changed method, secrets mount only for build secrets use. does not pe…
…rsist.

Signed-off-by: Duncan Ragsdale <[email protected]>
Thistleman committed Mar 8, 2024
1 parent 96219f5 commit 1ce6308
Showing 2 changed files with 9 additions and 8 deletions.
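--- a/.github/workflows/deployapi.yml
+++ b/.github/workflows/deployapi.yml
@@ -50,8 +50,9 @@ jobs:
 --build-arg admin_password=${{ env.ADP }} \
 --build-arg admin_email=${{ env.ADE }} \
 --build-arg region=${{ env.AWS_REGION }} \
---secret id=ak,env=${{ secrets.API_AK }} \
---secret id=sak,env=${{ secrets.API_SAK }} \
+--build-arg ak=${{ secrets.API_AK }} \
+--build-arg sak=${{ secrets.API_SAK }} \
+--build-arg PEM=${{ secrets.PEM }} \
 -f Dockerfile.prod .
 docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
 echo "IMAGE=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_ENV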
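Review bot: The added `--build-arg ak=…`, `--build-arg sak=…` and `--build-arg PEM=…` lines move the AWS key pair and the private key into build arguments, which are recorded in the image's build history, and the image is pushed to the registry by the `docker push` two lines below. The removed `--secret` lines gave the secret value to `env=`, which expects the name of an environment variable, so that is probably why the mount came up empty; `--secret id=ak,env=API_AK` with `API_AK: ${{ secrets.API_AK }}` in the step's `env:` block (outside this hunk) keeps the value off the command line and out of the image metadata. `${{ secrets.PEM }}` is also substituted unquoted into the shell script, so a multi-line key will likely break the `docker build` command at the first newline.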
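--- a/valhub/Dockerfile.prod
+++ b/valhub/Dockerfile.prod
@@ -6,25 +6,25 @@ WORKDIR /root
 RUN apt-get update && apt-get install -y gawk
 
 ARG region=us-west-2
+ARG ak
+ARG sak
+ARG PEM
 # Copy AWS and PEM configuration if needed
 # Manually add the files to copy if not included in the host system
 RUN mkdir -p .aws
 RUN mkdir -p .pem
 
 WORKDIR /root/.aws
 
-RUN --mount=type=secret,id=ak \
---mount=type=secret,id=sak \
-awk -v ak="$(cat /run/secrets/ak)" -v sak="$(cat /run/secrets/sak)" \
+RUN awk -v ak="${ak}" -v sak="${sak}" \
 'BEGIN {print "[default]\naws_access_key_id = " ak "\naws_secret_access_key = " sak > "/root/.aws/credentials"}'
 
-RUN awk -v region=region \
+RUN awk -v region=${region} \
 'BEGIN {print "[default]\nregion = " region > "/root/.aws/config"}'
 
 WORKDIR /root/.pem
 
-RUN --mount=type=secret,id=PEM \
-awk -v pem="$(cat /run/secrets/PEM)" \
+RUN awk -v pem="${PEM}" \
 'BEGIN {print pem > "/root/.pem/private-key.pem"}'
 
 RUN chmod 400 /root/.pem/private-key.pem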
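Review bot: `ARG ak`, `ARG sak` and `ARG PEM` followed by `RUN awk -v ak="${ak}" …` and `RUN awk -v pem="${PEM}" …` write the AWS key pair and the private key into image layers, and the ARG values are also kept in the image's build history, so anyone who can pull the image can read them. The later `RUN chmod 400` does not change that, because the file content already sits in an earlier layer. If the container needs these files at run time, supply them when the container starts (a runtime secret mount, or an instance or task role for the AWS credentials) and drop the three ARGs; at minimum add a comment above them such as `# WARNING: ak/sak/PEM are baked into this image; treat the image as a secret and rotate the keys if it is shared`. The stage's `FROM` line is outside this hunk, so whether this is a discarded build stage cannot be confirmed from here.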
