Tag: guide

Using environment secrets as build arguments in Google Cloud Build

December 27, 2018 » Geek

Google Cloud Build is a pretty nice tool for building your docker images continually, and cloud-build-local is pretty great for working on your images in dev. All around, a nice piece of kit to have in a Kubernetes shop.

The docs are pretty good, but one thing that I’ve recently dealt with did not show up in my searching; how to use an environment secret as a build argument to Docker. So here’s how I found to do it.

First, we will follow the encrypted secrets guide to get a secret wrapped up by KMS.

Next, we will create a super simple Dockerfile to show how it is used.

Last, we set up the cloudbuild.yaml. In the documentation demo files they use a shell entrypoint to access the environment variable.

However, it would be nicer to not have to stringify our whole Docker build command.

Luckily, using --build-arg without a value falls through to the environment variable of the same name.

So, we can just use it directly:

Testing locally, it happily runs:

It is worth noting that using build args for secrets is not recommended. Anyone with the image can see what the argument passed in was.

Docker 18.09, added build secrets for a better solution, but GCB is still running Docker 17.12, so we will have to wait for that update.

A gist of the code is available at: https://gist.github.com/jmhobbs/a572b47048eb42803bcb2102ac57a8df

Using Let’s Encrypt With Dreamhost

December 8, 2015 » Geek

2016-01-28

As pointed out in the comments, Dreamhost now supports Let’s Encrypt in the panel. No more workaround needed!

Let’s Encrypt has entered public beta, which means I should probably play with it!

This website is hosted on Dreamhost, which has a round about way of installing SSL certs, but it’s not too bad.

First, you have to go to your Dreamhost panel, then “Secure Hosting” and select “Add Secure Hosting”

Add Secure Hosting

From here, you pick your domain you want to secure. It’s a little bit wonky, in that it doesn’t show www. domains as subdomains in this list, so if you use that, you’ll need to just select the parent domain.

Doing this will issue you a self-signed certificate which will throw up scary browser warnings. We will fix that next.

I chose to run Let’s Encrypt on my laptop, so I followed the user guide to get things installed. Basically just a git clone.

Next you have to begin the request process.

  • certonly states that we only want a certificate generated, not installed.
  • --manual means that we are going to manually authenticate it.
  • --debug is used with the OS X version because it is experimental.

This will probably download some junk with homebrew, then it’s going to ask you some questions, the greatest of which is what domain you want to use.

With this in hand, it will generate an authentication string that you need to put into a file on the server.

Once you do that, it spits out your certificate into /etc/letsencrypt/live/[domain]

Back on the Dreamhost panel, you’ll want to click on “Edit” for the domain we are securing, then select “Manual Configuration”.

Edit Secure Hosting

You can clear the CSR field and then into the “Certificate” field, enter the content from cert.pem.

Into “Intermediate Certificate” I placed the contents of chain.pem

Lastly, we have to change the format of the private key file to one Dreamhost understands.

Then we paste privkey.key into the Dreamhost interface for “Private Key”, save and wait for our new certificate to get installed.

Editing Certificates

It’s magic!

Add Secure Hosting

Now I just have to fix all my asset URLs too…

Tags: , , ,