Add ssh identity support

JasonDictos · JasonDictos · commit ff51675af414 · 2024-04-08T13:51:46.000-07:00
Signed-off-by: Jason Dictos &lt;jdictos@een.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -45,6 +45,7 @@ RUN apt update && apt install -y --no-install-recommends \
     docker-ce \
     docker-buildx-plugin \
     jq \
+    openssh-client \
     ca-certificates \
     xz-utils \
     iproute2 \
diff --git a/README.md b/README.md
@@ -277,6 +277,27 @@ version is the image's digest.
 * `pull_tag`: *Optional.*  **DEPRECATED. Use `get` and `load` instead.** Default
   `latest`. The tag of the repository to pull down via `pull_repository`.
 
+* `ssh_identity`: *Optional.* Set to an openssh private SSH key (it can be a file
+  or an inline key). This identity will be passed to `docker build` via the 
+  `--ssh default` argument through a temporary `ssh-agent` instance.
+
+  Examples:
+
+  ```yaml
+  ssh_identity: |
+        -----BEGIN OPENSSH PRIVATE KEY-----
+        0000000000000000000000000000000000000000000000000000000000000000000000
+        0000000000000000000000000000000000000000000000000000000000000000000000
+        0000000000000000000000000000000000000000000000000000000000000000000000
+        0000000000000000000000000000000000000000000000000000000000000000000000
+        000000000000000000000000000000000000000000000000000000==
+        -----END OPENSSH PRIVATE KEY-----
+  ```
+
+  ```yaml
+  ssh_identity: /path/to/key
+  ```
+
 * `tag`: **DEPRECATED - Use `tag_file` instead**
 * `tag_file`: *Optional.* The value should be a path to a file containing the name
   of the tag. When not set, the Docker build will be pushed with tag value set by
diff --git a/assets/out b/assets/out
@@ -126,6 +126,7 @@ import_file=$(jq -r '.params.import_file // ""' < $payload)
 
 pull_repository=$(jq -r '.params.pull_repository // ""' < $payload)
 pull_tag=$(jq -r '.params.pull_tag // "latest"' < $payload)
+ssh_identity=$(jq -r '.params.ssh_identity // ""' < $payload)
 target_name=$(jq -r '.params.target_name // ""' < $payload)
 
 if [ -n "$load" ]; then
@@ -237,6 +238,20 @@ elif [ -n "$build" ]; then
     fi
   fi
 
+  ssh_args=()
+  if [ -n "$ssh_identity" ]; then
+    export DOCKER_BUILDKIT=1
+    eval "$(ssh-agent)"
+    trap "ssh-agent -k; $( trap -p EXIT | cut -f2 -d \' )" EXIT
+    if [ -f "$ssh_identity" ]; then
+      ssh-add "$ssh_identity"
+    else
+      ssh-add <(echo "$ssh_identity")
+    fi
+    ssh_args+=("--ssh")
+    ssh_args+=("default")
+  fi
+
   target=()
   if [ -n "${target_name}" ]; then
    target+=("--target")
diff --git a/tests/fixtures/ssh_identity b/tests/fixtures/ssh_identity
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCTcY7/Q4JTr+zc5uuLSndCM8uiMBdf2H3JHTaCw1POrQAAAJiSPsoAkj7K
+AAAAAAtzc2gtZWQyNTUxOQAAACCTcY7/Q4JTr+zc5uuLSndCM8uiMBdf2H3JHTaCw1POrQ
+AAAEBhwFGOegUZ/wTf18i/9SNbDgZ0P/BJtPUoGHdvi2bNtJNxjv9DglOv7Nzm64tKd0Iz
+y6IwF1/YfckdNoLDU86tAAAAE3NvbWVvbmVAZXhhbXBsZS5jb20BAg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/out_test.go b/tests/out_test.go
@@ -484,6 +484,24 @@ var _ = Describe("Out", func() {
 		})
 	})
 
+	Context("When specifying ssh_identity", func() {
+		It("should set ssh args", func() {
+			session := put(map[string]interface{}{
+				"source": map[string]interface{}{
+					"repository": "test",
+				},
+				"params": map[string]interface{}{
+					"build":           "/docker-image-resource/tests/fixtures/build",
+					"additional_tags": "/docker-image-resource/tests/fixtures/tags",
+				  "ssh_identity": "/docker-image-resource/tests/fixtures/ssh_identity",
+				},
+			},
+			)
+			Expect(session.Err).To(gbytes.Say(dockerarg(`--ssh`)))
+			Expect(session.Err).To(gbytes.Say(dockerarg(`default`)))
+		})
+	})
+
 	Context("When passing additional_tags ", func() {
 		It("should push add the additional_tags", func() {
 			session := put(map[string]interface{}{
