How to unlock git-crypt files during docker build on gitlab ci/cd pipeline

Question

I have a repo with encrypted files, using git-crypt. I have exported the key to a file. Now I am using the default docker image build template on gitlab to build my images. The pipeline works just fine. I just don't know how to "unlock" the files during the build so that the image has cleartext files for use. The pipeline build looks like this:

docker-build:
  # Use the official docker image.
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  # Default branch leaves tag empty (= latest tag)
  # All other branches are tagged with the escaped branch name (commit ref slug)
  script:
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        tag=""
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
      else
        tag=":$CI_COMMIT_REF_SLUG"
        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      fi
      echo $CI_REGISTRY_IMAGE${tag}
    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    - docker push "$CI_REGISTRY_IMAGE${tag}"
  # Run this job in a branch where a Dockerfile exists
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile

I am just not sure where or when unlock happens. Does it happen in the Dockerfile or in this build processes? I have googled, and would have thought this was a common question but so far nothing.

thank you in advance for any help or links you can provide.

Brad

Answer 1

Couldn't you just use the File variable type from Gitlab's CI/CD with a symmetric key?.

Answer 2

I think the reason no one has answered because it is almost impossible to answer. There are so many permutations to how to use runners. So I will share my solution.

The thing I had to realize is that the OS image that runs the docker image doesn't have git-crypt installed in it. So that was my first task.

- apk add git-crypt

Now that the binary is in the building image I need to somehow get the unlock key into the image. Thankfully, gitlab has project variables that you can use in your builds. However, they do not currently have a way to upload a binary file, which the unlock key is. So what to do. Well you base64 encode it.

base64 binaryfile.key > baseecodeded.key

You can now paste the text with NO cr/lf into the gitlab project variables and make sure you set it to File not text. Then you can decode the variable back to a file and use it in your build.

- cat "$CRYPT_KEY" | base64 -d > key-file
- git-crypt unlock key-file

The final .gitlab-ci.yml is as follows. The one thing I would do is change this to skip creating a file.. and just pipe the decoded variable directly to the git-crypt unlock.

docker-build:
  # Use the official docker image.
  image: docker:latest
  stage: build
  tags:
    - "docker"
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - apk add git-crypt
    - cat "$CRYPT_KEY" | base64 -d > key-file
    - git-crypt unlock key-file
  script:
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        tag=""
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
      fi

    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    - docker push "$CI_REGISTRY_IMAGE${tag}"

  # Run this job in a branch where a Dockerfile exists
  rules:
    - if: "$CI_COMMIT_BRANCH =~ /^dev/"
      when: never
    - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      exists:
        - Dockerfile