Building docker images with two Dockerfiles

First, we need a Dockerfile that can fetch and build the project:

FROM fedora:23
RUN dnf install -y git
# this is the private key you DON'T want to get leaked
COPY id_rsa /
# just for the demo; we are not using the key actually
RUN git clone https://github.com/TomasTomecek/sen /project && \
    cd /project && \
    python3 ./setup.py build
    # make clean would make sense here

Let's get the key:

cp -a ~/.ssh/id_rsa id_rsa

And don't forget to exclude the key in .gitignore so it is never committed!

printf "id_rsa\n" >.gitignore

Build time!

docker build --tag=build-image .

We can now copy the build artifact out of the build container:

docker create --name=build-container build-image cat
docker cp build-container:/project ./build-artifact

You are free to inspect and post-process the artifact:

ls -lha ./build-artifact

Is everything fine? If so, let's build the final image.

docker build -f Dockerfile.release --tag=sen .

Is the key in the final image?

cat ./test-if-key-is-present.sh
if docker run sen test -f /id_rsa
then
  printf "Key is in final image!\n"
  exit 2
else
  printf "Key is not in final image.\n"
fi
./test-if-key-is-present.sh
Key is not in final image
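
The test above only inspects the final image's merged filesystem, so a key that was copied in one layer and deleted in a later one would pass it while still sitting in the image's layers. The following is an added example (not part of this repository) that scans every layer of a `docker save` archive for a file named `id_rsa` or for a private-key header. The function names and the sample archive are constructed for illustration.

```python
import io
import tarfile

KEY_MARKER = b"PRIVATE KEY-----"  # tail of PEM / OpenSSH private key headers

def find_key_in_layers(archive, key_name="id_rsa"):
    """Scan every layer of a `docker save` archive; return [(layer, path), ...]."""
    hits = []
    with tarfile.open(fileobj=archive, mode="r:*") as image:
        for entry in image:
            if not entry.isfile():
                continue
            blob = io.BytesIO(image.extractfile(entry).read())
            try:
                layer = tarfile.open(fileobj=blob, mode="r:*")
            except tarfile.TarError:
                continue  # manifest or config JSON, not a layer tarball
            with layer:
                for member in layer:
                    if not member.isfile():
                        continue
                    head = layer.extractfile(member).read(4096)
                    if member.name.split("/")[-1] == key_name or KEY_MARKER in head:
                        hits.append((entry.name, member.name))
    return hits

def _tar(files):
    """Pack {name: bytes} into an uncompressed tar and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_archive(leaky):
    """Constructed stand-in for `docker save` output; not a real image or key."""
    base = {"etc/os-release": b"NAME=Fedora\n"}
    top = {"project/sen/__init__.py": b""}
    if leaky:  # key copied in one layer, deleted (whiteout file) in the next
        base["id_rsa"] = b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n"
        top[".wh.id_rsa"] = b""
    layers = {"manifest.json": b"[]", "l1/layer.tar": _tar(base), "l2/layer.tar": _tar(top)}
    return io.BytesIO(_tar(layers))

if __name__ == "__main__":
    for layer, path in find_key_in_layers(sample_archive(leaky=True)):
        print(f"key material in {layer}: {path}")
```

For a real image, write it out with `docker save sen -o sen.tar` and pass `open("sen.tar", "rb")` to `find_key_in_layers`. Scanning `build-image` the same way shows the layer that does hold the key, which is why that image should never be pushed.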

You can also run the whole example by executing:

./build.sh

Here's a blog post about this feature.