Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option to mount host ssh agent (--ssh) #382

Merged
merged 3 commits into from
Jan 26, 2023

Conversation

tphoney
Copy link

@tphoney tphoney commented Jan 17, 2023

This allows adding of multiple ssh keys to a build,
eg

kind: pipeline
type: docker
name: default
steps:
  - name: docker
    image: plugins/docker:latest
    pull: never
    environment:
    settings:
      dockerfile: Dockerfile
      tags:
        - silly
      repo: tphoney/bash
      ssh_agent_key: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJGd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFRRUE0dVZJRTVJUjZmemY4Q1R5N3dVU2UrY25ZTUxHRWJrTEtENWRTYjRqc0ExODlmOE9YSUpzCmYzZHNqWkl4eVoyUHlTU3lLUkNtaHluYk8rajZaSjBPMnVaWWI2VU9EQW5VZGdtMlduUkZIL2xUYkJNN0RMSVh5bG5HYXUKVzVpZm1aVzllem1Sc09XN1JHU2hDSVprNmZZUHRWT1lhTE5WN3ArREZjZkRRcmxETWdMK1hkbWthS3NadTNTZXBYa1VQMwpuMHdPUkdlMExzTm9pcnpCQmcveWdDVTQ0SDBEdjhzUm1OVUZIWEVleWZwOTFRYjQ3UWdCOVVlbERlQXJwQ1BXVHZqMHBUCnJBQlJqU0hpVXpQcXVDZVU4VVpoTnJidjV0VVN4Q1RZclJERERLdDZwWWp1V0tMZUM0czFCbnVDWVdCWSsvaS9pMXFTS3cKaElpckFpdGNsd0FBQThCTTBTK0VUTkV2aEFBQUFBZHpjMmd0Y25OaEFBQUJBUURpNVVnVGtoSHAvTi93SlBMdkJSSjc1eQpkZ3dzWVJ1UXNvUGwxSnZpT3dEWHoxL3c1Y2dteC9kMnlOa2pISm5ZL0pKTElwRUthSEtkczc2UHBrblE3YTVsaHZwUTRNCkNkUjJDYlphZEVVZitWTnNFenNNc2hmS1djWnE1Ym1KK1psYjE3T1pHdzVidEVaS0VJaG1UcDlnKzFVNWhvczFYdW40TVYKeDhOQ3VVTXlBdjVkMmFSb3F4bTdkSjZsZVJRL2VmVEE1RVo3UXV3MmlLdk1FR0QvS0FKVGpnZlFPL3l4R1kxUVVkY1I3SgorbjNWQnZqdENBSDFSNlVONEN1a0k5Wk8rUFNsT3NBRkdOSWVKVE0rcTRKNVR4Um1FMnR1L20xUkxFSk5pdEVNTU1xM3FsCmlPNVlvdDRMaXpVR2U0SmhZRmo3K0wrTFdwSXJDRWlLc0NLMXlYQUFBQUF3RUFBUUFBQVFBRWVSaXVxaGFJVWwvbjBCS3AKKzZPZHBiVDFCMkg0UDNtazFYWHBXa0pCMmtJNFowclZNQTBMaGtNeGwwdzcrVXM0WCt6VE9tek9CVms1R1NLMmtSSVY1cQp5ZnB0VmNEMldNM2l3bUpGeW9nTFhRVDZDK1kxUnN2TkJZa3liUlBZWjBkUkFwV0lzejY1M25IK1JRZ0FSTVdTZ1k5am9RClYwcXRoZXVZMXo1MHNYUFVSTHdZWDJqS252SmJHVHlNVUlya1prS3RwZG5wUnd6ZUZ5L0dUREpnQnVJQmJtbUtWVGdLNFcKR0daOTJScFFxeUo2N081T3RSVW5lQ3hHSEd2TVE5dDJyRnRnRjVrclBXQVl4UXI5K00yQU84YUZZTFBERW40VUlrcnM0TgpSS3Q3eVZveElzd3Z3YUtFM01rZlJDUnY4V1RFNDBkdWpmSmh0dVMyVzJMaEFBQUFnUUNIQ2FqRytTV2hHbThHUzJ6MC9DCkg2U2xGZVZYQm9LYTVkWUhtSTNCWUpMVGJkRytKaFlHUm1OZ1UyeVozayt0dGVMV0ZOdjFmSXVreFRoRVBVRXpidk8xSzcKWm9yMHJ1bkRudzJ4ZUlTa0dzOHBUYlRCblRyc3hXZHZuTHVyeFIrTjBYT2tGc0tsUUw5NFYzK081OHlWSW9PVmN3dWRiMApleUxvYndEeGM1dlFBQUFJRUE4bVM0VytlaTc0SkVtTXBGSlh5VGgwbzBKblZGVFdlUisranRsWGo3NlV3ampKUURLVWpKCkFxblZSdzJzbFFxL2pQbE1DREtZQVBNdnYwOGk1ZDdFUEpXdWRGMldjNHpUY1lPakZDczdGZnc1RXpnVWRra3lNVzh4dkQKdHkxYmxjYTFKSGpadUkvT2RHTXRBYmJIU0R4d0Nxb0tEUGFKOWNpZmFaenlXS1NVc0FBQUNCQU8raDJqYjZFWXJ1WnNicApJMGpDQzczUlRHWFlpbERDUDBQOEpzYVp3OXBsc0cyZm5PNGhxQWI4KzdNQ0JMM0I0aHNHRHNNS2lvTldpM0tUOWpyWmVmClVyZlNEeXJzTndUMmJOd0VaQzlMeGxaU1dONGZCNktPTVp4ZEF3QmdEYlo2UkNXT1BSNEtZaHlOVnhOdmRLaEQveGdyTjQKT3F5VGFIRWZnMkdPOEJabEFBQUFDblJ3UURZNU5GUlJOek09Ci0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=
      dry_run: true

