如何将Github secret(json文件)传递给Dockerfile

xmd2e60i  于 2023-03-17  发布在  Docker
关注(0)|答案(3)|浏览(138)

我想通过Github操作使用CICD在Docker容器中部署我的DBT/Bigquery项目。我很难将GCP凭据放入容器中。我将凭据放入Github secret中,因为显然我无法将凭据文件放入Github中。我如何将Github secret作为参数传递给keyfile.json,以便将其复制到容器中?
我的停靠文件:

FROM fishtownanalytics/dbt:0.21.0

ARG RUN_TARGET=foo

RUN groupadd --gid 50000 docker && \
    useradd --home-dir /home/docker --create-home --uid 50000 --gid 50000 --skel /dev/null docker

USER docker

RUN mkdir /home/docker/.dbt
# Ordering is least to most frequently touched folder/file
COPY profiles.yml /home/docker/.dbt/profiles.yml
COPY keyfile.json /home/docker/keyfile.json
COPY macros /home/docker/macros
COPY dbt_project.yml /home/docker/dbt_project.yml
COPY models /home/docker/models

WORKDIR /home/docker/

# Run dbt on container startup.
CMD ["run"]

我的github/workflows/main.yml文件看起来如下所示:

name: Build and Deploy to dbt project

on: push

jobs:  
  build-and-push:

    runs-on: ubuntu-latest
    
    steps:

      - name: Checkout repository
        uses: actions/checkout@v2

      - name: dotenv-load
        id: dotenv
        uses: falti/dotenv-action@v0.2.7

      - name: Set up Python 3.9
        uses: actions/setup-python@v2
        with:
          python-version: 3.9

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

      - name: Configure Docker
        run: gcloud auth configure-docker -q  

      - name: Build and push Docker  
        uses: mr-smithers-excellent/docker-build-push@v5
        with:
          image: repo/image
          tags: v1, latest
          registry: eu.gcr.io
          username: _json_key
          password: ${{ secrets.GCP_SA_KEY }}

这会在生成时产生以下错误:

COPY failed: file not found in build context or excluded by .dockerignore: stat keyfile.json: file does not exist

我尝试过将github secret作为build-args传递,但没有成功。
或者,将凭据放在容器中确实是一种不好的做法,我应该用不同的方法来处理它吗?

2hh7jdfx

2hh7jdfx1#

后续的gcloud命令在下面的步骤之后对我有效。尝试在您的结帐步骤之后立即添加它。

- name: Set up gcloud
    uses: google-github-actions/setup-gcloud@master
    with:
      service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
      project_id: ${{ secrets.GCP_PROJECT_ID }}
72qzrwbm

72qzrwbm2#

我最终使用宣誓方法进行身份验证:

jaffle_shop:
  target: dev
  outputs:
    dev:
      type: bigquery
      method: oauth
      project: project_name
      dataset: dataset_name
      threads: 1
      timeout_seconds: 300
      location: europe-west4 # Optional, one of US or EU
      priority: interactive
      retries: 1
name: Build and Deploy to dbt project

on: push

jobs:  
  build-and-push:

    runs-on: ubuntu-latest
    
    steps:

      - name: Checkout repository
        uses: actions/checkout@v2

      - name: dotenv-load
        id: dotenv
        uses: falti/dotenv-action@v0.2.7
      
      - name: get sha
        id: vars
        run: |
          echo ::set-output name=sha_short::$(git rev-parse --short=8 ${{ github.sha }})
      - name: Set up Python 3.9
        uses: actions/setup-python@v2
        with:
          python-version: 3.9

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

      - name: Login
        uses: google-github-actions/setup-gcloud@master
        with:
          project_id: ${{ steps.dotenv.outputs.GCP_PROJECT }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          export_default_credentials: true

      - name: Configure Docker
        run: gcloud auth configure-docker -q  

      - name: Build and push Docker  
        uses: mr-smithers-excellent/docker-build-push@v5
        with:
          image: repo/image
          tags: v1, latest
          registry: eu.gcr.io
          username: _json_key
          password: ${{ secrets.GCP_SA_KEY }}
wtlkbnrh

wtlkbnrh3#

您也可以使用base64编码的JSON字符串,我认为这是将JSON对象传递到GithubActions的首选方法,然后在您的Dockerfile中解码该字符串。
在一篇博客文章here中解释了这一点。

相关问题