We have a specific issue. For legacy reasons we have decided to run all build tasks inside the container build with the ECR plugin. The problem we have is that we don’t know how to grant access to our private repositories during the build. We know that we can do the same thing by just moving the build parts into steps, but it would require changing not only code but also the developers' local workflow, which we would like to avoid for now.
We know that Drone uses a .netrc file to authenticate to repositories, but this obviously doesn’t work by default with Dockerfiles. Our goal is to not store git credentials inside the docker container, so adding a command like COPY .netrc inside the Dockerfile is not an option.
Does anybody have a problem like this? Maybe somebody has a suggestion for this issue?
If possible, could you please share your drone yaml file for our review? I am not clear on the use case here, so after looking into the yaml we can suggest accordingly.
One way I can think of is to pass the below as an env variable:
If that is the case you could use build_args, as mentioned here Docker | Drone, to pass information through to the docker plugin, then into your dockerfile.
@TP_Honey I was able to pass credentials with build_args. The problem I can see with that approach is that it needs to persist somewhere in the container. Honestly I don’t believe that all teams will remember to remove the credentials file from the created image. I need a solution like the one described in this PR: Add build secret flag by nashiox · Pull Request #264 · drone-plugins/drone-docker · GitHub
This will solve my issue, because I will be able to pass the .netrc file as a secret in the Docker build and it will not persist in the container image.
Can you look again at the provided PR or just think about your implementation of this feature? I think that there will be a lot of people who would like to use it in their pipelines.
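
The difference between the two approaches discussed in this thread, as an added example that is not part of the original posts or of the drone-docker plugin: a Dockerfile with the build-arg form commented out beside the BuildKit secret-mount form. The base image, the host `git.example.com`, the repository path and the secret id `netrc` are constructed placeholders, and the build command in the last comment is the plain Docker CLI, not a Drone setting.

```dockerfile
# syntax=docker/dockerfile:1
# Constructed example: image tag, host, repository path and secret id are placeholders.

FROM alpine:3.20
RUN apk add --no-cache git
WORKDIR /deps

# Weak form (what passing credentials through build args leads to).
# The ARG value is recorded in the image metadata for the RUN step that
# uses it, so it can be read back with `docker history --no-trunc <image>`
# even though the file itself is deleted at the end of the step.
#
#   ARG NETRC_CONTENT
#   RUN printf '%s\n' "$NETRC_CONTENT" > /root/.netrc \
#    && git clone https://git.example.com/org/private-dep.git \
#    && rm -f /root/.netrc

# Hardened form: BuildKit mounts the secret at /root/.netrc for this one
# RUN step only. The file is never written to a layer and the value does
# not appear in the image history or in the build cache.
# mode=0400 keeps the mounted file readable by the owner only.
RUN --mount=type=secret,id=netrc,target=/root/.netrc,mode=0400 \
    git clone --depth 1 https://git.example.com/org/private-dep.git

# Check inside the same build that nothing was left behind: this step has
# no secret mount, so the file must not exist here.
RUN test ! -e /root/.netrc

# Local build with BuildKit enabled (the .netrc stays on the build host):
#   DOCKER_BUILDKIT=1 docker build --secret id=netrc,src="$HOME/.netrc" -t app .
```

After building, `docker history --no-trunc app` should show the `RUN --mount=type=secret` step without any credential value; running the same check against an image built with the commented-out form shows why the build-arg approach leaks.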