
gitlab-runner exec docker - inject gpg key

I need to run gitlab-runner locally using the exec command and the docker executor.

The docker executor clones the project into the container, so I start with a blank slate. In order to run the tests, I need to decrypt certain credentials files. Normally this is done on the dev machine using the developer's private gpg key. But now we are in a container and I can't find a way to inject the developer's gpg key into the testing container.

Normally it would make sense to pass the private key as an environment variable, but the environment feature is not supported on the gitlab-runner exec command.

It would be much easier if gitlab-runner would just copy the project files into the container instead of doing a fresh clone of the project. That way the developer would decrypt the credentials on the host and everything is fine.

What are my options here?

The only option to pass environment variables into the testing container is to use the --env parameter for gitlab-runner.

First we need to store the private key in an environment variable on our local machine. I used direnv for this, but it also works manually:

export GPG_PRIVATE_KEY="$(gpg --export-secret-keys -a <KEY ID>)"

Then we can run gitlab-runner like this:

gitlab-runner exec docker test \
  --env GPG_PRIVATE_KEY="$GPG_PRIVATE_KEY" \
  --env GPG_PASSPHRASE="$GPG_PASSPHRASE"

Note that I also passed the passphrase in an environment variable because I need it inside the container to decrypt my data.

Now I can import the key in the docker container. The top of my .gitlab-ci.yml looks like this:

image: quay.io/mhart/alpine-node:8

before_script:
  - apk add --no-cache gnupg
  - echo "$GPG_PRIVATE_KEY" | gpg --batch --import --pinentry-mode loopback --no-tty

Done, now we can use that key inside the container to do what we want.

I also ran into some problems when I tried to decrypt my data. This guide was incredibly helpful and solved my issue.
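The following script is an added example, not code from the answer above or from the gitlab-runner project. It rehearses the whole flow on one machine so it can be run offline: a throwaway key is generated and exported into GPG_PRIVATE_KEY exactly as the answer does, then a fresh GNUPGHOME stands in for the clean container clone, imports the key from that variable and decrypts a file using GPG_PASSPHRASE. It assumes GnuPG 2.1 or newer is installed; the user id, passphrase and the "credentials" file are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not the answer's own code): developer side exports a secret
# key into GPG_PRIVATE_KEY, "container" side imports it into a clean GNUPGHOME
# and decrypts with GPG_PASSPHRASE. Requires GnuPG 2.1+.
set -eu

DEMO_UID="ci-demo@example.invalid"     # constructed user id
DEMO_PASS="correct horse battery"      # constructed passphrase
DEMO_SECRET="db_password=s3cret"       # constructed plaintext

# Developer side: generate a throwaway key, encrypt a file to it and export
# the armored secret key into the environment, as the answer does.
dev_prepare() {
  DEV_HOME=$(mktemp -d)
  GNUPGHOME="$DEV_HOME" gpg --batch --quiet --pinentry-mode loopback \
      --passphrase "$DEMO_PASS" --quick-generate-key "$DEMO_UID" default default never
  printf '%s\n' "$DEMO_SECRET" > "$DEV_HOME/credentials.txt"
  ENCRYPTED_FILE="$DEV_HOME/credentials.txt.gpg"
  GNUPGHOME="$DEV_HOME" gpg --batch --quiet --yes --trust-model always \
      --recipient "$DEMO_UID" --output "$ENCRYPTED_FILE" --encrypt "$DEV_HOME/credentials.txt"
  # Exporting a passphrase-protected key needs the passphrase (gpg re-wraps it).
  GPG_PRIVATE_KEY=$(GNUPGHOME="$DEV_HOME" gpg --batch --quiet --pinentry-mode loopback \
      --passphrase "$DEMO_PASS" --export-secret-keys -a "$DEMO_UID")
  GPG_PASSPHRASE="$DEMO_PASS"
  export GPG_PRIVATE_KEY GPG_PASSPHRASE   # the only two things that cross the boundary
  GNUPGHOME="$DEV_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
}

# "Container" side: a fresh GNUPGHOME plays the role of the docker executor's
# clean clone. Nothing from DEV_HOME is visible here, only the two variables.
ci_decrypt() {
  CI_HOME=$(mktemp -d)
  # The answer pipes the armored key straight into gpg --import. Here stdin is
  # reserved for the passphrase (some GnuPG versions ask for it when importing
  # a protected key), so the key passes through a file inside the 0700 temp
  # directory and is deleted immediately after import.
  printf '%s\n' "$GPG_PRIVATE_KEY" > "$CI_HOME/key.asc"
  printf '%s\n' "$GPG_PASSPHRASE" | GNUPGHOME="$CI_HOME" gpg --batch --quiet \
      --pinentry-mode loopback --passphrase-fd 0 --import "$CI_HOME/key.asc"
  rm -f "$CI_HOME/key.asc"
  # Decrypt to stdout. The passphrase travels over fd 0 rather than argv, so it
  # does not show up in `ps` output for other processes in the container.
  printf '%s\n' "$GPG_PASSPHRASE" | GNUPGHOME="$CI_HOME" gpg --batch --quiet \
      --pinentry-mode loopback --passphrase-fd 0 --decrypt "$1"
  GNUPGHOME="$CI_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
}

# Full round trip; prints the recovered plaintext and removes both homes.
run_demo() {
  dev_prepare
  ci_decrypt "$ENCRYPTED_FILE"
  rm -rf "$DEV_HOME" "$CI_HOME"
}

if command -v gpg >/dev/null 2>&1; then
  run_demo
else
  echo "gpg not installed; nothing to demonstrate" >&2
fi
```

Two things the rehearsal makes visible that the answer glosses over. First, whatever is passed with --env ends up in the container's environment, so it is readable by every process in that container and by anyone who can run docker inspect on the host; the private key and its passphrase should be treated as exposed to the whole job, and a CI-only subkey or a key generated just for this purpose limits what that exposure is worth. Second, passing the passphrase with --passphrase on the command line puts it in the process list, which is why the example feeds it over --passphrase-fd 0 instead.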

It is hard for me to imagine why you need to invoke gitlab-runner with exec, but why could you not do

   exec gitlab-runner sh
             export GPG_KEY=...
             ....
