卓越飞翔博客
php小编草莓为您介绍如何使用 Docker 容器中的私有存储库进行身份验证。Docker 是一种流行的容器化平台,能够帮助开发人员在不同的环境中快速部署和运行应用程序。然而,对于一些敏感的应用程序或者私有的代码库,我们可能需要对容器中的存储库进行身份验证,以确保只有授权的人员可以访问。本文将向您展示如何设置和使用私有存储库的身份验证,以保护您的敏感数据和代码。
问题内容
我有一个 git 存储库,它是一个私有存储库,我需要能够对其进行身份验证,并能够在运行时在 container build 视角中查看它。有关一些背景信息,我有一个 github 工作流程,用于构建容器映像并将其发布到 ghcr.io 注册表。但是,因为我的包依赖的存储库是私有的,所以它不起作用。现在它可以在本地运行,我考虑过更改存储 github 身份验证的方式以允许我访问它,但我想知道是否有人知道更好的方法让我访问私有存储库。 p>
以下是发布到 ghcr.io 注册表的 github 操作:
name: docker dataeng_github_metrics
# run workflow on tags starting with v (eg. v2, v1.2.0)
on:
push:
branches: [ "master" ]
paths:
- ./data_pipelines/dataeng_github_metrics/*
pull_request:
branches: [ "master" ]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: checkout code
uses: actions/checkout@v1
- name: login to github container registry
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.ghcr_registry_token }}
- name: set up docker buildx
uses: docker/setup-buildx-action@v2
- name: build and push docker image
uses: docker/build-push-action@v3
with:
context: ./data_pipelines/dataeng_github_metrics/
file: ./data_pipelines/dataeng_github_metrics/dockerfile
push: true # will only build if this is not here
tags: |
ghcr.io/mirantis/dataeng_github_metrics:latest
# todo: i cannot use dataeng as public and need to change the way gitconfig is used in the dockerfile for authentication
secrets: |
token=${{ secrets.automation_pat}}
这是 dockerfile:
###############
# cache image #
###############
arg go_image=golang:1.17.3-alpine3.14
arg base_image=alpine:3.14.2
from ${go_image} as cache
# add the keys
arg github_id
env github_id=$github_id
arg github_token
env github_token=$github_token
# install git
run apk add git
# todo: encrypt the github_id and github_token
# make git configuration
run git config
--global
url."https://${github_id}:${github_token}@github.com/".insteadof
"https://github.com/"
workdir /src
copy go.mod go.sum /src/
run go mod download
##############
# base image #
##############
from cache as dataeng_github_metrics
copy . /bin
workdir /bin
# setup git terminal prompt & go build
run go build .
###############
# final image #
###############
from ${base_image}
copy --from=dataeng_github_metrics /bin/dataeng_github_metrics bin/
entrypoint [ "bin/dataeng_github_metrics" ]我认为让我困惑的重要部分是这个,但想知道是否有更好的方法来实现它:
# make git configuration
run git config
--global
url."https://${github_id}:${github_token}@github.com/".insteadof
"https://github.com/"如何访问私有存储库并避免工作流程中出现以下错误:
#14 9.438 remote: Repository not found.
#14 9.438 fatal: Authentication failed for 'https://github.com/Mirantis/dataeng/'
------
Dockerfile:26
--------------------
24 | WORKDIR /src
25 | COPY go.mod go.sum /src/
26 | >>> RUN go mod download
27 |
28 | ##############
--------------------
ERROR: failed to solve: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1
Error: buildx failed with: ERROR: failed to solve: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1解决方法
在 dockerfile 中,为了使用操作传递的密钥(称为 token),您应该按以下方式运行:
RUN --mount=type=secret,id=TOKEN
echo "machine github.com login x password $(head -n 1 /run/secrets/TOKEN)" > ~/.netrc &&
git config
--global
url."https://${GITHUB_ID}:${TOKEN}@github.com/".insteadOf
"https://github.com/"记得将 github_id 也传递给 dockerfile