then in the dockerfile, you can reference particular keys

#syntax=docker/dockerfile-upstream:master-experimental

FROM alpine
RUN apk add --no-cache openssh-client \
   && adduser -u 100 -h /example -S example example

USER example
RUN --mount=type=ssh,uid=100 ssh-add -L

ohenning and others added 2 commits January 17, 2023 12:43
missed error check

add debugging

fix empty val for SSHAgent

fix flag type

remove []

debug

base64 encode ssh key

fix

remove debug output

code cleanup

Update docker.go
@tphoney tphoney added the enhancement New feature or request label Jan 17, 2023
@tphoney tphoney force-pushed the enable-ssh-agent branch 3 times, most recently from 61d2c99 to a2f8157 Compare January 23, 2023 11:54
@tphoney
Copy link
Author

tphoney commented Jan 23, 2023

@ohenning @bkk-bcd due to limitations in drone for secret handling, i ended up limiting the number of keys that can be passed to just one. it will use the default project id in the dockerfile. does this look ok ?

@bradrydzewski
Copy link
Member

@tphoney I noticed we were base64 decoding the ssh key. Is the idea that the end user encodes the ssh key and saves as a secret, and then the plugin decodes?

@tphoney
Copy link
Author

tphoney commented Jan 24, 2023

@tphoney I noticed we were base64 decoding the ssh key. Is the idea that the end user encodes the ssh key and saves as a secret, and then the plugin decodes?

Yeah that is the plan, as the keys are multiline

@bradrydzewski
Copy link
Member

@tphoney we have a few other plugins that accept ssh keys as input parameters, however, they do not require the user to base64 encode the values. Do we need to base64 encode, or can we omit the encoding requirement to align with existing plugins? Here is an example or prior art:
https://github.com/appleboy/drone-git-push/blob/b91096f0472c43fa451775c27f8a0223754ac271/repo/key.go#L18

Most ssh keys are pem encoded and can be safely copied / pasted into our user interface when creating the secret. If using the command line to create secrets, we provide an option to create the secret from a file. The key could also be added to the yaml using block scalar syntax (example below) although I suspect most people would use secrets.

