From 272b7718fb7ef91a411b78fa3b30d807a3fc8d69 Mon Sep 17 00:00:00 2001 From: Knut Ahlers Date: Wed, 1 Apr 2020 15:56:19 +0200 Subject: [PATCH] Add example for git clone Signed-off-by: Knut Ahlers --- README.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/README.md b/README.md index 743f494..b5608a1 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,30 @@ password=myverysecrettoken protocol=https ``` +### Dockerfile example (git clone) + +In this example the `VAULT_TOKEN` is passed in through a build-arg which means you **MUST** revoke the token before pushing the image, otherwise you will be leaking an active credential! + +```Dockerfile +FROM alpine + +ARG VAULT_ADDR +ARG VAULT_TOKEN + +RUN set -ex \ + && apk --no-cache add curl git \ + && curl -sSfL "https://github.com/Luzifer/git-credential-vault/releases/download/v0.1.0/git-credential-vault_linux_amd64.tar.gz" | tar -xz -C /usr/bin \ + && mv /usr/bin/git-credential-vault_linux_amd64 /usr/bin/git-credential-vault \ + && git config --global credential.helper 'vault --vault-path-prefix secret/git-credentials' + +RUN set -ex \ + && git clone https://github.com/myuser/secretrepo.git /src +``` + +```console +# docker build --build-arg VAULT_ADDR=${VAULT_ADDR} --build-arg VAULT_TOKEN=${VAULT_TOKEN} --no-cache . +``` + ### Dockerfile example (go get) In this example the `VAULT_TOKEN` is passed in through a build-arg which means you **MUST** revoke the token before pushing the image, otherwise you will be leaking an active credential!
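Review bot: In the first `RUN` step of the new Dockerfile example, the release tarball goes straight from `curl -sSfL ... | tar -xz -C /usr/bin` onto the PATH with no integrity check, so whatever that URL serves becomes the binary git invokes as its credential helper. Suggest downloading to a file, comparing it against a SHA-256 pinned in the Dockerfile, and only extracting on a match. Separately, `ARG VAULT_TOKEN` together with `--build-arg VAULT_TOKEN=${VAULT_TOKEN}` leaves the token recoverable from the image's build history, which is why the paragraph has to say you **MUST** revoke it. Since this is now the second example carrying that warning, consider showing a BuildKit secret mount (`RUN --mount=type=secret,...`) instead, or at least state that the token should be short-lived and limited to the `secret/git-credentials` prefix. Minor: `FROM alpine` is unpinned, so the example will not build reproducibly.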