September 19, 2020 Update: Configuring Gitlab CI and Private Go Modules

It’s been a few years since I shared a really useful tip related to Gitlab and GitlabCI. This time it’s about a few things to consider when building Go programs using Docker, Docker in Docker, Gitlab CI and more importantly private git repositories that happen to represent Go binaries or/and Go packages.

Prerequisites

To make this work there are 2 requirements:

• You have previous experience building Go programs with Docker using multi staged builds, and
• You already have a working GitlabCI Docker pipeline that uses Docker in Docker.

Making it work

The trickiest part when working with Docker and dependent Go private repositories is permissions, there a few ways to solve this, like defining a new private key and therefore a corresponding deploy key, copying the actual SSH key or even defining personal access tokens; however our preferred way to solve this is to use the CI_JOB_TOKEN environment variable when go getting repositories.

This works by setting the insteadOf git configuration (during build) to use the gitlab-co-token username and https instead of ssh, basically adding the following commands to your Dockerfile:

ARG CI_JOB_TOKEN

ENV CI_JOB_TOKEN=$CI_JOB_TOKEN

RUN git config \
  --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.private/group".insteadOf \
  "git@gitlab.private:group"

Notice I’m also using the ARG called CI_JOB_TOKEN which is populated through --build-arg, so in practice if you were to build this Dockerfile you would need to use:

docker build --build-arg CI_JOB_TOKEN=$CI_JOB_TOKEN -f Dockerfile -t $some_tag .

Finally the last important thing to never forget is to always use multi-stage builds when using this paradigm, otherwise your final image will save the CI_JOB_TOKEN, and really we don’t want that.

Back to posts