ssh_agent_key: |-
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIW+BK6UQtCPACAggA
    MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCIvU4FD31mkYR76ugTEhuwBIIJ
    UJPHGeObOC1lHMrTTKhdyiekEcJhCO3rzP/gqVpqXkjhUASTWEsE9LEcuGKdrzAN
    Dsy/WL9revg9UAQtGAk8WTSqWhv5JaCC4FqLGirqLMzhU51Jf4GbmCOWAWGP7TZu
    QEfBUexTcFVf13cVX7LFGOAZ3yIvFc3sfl5nyYY9Nerk8MxUOW+9Ck5loTEzMj9j
    xJf5RsNvcoGVg33Rf7vl2xFIAD+PFdehd8n2CveQ48LJ9Zfn0gsRPQrPL+02Nlhu
    7f44uW/Vq2YqG3PN1n8GUTexvF/qCKkd2T2QmHYnK9cryRn0xHvzSjSsQls170sA
    Svu0sdTwh1tIs/sxRGuSta+iXPfHJnW4sZzh/2lAMvkgML6h9JAeIYV6e/qUqYSq
    GxSfj7s0Qs0K5e3Xv1lCQUhSz82fBysznjeAhWa45YEV
    -----END ENCRYPTED PRIVATE KEY-----

@bkk-bcd
Copy link

bkk-bcd commented Jan 24, 2023

@tphoney we have a few other plugins that accept ssh keys as input parameters, however, they do not require the user to base64 encode the values. Do we need to base64 encode, or can we omit the encoding requirement to align with existing plugins? Here is an example or prior art: https://github.com/appleboy/drone-git-push/blob/b91096f0472c43fa451775c27f8a0223754ac271/repo/key.go#L18

Most ssh keys are pem encoded and can be safely copied / pasted into our user interface when creating the secret. If using the command line to create secrets, we provide an option to create the secret from a file. The key could also be added to the yaml using block scalar syntax (example below) although I suspect most people would use secrets.

ssh_agent_key: |-
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIW+BK6UQtCPACAggA
    MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCIvU4FD31mkYR76ugTEhuwBIIJ
    UJPHGeObOC1lHMrTTKhdyiekEcJhCO3rzP/gqVpqXkjhUASTWEsE9LEcuGKdrzAN
    Dsy/WL9revg9UAQtGAk8WTSqWhv5JaCC4FqLGirqLMzhU51Jf4GbmCOWAWGP7TZu
    QEfBUexTcFVf13cVX7LFGOAZ3yIvFc3sfl5nyYY9Nerk8MxUOW+9Ck5loTEzMj9j
    xJf5RsNvcoGVg33Rf7vl2xFIAD+PFdehd8n2CveQ48LJ9Zfn0gsRPQrPL+02Nlhu
    7f44uW/Vq2YqG3PN1n8GUTexvF/qCKkd2T2QmHYnK9cryRn0xHvzSjSsQls170sA
    Svu0sdTwh1tIs/sxRGuSta+iXPfHJnW4sZzh/2lAMvkgML6h9JAeIYV6e/qUqYSq
    GxSfj7s0Qs0K5e3Xv1lCQUhSz82fBysznjeAhWa45YEV
    -----END ENCRYPTED PRIVATE KEY-----

I had issues with this working without the base64 encoding in place. If you can pull this PR down and provide a test case that works without it, we can use to verify? Maybe I was doing something else wrong? It's probably the multline issue @tphoney mentions above...

@bkk-bcd
Copy link

bkk-bcd commented Jan 24, 2023

@ohenning @bkk-bcd due to limitations in drone for secret handling, i ended up limiting the number of keys that can be passed to just one. it will use the default project id in the dockerfile. does this look ok ?

For my use case one key is fine, its foreseeable that other folks might need more than one.

I'm not sure what you mean by project ID in this context, can you point me to the code?

