloud config set project $GOOGLE_PROJECT
          - gcloud container clusters get-credentials $GOOGLE_CLUSTER --region=$GOOGLE_REGION --project $GOOGLE_PROJECT
          - gcloud auth configure-docker --quiet
          # BUILD IMAGE
          - docker build -t $IMAGE_NAME --build-arg SSH_PRIVATE_KEY="$PRIVATE_KEY" .
          # PUBLISH IMAGE
          - docker push $IMAGE_NAME

 

 

Dockerfile:

FROM ruby:2.5.1-alpine3.7

# Private key passed in from the pipeline via --build-arg
ARG SSH_PRIVATE_KEY

# Install build dependencies, then write the key and start an agent in the same RUN
RUN \
    echo "http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
    && apk update && apk upgrade \
    && apk add bash build-base libxml2-dev libxslt-dev openssh-client git \
    && apk upgrade --available \
    && rm -rf /var/cache/apk/* \
    && mkdir /usr/app \
    && mkdir /root/.ssh/ \
    && echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa \
    && eval $(ssh-agent -s) \
    && chmod 600 /root/.ssh/id_rsa \
    && ssh-add ~/.ssh/id_rsa \
    && touch /root/.ssh/known_hosts \
    && ssh-keyscan bitbucket.org > /root/.ssh/known_hosts

# This line fails with
# RUN ssh-add /root/.ssh/id_rsa
#  ---> Running in 9d6b522d6355
# Could not open a connection to your authentication agent.
# The command '/bin/sh -c ssh-add /root/.ssh/id_rsa' returned a non-zero code: 2

WORKDIR /usr/app

COPY Gemfile /usr/app/
COPY Gemfile.lock /usr/app/

# Fetch gems, including the ones hosted in the private Bitbucket repository
RUN bundle config build.nokogiri --use-system-libraries \
    && bundle install

OBS: I can do an ugly alternative solution which is generating a new key and overwriting the new key with the value from the args (SSH_PRIVATE_KEY). But this also fails when it tries to run the bundle install.

 

I'd appreciate any help. Cheers.

1 answer

2 votes
Raimundas Rimkus January 26, 2022

You can send it with --build-args

docker build -t account/image_name:tag --build-arg SSH_PRIVATE_KEY="`cat /opt/atlassian/pipelines/agent/data/id_rsa`" .

and then pass it into the Dockerfile, for example:

FROM alpine:latest
ARG SSH_PRIVATE_KEY

RUN mkdir /root/.ssh/ && \
    apk add --no-cache openssh-client git && \
    echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa && \
    cd /your_application_path_in_docker && \
    eval "$(ssh-agent -s)" && \
    ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts && \
    ssh-add ~/.ssh/id_rsa && \
    yarn install




 
