Setting env var with secret for docker build in Google Container Builder request YAML

7/19/2017

We use Sinopia for our npm repo and the credentials (.npmrc file in the home or current dir.) are necessary for a build. Up until today, I've avoided persisting these credentials in the code, of course, and also kept them out of docker image layers by passing an env var that is set with the contents of the .npmrc credentials file. Then during the build:

ARG NPMRC
RUN printf '%s\n' "$NPMRC" > .npmrc && npm install && rm .npmrc  # && so a failed install fails the build instead of being masked by rm

... all in one RUN, which avoids persisting a layer with the secret in it.

But I'm trying to set up container build requests using YAML files to set the env var, and failing. The build-request.yaml has to be in the code, so I can't put the secret in there, and I've tried adding --build-arg NPMRC="$(<.npmrc)" after copying the file from buckets: no errors, but auth fails.

I'm trying to create the build args using an incantation like this: [..., '--build-arg', 'NPMRC=\""$(< ./.npmrc)"\"', ....]. This shows in the build history as

... build --build-arg "NPMRC=\""$(cat ./.npmrc)"\"" -t

... which AFAICT is correct if bash gets hold of the subshell like I think it should:

echo "NPMRC=\""$(cat ./.npmrc)"\"" -> NPMRC="_auth=...."

Looking for solutions others may have found

-- Rondo
google-cloud-platform
google-container-builder
google-container-registry
google-kubernetes-engine
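An added example, not code from the original post, illustrating why the incantation above cannot work: Container Builder hands each element of a step's args list to the builder image as one literal argv entry, with no shell in between, so "$(< ./.npmrc)" reaches docker as those exact characters. Only when a shell reads the command line (for example entrypoint: bash with args: ['-c', '...']) does the substitution happen. The script below stands in a throwaway fake-docker script for the docker CLI and a constructed sample .npmrc (assumptions of this example; not the poster's files) and shows the build-arg value in both cases.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post).
# Contrast a YAML args list passed verbatim (no shell) with the same command
# line read by a shell, using a stand-in for the docker CLI.
set -eu

workdir=$(mktemp -d)
cd "$workdir"

# Constructed sample credentials file; not a real token.
printf '_auth=SAMPLE_BASE64_TOKEN\nalways-auth=true\n' > .npmrc

# Stand-in for 'docker build': prints the value of the NPMRC build arg it received.
cat > ./fake-docker <<'EOF'
#!/bin/sh
for a in "$@"; do
  case "$a" in
    NPMRC=*) printf '%s\n' "${a#NPMRC=}" ;;
  esac
done
EOF
chmod +x ./fake-docker

# Case 1: literal argv, as Container Builder passes a YAML args list such as
#   args: ['build', '--build-arg', 'NPMRC="$(< ./.npmrc)"', '-t', 'img', '.']
# The quotes and the $(...) text arrive at docker unchanged.
literal_value() {
  ./fake-docker build --build-arg 'NPMRC="$(< ./.npmrc)"' -t img .
}

# Case 2: the same command line read by a shell first, which is what the asker
# expected. $(cat ...) replaces the bash-only $(< ...) so this runs under plain sh.
shell_value() {
  sh -c '"$0" build --build-arg NPMRC="$(cat ./.npmrc)" -t img .' ./fake-docker
}

# What the build arg should contain if a shell really did expand it.
expected_secret() {
  cat ./.npmrc
}

printf 'without shell: %s\n' "$(literal_value)"
printf 'with shell:    %s\n' "$(shell_value)"
```

Note that getting the expansion to happen is not the end of the story: the expanded value still lands in the docker command line that Container Builder records in the build history (as the asker's own history excerpt shows), and docker stores build-arg values consumed by a RUN in the image metadata, where docker history can show them. That is why decrypting the file in a separate build step, rather than smuggling it through a build arg, is the safer route.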

1 Answer

7/22/2017

I think this page is right on the money, so I'd say it's safe to answer my own question with reference to it (I won't accept it, I guess?):

https://cloud.google.com/container-builder/docs/tutorials/using-encrypted-files

Summary: Encrypt .npmrc using Cloud Key Management Service and commit the encrypted file in the source home directory (or copy it to a bucket and add a gsutil build step), then add the decrypt as a build step:

    steps:
    - name: gcr.io/cloud-builders/gcloud
      args:
      - kms
      - decrypt
      - --ciphertext-file=npmrc.enc
      - --plaintext-file=.npmrc
      - --location=global
      - --keyring=[KEYRING-NAME]
      - --key=[KEY-NAME]

-- Rondo
Source: StackOverflow