Add auth-wrapped docker

connectedcars · Feb 19, 2021 · ab649b7 · ab649b7
1 parent 37b47ae
commit ab649b7
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -54,6 +54,24 @@ ENV SSH_KEY_PATH=${SSH_KEY_PATH}
 ENTRYPOINT ["/opt/bin/auth-wrapper"]
 
 
+#
+# Authwrapped docker with KMS keys
+#
+FROM gcr.io/cloud-builders/docker as docker-kms
+
+ARG SSH_KEY_PATH
+
+COPY --from=builder /app/auth-wrapper /opt/bin/auth-wrapper
+RUN ln -s /opt/bin/auth-wrapper /opt/bin/docker
+
+ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+ENV PATH=/opt/bin:${PATH}
+ENV WRAP_COMMAND=docker
+ENV SSH_KEY_PATH=${SSH_KEY_PATH}
+ENV DOCKER_BUILDKIT=1
+ENTRYPOINT ["/opt/bin/auth-wrapper"]
+
 #
 # Authwrapped git with local keys
 #

diff --git a/cloudbuild.yaml b/cloudbuild.yaml
@@ -14,7 +14,9 @@ steps:
       '--tag=gcr.io/$PROJECT_ID/$REPO_NAME.$BRANCH_NAME:latest', 
       '.'
       ]
+  #
   # Build auth wrapped git
+  #
   - name: 'gcr.io/cloud-builders/docker'
     args: [
       'build',
@@ -31,6 +33,21 @@ steps:
     entrypoint: 'bash'
     args: ['-c', 'rm -rf private-module']
   #
+  # Build auth wrapped docker
+  #
+  - name: 'gcr.io/cloud-builders/docker'
+    args: [
+      'build',
+      '--target=docker-kms',
+      '--build-arg=SSH_KEY_PATH=kms://projects/connectedcars-staging/locations/global/keyRings/cloudbuilder/cryptoKeys/ssh-key/cryptoKeyVersions/3',
+      '--tag=gcr.io/$PROJECT_ID/$REPO_NAME-docker.$BRANCH_NAME:$COMMIT_SHA', 
+      '--tag=gcr.io/$PROJECT_ID/$REPO_NAME-docker.$BRANCH_NAME:latest', 
+      '.'
+      ]
+  # Test auth wrapped docker using KSM key
+  - name: 'gcr.io/$PROJECT_ID/$REPO_NAME-docker.$BRANCH_NAME:$COMMIT_SHA'
+    args: ['build', '--progress=plain', '--ssh', 'default', 'resources/docker-kms-test']
+  #
   # Build embedded key auth wrappers
   #
   # Copy build key to workspace

diff --git a/resources/docker-kms-test/Dockerfile b/resources/docker-kms-test/Dockerfile
@@ -0,0 +1,11 @@
+# syntax=docker/dockerfile:experimental
+FROM alpine
+
+# Install ssh client and git
+RUN apk add --no-cache openssh-client git
+
+# Download public key for github.com
+RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
+
+# Clone private repository
+RUN --mount=type=ssh git clone [email protected]:connectedcars/private-module.git