For my organization I am building a GitLab CI/CD pipeline for one of our projects. One job in this pipeline will be executed on a Docker executor GitLab runner running on one of our own servers. The job involves using image docker:20.10.20 together with service docker:20.10.20-dind. The goal is to build a Docker image from my project that is uploaded to the project's container registry hosted on gitlab.com itself (so NOT on Amazon ECR). I have this up and running with the following job configuration in .gitlab-ci.yml:

docker-image-build:
  stage: Docker image build
  image: docker:20.10.20
  services:
    - name: docker:20.10.20-dind
      alias: docker
  tags:
    - docker-runner
  script:
    - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin
    - docker build --pull -m 3g --memory-swap -1 -t $CI_REGISTRY_IMAGE --build-arg FOO=$FOO --build-arg BAR=$BAR .
    - docker push $CI_REGISTRY_IMAGE

However, at the docker login command in the script I get a cybersecurity-related warning:

Login Succeeded
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Storing credentials unencrypted in an artefact that might stick around is a big problem for us, as we are very concerned about cybersecurity. However, I can't seem to find a way to install docker-credential-helpers in the docker-in-docker container. (I'd like to or think I have to use the `pass`-based credential helper.) It seems to be a very barebone Linux image without a package manager or compiler. It only has tools such as wget and tar, so I could be able to download binaries and I can in fact install the `docker-credential-pass` binary itself. But I'm mostly stuck with no way to get `pass` installed, let alone its dependency `gpg` along with a sufficient source of entropy.

I'm stuck and don't know how to proceed. Any suggestions would be very appreciated. Should I switch to a shell executor in this case?

Thank you in advance!
Joshua
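As an added example that is not part of the original post, a small POSIX sh helper set for the job script: it detects the inline base64 credential the warning refers to, shows that it decodes to plain user:password, and scrubs the Docker CLI config before the job ends so nothing is left behind on the runner. It assumes only tools present in busybox-based images such as docker:20.10.20 (grep, sed, tr, base64, mktemp); `docker logout` is the real Docker CLI command, and the sample config.json is constructed, with a fake token.

```shell
#!/bin/sh
# Added example, not code from the original post. Without a credential
# helper, `docker login` writes base64("user:password") as the "auth" value
# of $DOCKER_CONFIG/config.json (default /root/.docker/config.json), which is
# exactly what the WARNING refers to. Assumes only POSIX sh + busybox tools.

# Lists every registry in a config.json that carries an inline "auth" value.
# Returns 0 when at least one such entry exists, 1 when the file is clean.
inline_auth_registries() {
  cfg="$1"
  [ -f "$cfg" ] || return 1
  # Flatten the JSON, pull each `"host": { ... "auth": "..." }` object,
  # then keep only the host name. A "credsStore" setup has no "auth" keys.
  found=$(tr -d '\n' < "$cfg" |
    grep -o '"[^"]*" *: *{[^{}]*"auth" *: *"[^"]*"' |
    sed 's/^"\([^"]*\)".*/\1/')
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Decodes the first inline value to show it is just user:password.
decode_inline_auth() {
  tr -d '\n' < "$1" |
    grep -o '"auth" *: *"[^"]*"' |
    sed 's/.*"auth" *: *"\([^"]*\)"/\1/' |
    head -n 1 | base64 -d
}

# Job-end cleanup (e.g. in after_script): log out of the registry and delete
# the config file, then verify nothing with an inline "auth" survives.
# Argument: config dir; defaults to $DOCKER_CONFIG, then $HOME/.docker.
scrub_docker_config() {
  cfg_dir="${1:-${DOCKER_CONFIG:-$HOME/.docker}}"
  if command -v docker >/dev/null 2>&1 && [ -n "$CI_REGISTRY" ]; then
    docker logout "$CI_REGISTRY" >/dev/null 2>&1 || true
  fi
  rm -f "$cfg_dir/config.json"
  ! inline_auth_registries "$cfg_dir/config.json" >/dev/null
}

# Constructed sample in the shape docker login writes (token is fake).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_AUTH=$(printf '%s' 'gitlab-ci-token:example-token' | base64)
printf '{\n  "auths": {\n    "registry.gitlab.com": {\n      "auth": "%s"\n    }\n  }\n}\n' \
  "$SAMPLE_AUTH" > "$SAMPLE_DIR/config.json"

inline_auth_registries "$SAMPLE_DIR/config.json"   # prints registry.gitlab.com
decode_inline_auth "$SAMPLE_DIR/config.json"; echo # gitlab-ci-token:example-token
scrub_docker_config "$SAMPLE_DIR" && echo "config scrubbed"
```

In the job itself, `scrub_docker_config` belongs in `after_script` so it runs even when `docker build` or `docker push` fails; it complements, rather than replaces, a credential helper.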