@bradrydzewski
Copy link
Member

bradrydzewski commented Jan 25, 2023

We have a number of plugins that accept multi-line values (ssh keys, json values, etc) as inputs that do not require base64 encoding, so I am certain this will work. We use some of these plugins in our own pipelines (example). You can use the below yaml to confirm that Drone supports passing mutli-line values to plugins and retains newlines.

kind: pipeline
name: default

steps:
  - name: test
    image: alpine
    settings:
      ssh_key: |-
        -----BEGIN ENCRYPTED PRIVATE KEY-----
        MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIW+BK6UQtCPACAggA
        MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCIvU4FD31mkYR76ugTEhuwBIIJ
        UJPHGeObOC1lHMrTTKhdyiekEcJhCO3rzP/gqVpqXkjhUASTWEsE9LEcuGKdrzAN
        Dsy/WL9revg9UAQtGAk8WTSqWhv5JaCC4FqLGirqLMzhU51Jf4GbmCOWAWGP7TZu
        QEfBUexTcFVf13cVX7LFGOAZ3yIvFc3sfl5nyYY9Nerk8MxUOW+9Ck5loTEzMj9j
        xJf5RsNvcoGVg33Rf7vl2xFIAD+PFdehd8n2CveQ48LJ9Zfn0gsRPQrPL+02Nlhu
        7f44uW/Vq2YqG3PN1n8GUTexvF/qCKkd2T2QmHYnK9cryRn0xHvzSjSsQls170sA
        Svu0sdTwh1tIs/sxRGuSta+iXPfHJnW4sZzh/2lAMvkgML6h9JAeIYV6e/qUqYSq
        GxSfj7s0Qs0K5e3Xv1lCQUhSz82fBysznjeAhWa45YEV
        -----END ENCRYPTED PRIVATE KEY-----
    commands:
    - echo -n "$PLUGIN_SSH_KEY"

Here are the results of the above yaml using drone exec

[test:1] latest: Pulling from library/alpine
[test:2] Digest: sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a
[test:3] Status: Image is up to date for alpine:latest
[test:4] + echo -n "$PLUGIN_SSH_KEY"
[test:5] -----BEGIN ENCRYPTED PRIVATE KEY-----
[test:6] MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIW+BK6UQtCPACAggA
[test:7] MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCIvU4FD31mkYR76ugTEhuwBIIJ
[test:8] UJPHGeObOC1lHMrTTKhdyiekEcJhCO3rzP/gqVpqXkjhUASTWEsE9LEcuGKdrzAN
[test:9] Dsy/WL9revg9UAQtGAk8WTSqWhv5JaCC4FqLGirqLMzhU51Jf4GbmCOWAWGP7TZu
[test:10] QEfBUexTcFVf13cVX7LFGOAZ3yIvFc3sfl5nyYY9Nerk8MxUOW+9Ck5loTEzMj9j
[test:11] xJf5RsNvcoGVg33Rf7vl2xFIAD+PFdehd8n2CveQ48LJ9Zfn0gsRPQrPL+02Nlhu
[test:12] 7f44uW/Vq2YqG3PN1n8GUTexvF/qCKkd2T2QmHYnK9cryRn0xHvzSjSsQls170sA
[test:13] Svu0sdTwh1tIs/sxRGuSta+iXPfHJnW4sZzh/2lAMvkgML6h9JAeIYV6e/qUqYSq
[test:14] GxSfj7s0Qs0K5e3Xv1lCQUhSz82fBysznjeAhWa45YEV
[test:15] -----END ENCRYPTED PRIVATE KEY-----

@bkk-bcd
Copy link

bkk-bcd commented Jan 25, 2023

I'll defer to @tphoney on this one, I wasn't able to get it to work 🤷

It is worth noting we use starlark.

@tphoney
Copy link
Author

tphoney commented Jan 25, 2023

@bkk-bcd

I'm not sure what you mean by project ID in this context

https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066 explains it pretty well, it is at the bottom of the blog post.
basically if you have multiple ssh keys to use, you use project id's to refer to the keys inside of your docker file.

@bradrydzewski i made the changes to use the raw key, looks good.

@tphoney tphoney merged commit 2dcf4a5 into drone-plugins:master Jan 26, 2023
@jimsheldon jimsheldon mentioned this pull request Mar 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants