mount secret as file with certain permissions

[alexcb]

I wanted to perform a git clone with a shared ssh key via:

RUN --mount type=secret,id=+secrets/my/path/to/id_rsa,target=/root/.ssh/id_rsa \
    git clone git@github.com/user/repo.git .

However that mounted the secret as 0444, when it should be 0400 by default.

This resulted in:

   +release-homebrew | Permissions 0444 for '/root/.ssh/id_rsa' are too open.
   +release-homebrew | It is required that your private key files are NOT accessible by others.
   +release-homebrew | This private key will be ignored.

Furthermore, I couldn't do a chmod 0400 /root/.ssh/id_rsa, because that mount point is read-only, and produced the error:

chmod: changing permissions of '/root/.ssh/id_rsa': Read-only file system

Additionally: adding an extra permission to the --mount options would be helpful for cases where you need it to be more open than 0400.

[alexcb]

If anyone else runs into this, here's a work-around:

    RUN --mount type=secret,id=+secrets/my/path/to/id_rsa,target=/root/id_rsa --no-cache \
        eval $(ssh-agent) && \
        cat /root/id_rsa | ssh-add - && \
        git clone git@github.com/user/repo.git .

Also, you might also have to load in github.com's keys beforehand:

    RUN mkdir -p /root/.ssh
    # keyscan from running: ssh-keyscan -H github.com
    RUN echo "|1|M66Uwae8fx9M5JFDd+WyVi3dERM=|LKfAmECF1kHoZ6epHR5jtPhJgic= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" > /root/.ssh/known_hosts