How to pass SSH keys as getopt parameters to docker build
I have a build function written in bash that uses getopt to take parameters. I'm using it to build docker projects. Because the projects' build args differ a lot, I decided to take build arguments as a getopt parameter. It works fine and has been working in a production setup for a while, so there is no problem in general functioning. I've integrated it into all my repos, and tests are successful except for one repo which takes SSH keys as build arguments.
In the image-builder function, parameters are taken like this:
TEMP_BUILD=$(getopt -o hw:v:b:s:d: --longoptions help,working-dir:,version-tag:,build-number:,service-name:,docker-build-arguments: -- "$@")
if [[ $? -ne 0 ]]; then
    echo "Failed to parse options...exiting." >&2
    exit 1
fi
eval set -- "$TEMP_BUILD"
# extract options and their arguments into variables.
while true ; do
    case "$1" in
        -h|--help)
            HELP="true" ; shift ;;
        -w|--working-dir)
            case "$2" in
                "") WORKING_DIR='' ; shift 2 ;;
                *) WORKING_DIR=$2 ; shift 2 ;;
            esac ;;
        -v|--version-tag)
            case "$2" in
                "") VERSION_TAG='' ; shift 2 ;;
                *) VERSION_TAG=$2 ; shift 2 ;;
            esac ;;
        -b|--build-number)
            case "$2" in
                "") BUILD_NUMBER='' ; shift 2 ;;
                *) BUILD_NUMBER=$2 ; shift 2 ;;
            esac ;;
        -s|--service-name)
            case "$2" in
                "") SERVICE_NAME='' ; shift 2 ;;
                *) SERVICE_NAME=$2 ; shift 2 ;;
            esac ;;
        -d|--docker-build-arguments)
            case "$2" in
                "") DOCKER_BUILD_ARGUMENTS='' ; shift 2 ;;
                *) DOCKER_BUILD_ARGUMENTS=$2 ; shift 2 ;;
            esac ;;
        --) shift ; break ;;
        *) echo "Invalid Parameter!" ; exit 1 ;;
    esac
done
Normally I'm running the function as
image-builder --working-dir "$(pwd)" --version-tag "tag" --build-number "xx" --service-name "service" --docker-build-arguments "--build-arg ARG1=argument-1 --build-arg ARG2=argument-2"
And the docker build line in the script runs like this:
docker build -t $SERVICE_NAME:$VERSION_TAG.$BUILD_NUMBER -f $WORKING_DIR/Dockerfile .
So far I have explained my setup; here is my problem.
As I said, one project requires SSH keys to be passed to docker build. So when I try
image-builder --working-dir "$(pwd)" --version-tag "tag" --build-number "xx" --service-name "service" --docker-build-arguments "--build-arg SSH_PRIVATE_KEY=$(cat ~/.ssh/id_rsa) --build-arg SSH_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)"
It's giving bad flag syntax: -----END
There are tons of issues about this error, and generally double quoting the keys is suggested. When I try to double quote key variables like below,
image-builder --working-dir "$(pwd)" --version-tag "tag" --build-number "xx" --service-name "service" --docker-build-arguments "--build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/id_rsa)" --build-arg SSH_PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)""
The function is recognizing some part of the key as a parameter and returning
getopt: unrecognized option '-----END' error.
I even tried to convert my keys to base64 as suggested in another issue, but that also returned an error because during the build phase, the project is trying to pull other repositories from Bitbucket, and Bitbucket is returning permission denied for the SSH key because of the bad format.
I'm a little bit stuck at this point about what to do.
Any help will be highly appreciated.
Solution 1:[1]
You can't double quote something using the same type of quote. If you write:
image-builder "--build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/id_rsa)""
You have effectively three concatenated strings:
"--build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/id_rsa)""
As you can see, your cat expansion is still unquoted. You could try writing:
image-builder "--build-arg SSH_PRIVATE_KEY='$(cat ~/.ssh/id_rsa)'"
Note the use of single quotes (') on the inner expression. But you may also want to consider avoiding some of the quoting issues by adding an explicit argument to your image-builder script that would take the path to a secret key file, and then generate the appropriate --build-arg command in the script. So you would call it like:
image-builder --ssh-key ~/.ssh/id_rsa
And inside your script you would do something like:
docker build ... --build-arg SSH_PRIVATE_KEY="$(cat "$SSH_PRIVATE_KEY")"
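
The path-based option suggested above, as an added example that is not part of the original answer. It contrasts a key embedded in one option string (assumed here to reach docker through an unquoted expansion) with a key read from a file inside the script; the function names, the `DOCKER_CMD` dry-run variable and the sample key are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and DOCKER_CMD are hypothetical.

# Constructed stand-in for a key file (not a real key): multi-line, with
# spaces and dash-prefixed words, which is what trips the option parsers.
make_sample_key() {
    printf '%s\n' '-----BEGIN CONSTRUCTED SAMPLE KEY-----' \
        'Y29uc3RydWN0ZWQ=' '-----END CONSTRUCTED SAMPLE KEY-----' > "$1"
}

count_args() { echo "$#"; }   # stand-in for docker: reports its argc

# Key embedded in one string that is later expanded unquoted (assumed to be
# how $DOCKER_BUILD_ARGUMENTS reaches docker): the shell splits it on
# whitespace, so "-----END" becomes an argument of its own.
argc_string_style() {
    args="--build-arg SSH_PRIVATE_KEY=$(cat "$1")"
    # shellcheck disable=SC2086
    count_args $args
}

# The answer's approach: take a path, read the file inside the script, and
# keep the value inside double quotes so it stays a single argument.
image_builder() {
    parsed=$(getopt -o k:t: --longoptions ssh-key:,tag: -- "$@") || return 1
    eval set -- "$parsed"
    key_file='' tag=''
    while true; do
        case "$1" in
            -k|--ssh-key) key_file=$2; shift 2 ;;
            -t|--tag)     tag=$2; shift 2 ;;
            --) shift; break ;;
            *)  return 1 ;;
        esac
    done
    [ -r "$key_file" ] || { echo "cannot read key file: $key_file" >&2; return 1; }
    set -- build -t "$tag" --build-arg "SSH_PRIVATE_KEY=$(cat "$key_file")" .
    "${DOCKER_CMD:-docker}" "$@"
}

# Dry run: count_args replaces docker, so nothing is built.
key=$(mktemp) && make_sample_key "$key"
echo "string-style argc: $(argc_string_style "$key")"
echo "path-style argc:   $(DOCKER_CMD=count_args image_builder -k "$key" -t demo:1)"
rm -f "$key"
```

Values passed with `--build-arg` are visible to anyone who has the image through `docker history`; BuildKit's `docker build --secret` and `--ssh` options give a build step access to key material without recording it in the image.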
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | larsks |
