1

We currently host our Ruby on Rails site on Google Container Engine. I am in the process of migrating our deploy from a third-party CI to the new Google Container Builder. The only thing blocking me is installing our gems from private GitHub repos. I have already created an SSH key stored in cloud storage that I load with the gsutil command. I have ensured the key is there and with correct file permissions (using a simple busybox ls build step) but am at a loss how to get Bundler/git to use this later on. I've tried a few solutions using environment variables from this answer (e.g. GIT_SSH_COMMAND) without success.

I have this working on our current CI by adding the SSH key and using ssh-add so git can find it later. However the base Google image doesn't seem to be using ssh-agent.

Any suggestions (or hacks :) to get around this?

Jared S
  • 380
  • 4
  • 14

3 Answers

4

I'll lay out two options for you.

1) Since you've got your ssh key in cloud storage, you can pull it from there into your build context using the gsutil cloud-builder. The README has examples for copying files from GCS into the build workspace.

Note that you may have to set up the Builder Service Account to have read access to the GCS object containing the credentials.

Once you've got the credentials in the workspace, you ought to be able to do what you want with them.

2) If you connect your GitHub repository to a Cloud Source Repository, you could then pull in the source directly from there, assuming your Builder Service Account has access to the CSR. (If it's in the same project, it will have read access by default.)

Full disclosure: I'm a Googler on the engineering team behind Container Builder.

David Bendory
  • 1,258
  • 8
  • 14
4

Okay, after getting some help from the Google team and trial and error, I found the following strategy effective.

In my cloudbuild.yaml I added the following build step:

- name: ruby:2.2
  args: ['bash', './devops/cloud_bundle_install.sh']

Where ./devops/cloud_bundle_install.sh is the following:

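# Start an agent for this build step and export its environment.
eval `ssh-agent`
mkdir -p /root/.ssh
# Record the host key github.com presents so git does not prompt.
ssh-keyscan github.com >> ~/.ssh/known_hosts
# Move the key fetched by the gsutil step out of the workspace.
mv /workspace/<KEY_DOWNLOADED_VIA_GSUTIL> ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
# Add the key from its new location (it no longer exists under /workspace).
ssh-add ~/.ssh/id_rsa
bundle package --all --all-platforms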

Jared S
  • 380
  • 4
  • 14
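An agent-less variant of the script above, as an added example that is not part of the original answers: it passes the key to git through GIT_SSH_COMMAND (the variable mentioned in the question) with explicit paths, and uses a known_hosts file pinned in the repository instead of running ssh-keyscan at build time, which accepts whatever host key the network returns. The function name `setup_git_ssh` and all paths are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers). The function name
# setup_git_ssh and every path passed to it are illustrative assumptions.

# setup_git_ssh KEY_SRC KNOWN_HOSTS_SRC SSH_DIR
#   KEY_SRC          private key fetched earlier (e.g. by the gsutil step)
#   KNOWN_HOSTS_SRC  known_hosts file pinned in the repo, not fetched at build time
#   SSH_DIR          directory outside /workspace that will hold both files
setup_git_ssh() {
  local key_src="$1" hosts_src="$2" ssh_dir="$3"

  [ -s "$key_src" ] || { echo "missing key: $key_src" >&2; return 1; }
  # Refuse to continue without a pinned github.com host key.
  grep -q '^github\.com[ ,]' "$hosts_src" 2>/dev/null ||
    { echo "no github.com entry in $hosts_src" >&2; return 1; }

  # Create the files owner-only from the start instead of chmod-ing afterwards.
  (
    umask 077
    mkdir -p "$ssh_dir" &&
    cat "$key_src" > "$ssh_dir/id_rsa" &&
    cat "$hosts_src" > "$ssh_dir/known_hosts"
  ) || return 1
  chmod 700 "$ssh_dir"          # in case the directory already existed
  chmod 600 "$ssh_dir/id_rsa"

  # Remove the key from the shared workspace so later steps cannot read it.
  rm -f "$key_src"

  # Explicit paths: nothing depends on where ssh looks for ~/.ssh or on an agent.
  export GIT_SSH_COMMAND="ssh -i $ssh_dir/id_rsa -o IdentitiesOnly=yes \
-o UserKnownHostsFile=$ssh_dir/known_hosts -o StrictHostKeyChecking=yes"
}

# When run as a script with three arguments, set up ssh and install the gems.
if [ "$#" -eq 3 ]; then
  setup_git_ssh "$@" && bundle package --all --all-platforms
fi
```

With StrictHostKeyChecking=yes the build fails if github.com presents a key that is not in the pinned file, rather than silently accepting it.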
0

Simpler version:

cloudbuild.yaml:

  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    args: ['gsutil', 'cp', '-r', 'gs://artifacts.<PROJECT-ID>.appspot.com/.ssh', '/builder/home/']
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: /bin/bash
    args: ['-c', 'chmod 400 /builder/home/.ssh/build']
  - name: 'gcr.io/cloud-builders/gcloud'
    args: [ 'beta', 'compute', 'ssh', '--zone=<ZONE>', 'build@<INSTANCE-ID>', '--ssh-key-file=/builder/home/.ssh/build', '--', 'ls -al' ]
rantoniuk
  • 1,083
  • 12
  • 18