From 20f753fd4a62b0229406fa12a9aad27fb337c768 Mon Sep 17 00:00:00 2001
From: Jason Dictos
Date: Mon, 8 Apr 2024 12:59:00 -0700
Subject: [PATCH] Add ssh identity support

Signed-off-by: Jason Dictos
---
 Dockerfile | 1 +
 README.md | 21 +++++++++++++++++++++
 assets/out | 15 +++++++++++++++
 tests/fixtures/ssh_identity | 7 +++++++
 tests/out_test.go | 15 ++++++---------
 5 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100644 tests/fixtures/ssh_identity

diff --git a/Dockerfile b/Dockerfile
index 328871d7..fed8e574 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -45,6 +45,7 @@ RUN apt update && apt install -y --no-install-recommends \
 docker-ce \
 docker-buildx-plugin \
 jq \
+ openssh-client \
 ca-certificates \
 xz-utils \
 iproute2 \
diff --git a/README.md b/README.md
index 2695443d..9edfb189 100644
--- a/README.md
+++ b/README.md
@@ -277,6 +277,27 @@ version is the image's digest. * `pull_tag`: *Optional.* **DEPRECATED. Use `get` and `load` instead.** Default `latest`. The tag of the repository to pull down via `pull_repository`. +* `ssh_identity`: *Optional.* Set to an openssh private SSH key (it can be a file + or an inline key). This identity will be passed to `docker build` via the + `--ssh default` argument through a temporary `ssh-agent` instance. + + Examples: + + ```yaml + ssh_identity: | + -----BEGIN OPENSSH PRIVATE KEY----- + 0000000000000000000000000000000000000000000000000000000000000000000000 + 0000000000000000000000000000000000000000000000000000000000000000000000 + 0000000000000000000000000000000000000000000000000000000000000000000000 + 0000000000000000000000000000000000000000000000000000000000000000000000 + 000000000000000000000000000000000000000000000000000000== + -----END OPENSSH PRIVATE KEY----- + ``` + + ```yaml + ssh_identity: /path/to/key + ``` + * `tag`: **DEPRECATED - Use `tag_file` instead** * `tag_file`: *Optional.* The value should be a path to a file containing the name of the tag. When not set, the Docker build will be pushed with tag value set by diff --git a/assets/out b/assets/out index e605e268..57e39231 100755 --- a/assets/out +++ b/assets/out @@ -126,6 +126,7 @@ import_file=$(jq -r '.params.import_file // ""' < $payload) pull_repository=$(jq -r '.params.pull_repository // ""' < $payload) pull_tag=$(jq -r '.params.pull_tag // "latest"' < $payload) +ssh_identity=$(jq -r '.params.ssh_identity // ""' < $payload) target_name=$(jq -r '.params.target_name // ""' < $payload) if [ -n "$load" ]; then 
@@ -237,6 +238,20 @@ elif [ -n "$build" ]; then fi fi + ssh_args=() + if [ -n "$ssh_identity" ]; then + export DOCKER_BUILDKIT=1 + eval "$(ssh-agent)" + trap "ssh-agent -k; $( trap -p EXIT | cut -f2 -d \' )" EXIT + if [ -f "$ssh_identity" ]; then + ssh-add "$ssh_identity" + else + ssh-add <(echo "$ssh_identity") + fi + ssh_args+=("--ssh") + ssh_args+=("default") + fi + target=() if [ -n "${target_name}" ]; then target+=("--target") diff --git a/tests/fixtures/ssh_identity b/tests/fixtures/ssh_identity new file mode 100644 index 00000000..695743b0 --- /dev/null +++ b/tests/fixtures/ssh_identity @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACCTcY7/Q4JTr+zc5uuLSndCM8uiMBdf2H3JHTaCw1POrQAAAJiSPsoAkj7K +AAAAAAtzc2gtZWQyNTUxOQAAACCTcY7/Q4JTr+zc5uuLSndCM8uiMBdf2H3JHTaCw1POrQ +AAAEBhwFGOegUZ/wTf18i/9SNbDgZ0P/BJtPUoGHdvi2bNtJNxjv9DglOv7Nzm64tKd0Iz +y6IwF1/YfckdNoLDU86tAAAAE3NvbWVvbmVAZXhhbXBsZS5jb20BAg== +-----END OPENSSH PRIVATE KEY----- diff --git a/tests/out_test.go b/tests/out_test.go index 802df105..4f26f228 100644 --- a/tests/out_test.go +++ b/tests/out_test.go @@ -484,8 +484,8 @@ var _ = Describe("Out", func() { }) }) - Context("When passing additional_tags ", func() { - It("should push add the additional_tags", func() { + Context("When specifying ssh_identity file", func() { + It("should set ssh args", func() { session := put(map[string]interface{}{ "source": map[string]interface{}{ "repository": "test", 
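Review bot: The EXIT trap that stops the agent rebuilds the previous handler by cutting `trap -p EXIT` on single quotes (`cut -f2 -d \'`), so an earlier handler that itself contains a quote is truncated and its cleanup is silently dropped; holding the old handler in a function and calling it from one trap avoids parsing it. The `[ -f "$ssh_identity" ]` test also means a mistyped path falls through and is fed to `ssh-add` as if it were key text, and neither `ssh-add` call's exit status is checked in the lines shown, so unless the script runs under `set -e` (not visible here) the build would continue with an empty agent. For the inline form, `printf '%s\n' "$ssh_identity"` is more predictable than `echo` for arbitrary key text. Nothing in this patch appears to pass `"${ssh_args[@]}"` to `docker build`, since the diffstat lists only insertions for assets/out and both of its hunks only add lines, so confirm that the build invocation outside this hunk consumes the array. The enclosing `elif [ -n "$build" ]` branch starts and ends outside the hunk.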
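Review bot: The new `tests/fixtures/ssh_identity` commits a parseable private key with nothing marking it as a throwaway, and secret scanners will keep flagging it. State where the fixture is used that it was generated only for these tests and must never be authorized on any host, for example `// test-only key generated for this fixture; never add its public half to authorized_keys` beside the `ssh_identity` param in tests/out_test.go. If the repository runs a secret scanner, add this path to its allowlist so that real findings are not buried. Generating the key during test setup would avoid committing key material at all.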
@@ -493,19 +493,16 @@ var _ = Describe("Out", func() { "params": map[string]interface{}{ "build": "/docker-image-resource/tests/fixtures/build", "additional_tags": "/docker-image-resource/tests/fixtures/tags", + "ssh_identity": "/docker-image-resource/tests/fixtures/ssh_identity", }, }, ) - Expect(session.Err).To(gbytes.Say(docker(`push test:latest`))) - Expect(session.Err).To(gbytes.Say(docker(`tag test:latest test:a`))) - Expect(session.Err).To(gbytes.Say(docker(`push test:a`))) - Expect(session.Err).To(gbytes.Say(docker(`tag test:latest test:b`))) - Expect(session.Err).To(gbytes.Say(docker(`push test:b`))) - Expect(session.Err).To(gbytes.Say(docker(`tag test:latest test:c`))) - Expect(session.Err).To(gbytes.Say(docker(`push test:c`))) + Expect(session.Err).To(gbytes.Say(dockerarg(`--ssh`))) + Expect(session.Err).To(gbytes.Say(dockerarg(`default`))) }) }) + Context("When only http_proxy setting is provided, with no build arguments", func() { It("passes the arguments correctly to the docker daemon", func() { session := putWithEnv(map[string]interface{}{
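Review bot: The `ssh_identity` case is written over the existing `additional_tags` case instead of being added beside it: the previous hunk renames its `Context`/`It`, and this hunk deletes the seven `push`/`tag` assertions while leaving the `additional_tags` param in the payload, so that behaviour loses its coverage unless it is tested elsewhere in the file. Keep the original `Context` intact and add the ssh case as its own `Context` with only the `build` and `ssh_identity` params. Only the file-path form is exercised here; a second `It` passing an inline key would cover the `ssh-add <(echo ...)` branch in assets/out. The `It` body starts in the previous hunk.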