Multi Build Stage Dockerfile

Onboardbase can be used in a Multi Build Stage Dockerfile to manage the secrets of any program the Dockerfile is running.

📘

Generating a Service Token

From your Onboardbase dashboard, go to the account page, click on Generate service tokens and give it a name (based on the service you want to use it for). Copy the generated service token and store it as a config variable for the service.

📘

TIP

You can authenticate the CLI with Environment variables.
Supported environment variables are:

  • ONBOARDBASE_TOKEN - A service token
  • ONBOARDBASE_PROJECT - an onboardbase project name
  • ONBOARDBASE_ENVIRONMENT - an environment in the specified project

In a multi-stage docker build, setting up your stages depends on the requirements of your image.

For Onboardbase, it means that you need to have the right configuration for your environment variables

Below is a Dockerfile that inherits from a nodejs image.

The highlights are from lines 3 to 4, which accepts the environment variables as an argument in the global scope, and line 26 to 33 which is in a builder stage that accepts the same Onboardbase config as the global stage but sets it as the stage environment variable.

# accept all arguments in the global stage

ARG ONBOARDBASE_TOKEN
ARG ONBOARDBASE_PROJECT
ARG ONBOARDBASE_ENVIRONMENT

# Stage 1: Install dependencies
FROM node:16-alpine AS deps

RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn --frozen-lockfile

FROM node:lts-stretch-slim as builder

RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
# Disable telemetry
ENV NEXT_TELEMETRY_DISABLED 1
# Install Onboardbase
RUN yarn global add @onboardbase/cli

# accept onboardbase system environment argument variables to this build stage
ARG ONBOARDBASE_TOKEN
ARG ONBOARDBASE_PROJECT
ARG ONBOARDBASE_ENVIRONMENT
# set the argument variables on the build stage environment
ENV ONBOARDBASE_TOKEN=${ONBOARDBASE_TOKEN}
ENV ONBOARDBASE_PROJECT=${ONBOARDBASE_PROJECT}
ENV ONBOARDBASE_ENVIRONMENT=${ONBOARDBASE_ENVIRONMENT}

# Copy package.json and package-lock.json to allow using cached packages
COPY package*.json ./

# Install node dependencies
RUN npm install

# successfully run a command against onboardbase
RUN onboardbase run "yarn build"


# Define command for starting app process
CMD ["/usr/local/bin/npm", "start"]

Building the Image

To successfully build the image, we will use the --build-arg option of the Docker build command to pass environment variables to the Dockerfile. Below is the full command passing the ONBOARDBASE_TOKEN and ONBOARDBASE_PROJECT and ONBOARDBASE_ENVIRONMENT variables.

docker build \
    --tag "managed-docker-image" \
    --build-arg ONBOARDBASE_TOKEN="STRING" \
    --build-arg ONBOARDBASE_PROJECT="STRING" \
    --build-arg ONBOARDBASE_ENVIRONMENT="STRING" \
    ./Dockerfile

Deploying to Kubernetes through Github Actions

We can deploy managed Onboardbase Docker image through GitHub Actions and Dockerhub to a Google Cloud Kubernetes cluster.

The below Github workflow file uses Github secrets to manage the sensitive build credentials, like the ONBOARDBASE_TOKEN and ONBOARDBASE_PROJECT and ONBOARDBASE_ENVIRONMENT

It sets up Google Cloud SDK and authenticates it in the runner; we then build the Managed Dockerfile with the build command passing the required environment variables and finally pushing the image to the Docker hub.

# This is a workflow to deploy the api part of this project to docker

name: Managed App Build

on:
  push:
    branches:
      - "main"

env:
  PROJECT_ID: ${{ secrets.GKE_PROJECT }}
  GKE_CLUSTER: '*******' # Add your cluster name here.
  GKE_ZONE: us-east1-c # Add your cluster zone here.
  DEPLOYMENT_NAME: '*******' # Add your deployment name here
  IMAGE: Managed-Onboard
  GKE_SA_KEY: ${{ secrets.GKE_SA_KEY }}
  GKE_PROJECT: ${{ secrets.GKE_PROJECT }}
  REGISTRY_HOSTNAME: registry.hub.docker.com
  DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
  DOCKER_PWD: ${{ secrets.DOCKER_PWD }}
  ONBOARDBASE_TOKEN: ${{ secrets.ONBOARDBASE_TOKEN }}
  ONBOARDBASE_PROJECT: ${{ secrets.ONBOARDBASE_PROJECT }}
  ONBOARDBASE_ENVIRONMENT: ${{secrets.ONBOARDBASE_ENVIRONMENT}}

jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      # Setup gcloud CLI
      - uses: google-github-actions/[email protected]
        with:
          service_account_key: ${{ env.GKE_SA_KEY }}
          project_id: ${{ env.GKE_PROJECT }}

      # Configure docker to use the gcloud command-line tool as a credential helper
      - run: |-
          gcloud --quiet auth configure-docker

      # Get the GKE credentials so we can deploy to the cluster
      - uses: google-github-actions/[email protected]
        with:
          cluster_name: ${{ env.GKE_CLUSTER }}
          location: ${{ env.GKE_ZONE }}
          credentials: ${{ secrets.GKE_SA_KEY }}
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PWD }}
      # Build the Docker image using the Dockefile
      - name: Build
        run: |-
          docker build \
            --tag "$IMAGE" \
            --build-arg ONBOARDBASE_TOKEN="${{ env.ONBOARDBASE_TOKEN }}" \
            --build-arg ONBOARDBASE_PROJECT="${{ env.ONBOARDBASE_PROJECT }}" \
            --build-arg ONBOARDBASE_ENVIRONMENT="${{ env.ONBOARDBASE_ENVIRONMENT }}" \
            --build-arg GITHUB_REF="$GITHUB_REF" \
            ./Dockerfile

      # Push the Docker image to Docker Registry
      - name: Publish
        run: |-
          docker push "$IMAGE"