Build multiarch containers on Google Cloud Build with Moby BuildKit, Docker Buildx, and QEMU.
By default, this builder starts an SSH agent, adds the default key, and forwards the agent to the build step, equivalent to:

```sh
eval "$(ssh-agent -s)"
ssh-add
docker build --ssh=default
```
You have two options for getting the private key into the builder.

The first option: store the private key in the GCP Secret Manager service, then pass the secret ID (and optionally a different GCP project ID) through environment variables like:

```yaml
steps:
  - name: misorobotics/cloudbuildx
    args: [--push, .]
    env:
      - SSH_SECRET_ID=my-secret
      - SSH_SECRET_PROJECT=my-different-project
```

With this option the builder step fetches the key and hands it to the agent itself, so nothing has to be written to a shared volume. The service account running the build needs `roles/secretmanager.secretAccessor` on that secret (in the other project, if `SSH_SECRET_PROJECT` is set).
The second option: obtain the key in a previous step and write it to a volume, then mount that volume at `/root/.ssh`, like:

```yaml
steps:
  - name: gcr.io/cloud-builders/gcloud
    entrypoint: bash
    args:
      - -c
      - |
        gcloud secrets versions access latest --secret=my-secret > /secret/id_rsa
        chmod 400 /secret/id_rsa
    volumes: [{ name: ssh, path: /secret }]
  - name: misorobotics/cloudbuildx
    args: [--push, .]
    volumes: [{ name: ssh, path: /root/.ssh }]
```

Two caveats with this route. First, the file must use one of the names `ssh-add` looks for by default (`id_rsa`, `id_ed25519`, and so on), and the `chmod 400` is not optional: `ssh-add` refuses a private key that is group- or world-readable. Second, the key now lives on a named volume for the rest of the build, so any later step that mounts the `ssh` volume can read it.
The following environment variables can be set to configure functionality:

- `MULTIARCH`: Launch QEMU to emulate additional architectures.
- `DISABLE_SSH`: Do not start and forward an SSH agent during the build. If this parameter is an empty string (or unset), an SSH agent is started and forwarded to BuildKit via the `docker build --ssh=default` option.
- `SSH_SECRET_ID`: If set, obtain the specified secret from the GCP Secret Manager service and load it into the SSH agent. This option has no effect if `DISABLE_SSH` is set.
- `SSH_SECRET_PROJECT`: If set, specify the GCP project when fetching the secret.
- `BUILDER`: The name of the buildx builder instance; set it when running multiple builders in the same environment. Defaults to `mybuilder`.
Note that technically the above shell parameters do not have to be exported to the environment, but you will probably set them using the `env` key in a `cloudbuild.yaml` file.
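To make the two key-loading options and the variables above concrete, here is a shell script written for this page as an added example; it is not the project's own entrypoint, whose implementation is not documented here. It derives the `docker buildx build` flags from `DISABLE_SSH` and `MULTIARCH`, loads the key either from Secret Manager (piped straight into `ssh-add -`, so the private key is never written to disk in the builder step) or from the `/root/.ssh` volume, and refuses a key file whose mode is too permissive before handing it to the agent. The platform list, the use of `tonistiigi/binfmt` to register QEMU, and the `RUN_BUILD` guard are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Hypothetical reconstruction of the builder's flow (not the project's own code).
# Honours DISABLE_SSH, SSH_SECRET_ID, SSH_SECRET_PROJECT, MULTIARCH and BUILDER.
set -eu

# Flags for `docker buildx build` derived from DISABLE_SSH: an empty or unset
# value means "forward the agent", anything else disables forwarding.
ssh_build_flags() {
  if [ -n "${DISABLE_SSH:-}" ]; then
    printf ''
  else
    printf '%s' '--ssh=default'
  fi
}

# Extra flag for `gcloud secrets versions access` when the secret lives in
# another project (SSH_SECRET_PROJECT).
secret_project_flags() {
  if [ -n "${SSH_SECRET_PROJECT:-}" ]; then
    printf '%s' "--project=${SSH_SECRET_PROJECT}"
  fi
}

# Platforms handed to buildx when MULTIARCH is set. The list is an assumption;
# the page does not say which architectures the builder enables.
platform_flags() {
  if [ -n "${MULTIARCH:-}" ]; then
    printf '%s' '--platform=linux/amd64,linux/arm64'
  fi
}

# Fail early on a group- or world-readable key file; ssh-add would reject it
# anyway, but with a less obvious message. Works with GNU and BSD stat.
check_key_mode() {
  key="$1"
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "refusing $key: mode $mode is too permissive" >&2; return 1 ;;
  esac
}

# Start an agent and load the key: from Secret Manager via stdin (never touching
# the filesystem), or from the volume an earlier step mounted at /root/.ssh.
start_agent_and_load_key() {
  eval "$(ssh-agent -s)" >/dev/null
  if [ -n "${SSH_SECRET_ID:-}" ]; then
    # shellcheck disable=SC2046
    gcloud secrets versions access latest --secret="${SSH_SECRET_ID}" $(secret_project_flags) | ssh-add -
  else
    for key in /root/.ssh/id_ed25519 /root/.ssh/id_rsa; do
      if [ -f "$key" ]; then
        check_key_mode "$key"
        ssh-add "$key"
      fi
    done
  fi
}

main() {
  builder="${BUILDER:-mybuilder}"
  if [ -n "${MULTIARCH:-}" ]; then
    # Register QEMU binfmt handlers so buildx can run foreign-arch build steps.
    docker run --privileged --rm tonistiigi/binfmt --install all
  fi
  docker buildx create --name "$builder" --use 2>/dev/null || docker buildx use "$builder"
  if [ -z "${DISABLE_SSH:-}" ]; then
    start_agent_and_load_key
  fi
  # shellcheck disable=SC2046
  docker buildx build $(platform_flags) $(ssh_build_flags) "$@"
}

# Only run the build when explicitly asked, so the helpers can be sourced alone.
if [ "${RUN_BUILD:-}" = "1" ]; then
  main "$@"
fi
```

Run it as `RUN_BUILD=1 SSH_SECRET_ID=my-secret ./build.sh --push .` to mirror the first option, or with the `ssh` volume mounted at `/root/.ssh` and no `SSH_SECRET_ID` to mirror the second. The mode check is what turns the "too open" case into an immediate, readable failure instead of a build that breaks later at the first `RUN --mount=type=ssh` step.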