@thaJeztah
Created June 17, 2017 14:34
Docker Compose with "secret" build-args

Building using docker-compose and (multi-line) environment variables

$ mkdir -p example && cd example

$ cat -<<EOF > Dockerfile
FROM busybox AS stage-one
ARG MYSTUFF
ARG SSL_KEY
RUN env
RUN echo "foobar" > /some-file.txt
FROM busybox
RUN env
COPY --from=stage-one /some-file.txt /some-file.txt
EOF

Docker Compose file:

  • the MYSTUFF build-arg has no value, so it takes its value from the current shell environment at build time
  • SSL_KEY has a value set inline, as a multi-line YAML block scalar (|- keeps the newlines and drops the trailing one)
version: "3.3"
services:
  foobar:
    build:
      context: .
      args:
        MYSTUFF:
        SSL_KEY: |-
            -----BEGIN RSA PRIVATE KEY-----
            MIICXQIBAAKBgQD272jYrLm8Ph5QpMWFcWUO9Ua1EviykalP+tkMIg12yZ3GvezF
            y8aayxdztB5vu68jqMeg6mOJlscWqFUhmAxj4mDknYenVzVX2CKzCgHlGninTKxY
            61rXDaDZVpSZ+XIESJkaB0z9HHYtrSLr0coKmq4cT5TRptOnkpDlJxIRaQIDAQAB
            AoGATcTYoGTFmiN2KK+8BWrRCQT2X9C5woNdb3LxKIEQ/HhC2HS4PRMQWW/c0vPH
            IilZ30EoneUztAFochpRtWLNg4lJoLy04X/eNjEiC/imp0KSwWXmnuLhDcWcb0+M
            slddvzHAAfK1jzIk8zEvcFnhuRoR/L3yWLQp3dIkG07h5IECQQD7xdyhfYMKiYZ7
            HIq9mU0oNaC7UvxHTw3HB4rT3yvqVZXW15JvR64qCe+sOn9xJEesGDkUUxghV+dd
            0GFOODPb2trQ1NGyKzus72JvO61pVpIhT6kVQo3xC543/+1FvU+albjtmqKe1MjZ
            32B6VtNdlgA4VzMC7qrZXwU+oD83WbG6s1GKQa/rXB8wo9moOGcNPP7PmXovDr6F
            zIVbekIj0YuTQdo31aKPNmrTVqd+iOk0LGaUC5zMi0OgDaKKDuP1Ou6ANVTcBXcF
            BnJRQ7XYtjs0oSmvA7bgbTfN4IMJxJ4hYybF1pURh/o4QW4FUytLaF8zghuTc0aP
            yKIsFLzi5ZT34KLVNGAEA44FsG71hOajFkA4c2I/SwU+
            -----END RSA PRIVATE KEY-----

Build it, and set MYSTUFF before building (the $'...' quoting makes the shell turn the \n escapes into real newlines, so the variable is multi-line as well):

$ MYSTUFF=$'one\ntwo\nthree' docker-compose build

Building foobar
Step 1/8 : FROM busybox AS stage-one
 ---> 7968321274dc
Step 2/8 : ARG MYSTUFF
 ---> Running in 82e7ed511e0a
 ---> 5d77527510be
Removing intermediate container 82e7ed511e0a
Step 3/8 : ARG SSL_KEY
 ---> Running in 593e104f9151
 ---> 24ce5123efd0
Removing intermediate container 593e104f9151
Step 4/8 : RUN env
 ---> Running in 4bb7b296ecd8
HOSTNAME=4cfe65ad68c6
SHLVL=1
HOME=/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SSL_KEY=-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD272jYrLm8Ph5QpMWFcWUO9Ua1EviykalP+tkMIg12yZ3GvezF
y8aayxdztB5vu68jqMeg6mOJlscWqFUhmAxj4mDknYenVzVX2CKzCgHlGninTKxY
61rXDaDZVpSZ+XIESJkaB0z9HHYtrSLr0coKmq4cT5TRptOnkpDlJxIRaQIDAQAB
AoGATcTYoGTFmiN2KK+8BWrRCQT2X9C5woNdb3LxKIEQ/HhC2HS4PRMQWW/c0vPH
IilZ30EoneUztAFochpRtWLNg4lJoLy04X/eNjEiC/imp0KSwWXmnuLhDcWcb0+M
slddvzHAAfK1jzIk8zEvcFnhuRoR/L3yWLQp3dIkG07h5IECQQD7xdyhfYMKiYZ7
HIq9mU0oNaC7UvxHTw3HB4rT3yvqVZXW15JvR64qCe+sOn9xJEesGDkUUxghV+dd
0GFOODPb2trQ1NGyKzus72JvO61pVpIhT6kVQo3xC543/+1FvU+albjtmqKe1MjZ
32B6VtNdlgA4VzMC7qrZXwU+oD83WbG6s1GKQa/rXB8wo9moOGcNPP7PmXovDr6F
zIVbekIj0YuTQdo31aKPNmrTVqd+iOk0LGaUC5zMi0OgDaKKDuP1Ou6ANVTcBXcF
BnJRQ7XYtjs0oSmvA7bgbTfN4IMJxJ4hYybF1pURh/o4QW4FUytLaF8zghuTc0aP
yKIsFLzi5ZT34KLVNGAEA44FsG71hOajFkA4c2I/SwU+
-----END RSA PRIVATE KEY-----
PWD=/
MYSTUFF=one
two
three
 ---> 3f24f1624976
Removing intermediate container 4bb7b296ecd8
Step 5/8 : RUN echo "foobar" > /some-file.txt
 ---> Running in 6f5498f742b5
 ---> f865c21fe5e9
Removing intermediate container 6f5498f742b5

Step 6/8 : FROM busybox
 ---> 7968321274dc
Step 7/8 : RUN env
 ---> Running in 7abf9f0697d3
HOSTNAME=4cfe65ad68c6
SHLVL=1
HOME=/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
 ---> b38b77d51bef
Removing intermediate container 7abf9f0697d3
Step 8/8 : COPY --from=stage-one /some-file.txt /some-file.txt
 ---> 0a2f2e74a7b5
Removing intermediate container 289f6ddb84dc

Successfully built 0a2f2e74a7b5
Successfully tagged composeexample_foobar:latest

The second build stage does not inherit the build-args of the first one (its RUN env shows neither MYSTUFF nor SSL_KEY), and only some-file.txt is copied across from stage-one. Note what this does and does not buy you: the values stay out of the final image (0a2f2e74a7b5), but the classic builder still records in-scope ARG values in the history of every RUN layer of stage-one, and those intermediate images remain in the local image cache; the RUN env above also writes both values into the build log. Build-args keep secrets out of the shipped image, not off the build host.
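An added check, not part of the gist, for the point just made: the classic builder prefixes the CREATED BY text of each RUN layer with "|<n> KEY=value ..." for every ARG in scope, so the stage-one intermediates of the build above carry MYSTUFF and SSL_KEY while the final image does not. The script below scans `docker history --no-trunc` output for named build-args and scans a build log for PEM private-key headers. The `--format '{{.ID}} {{.CreatedBy}}'` placeholders, the `|<n>` prefix format and the function names are assumptions of this example, and the sample history lines in the usage note are constructed, not captured from a daemon.

```shell
#!/bin/sh
# Added example, not part of the gist above. Checks whether build-arg values
# ended up in image layer metadata. The classic builder records the in-scope
# ARG values in the "CREATED BY" text of every RUN layer that follows them, as
# a "|<n> KEY=value ..." prefix (assumed format). Assumed usage against a real
# daemon, where --no-trunc gives full sha256 ids and full CREATED BY text:
#
#   docker history --no-trunc --format '{{.ID}} {{.CreatedBy}}' <image> \
#     | build_arg_layers SSL_KEY MYSTUFF
#
# and for the build log, which the RUN env steps also write the values to:
#
#   docker-compose build 2>&1 | tee build.log | private_key_lines

# build_arg_layers ARG_NAME...
# Reads "<layer-id> <created-by>" lines on stdin. A record starts at a line
# whose first field is a full sha256 id (or <missing> for pulled base layers);
# any other line is the continuation of a multi-line build-arg value, which is
# exactly what MYSTUFF and SSL_KEY produce. Prints "<layer-id> <ARG_NAME>" for
# every layer that embeds one of the named args, and exits 1 if any were
# found, so it can gate a CI job.
build_arg_layers() {
  awk -v names="$*" '
    BEGIN { n = split(names, want, " ") }
    function flush(   i) {
      # only RUN layers carry values; the ARG layer itself reads
      # "#(nop) ARG NAME" and has no |n prefix, so it is skipped here
      if (rec ~ /^[^ ]+ [|][0-9]+ /)
        for (i = 1; i <= n; i++)
          if (index(rec, " " want[i] "=") > 0) { print id, want[i]; found = 1 }
      rec = ""
    }
    $1 ~ /^(sha256:[0-9a-f]+|<missing>)$/ { flush(); id = $1; rec = $0; next }
    { rec = rec "\n" $0 }
    END { flush(); if (found) exit 1 }
  '
}

# private_key_lines
# Prints, with line numbers, every stdin line holding a PEM private-key
# header. grep exits 1 when nothing matches, so a zero exit means a key leaked.
private_key_lines() {
  grep -n -e 'BEGIN [A-Z ]*PRIVATE KEY-----'
}
```

Run against the image built above, `build_arg_layers SSL_KEY MYSTUFF` on composeexample_foobar:latest should print nothing, while the same call on any of the stage-one intermediate ids (5d77527510be through f865c21fe5e9 in the output) is expected to name both args for the layers created by RUN env and RUN echo. Multi-line values are handled by treating every line that does not start with a layer id as part of the previous record, which is why the function wants `--no-trunc` output.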

@BretFisher

Perfect!

@gustakasn0v

How would you consume the SSH key though? Most posts I've seen echo the variable into a file, defeating the purpose of not putting the key in the image
