如何为 gitlab-runner CI 安装/重用 docker-compose 秘密?
[英]How to mount/reuse docker-compose secrets for gitlab-runner CI?
问题描述
To be clear, I am talking about the secrets configuration available for docker-compose 3.x.
明确地说,我说的是可用于docker-compose 3.x 的secrets配置。
I am not talking about passing secrets keys/tokens using environment variables (from host or from Gitlab CI/CD settings).我不是在谈论使用环境变量(来自主机或来自 Gitlab CI/CD 设置)传递密钥/令牌。
Let's say I have this docker-compose configuration:假设我有这个docker-compose配置:
version: "3.7"
services:
my-app:
image: ubuntu:18.04
container_name: my-app-container
command: tail -f /dev/null
secrets:
- my_app_secrets
secrets:
my_app_secrets:
file: /path/to/secrets.txt
When I start the container manually当我手动启动容器时
$ docker-compose up -d
$ docker-compose exec my-app bash
A /run/secrets/my_app_secrets becomes available inside the container, containing the same exact contents as secrets.txt . A /运行/秘密/ my_app_secrets容器内变得可用时,含有相同的确切内容secrets.txt。 The path /run/secrets/ is defined by the secrets configuration.路径/run/secrets/由secrets配置定义。
Now I need to use this same setup for a Gitlab CI pipeline.现在我需要对 Gitlab CI 管道使用相同的设置。 Unfortunately, I can't seem to find the configuration to put in .gitlab-ci.yml or in the /etc/gitlab-runner/config.toml that will allow me to specify the same secrets configuration.不幸的是,我似乎无法在.gitlab-ci.yml或/etc/gitlab-runner/config.toml中找到允许我指定相同secrets配置的配置。 I am sure it is not mounted because I use a custom ENTRYPOINT script that checks for the /run/secrets/my_app_secrets file and it is not there.我确定它没有安装,因为我使用了一个自定义的ENTRYPOINT脚本来检查/run/secrets/my_app_secrets文件,但它不存在。
if [[ ! -e "/run/secrets/my_app_secrets" ]];
then
print_error "Did not find mounted app secrets from host"
return 1
fi
The current solution I have now is to use the volumes configuration under the [runners.docker] section, and mount the /path/to/secrets.txt as a regular volume.我现在的当前解决方案是使用[runners.docker]部分下的volumes配置,并将/path/to/secrets.txt挂载为常规卷。
volumes = [
"/path/to/secrets.txt:/run/secrets/my_app_secrets"
]
But I think that sort of duplicates the configuration and I am manually specifying the /run/secrets/secret_name path.但我认为这种重复配置,我手动指定/run/secrets/secret_name路径。
Is there another way to specify the secrets config to the gitlab-runner?还有另一种方法可以为 gitlab-runner 指定secrets配置吗?
ENV details:环境细节:
- Gitlab CE 12.8.6 Gitlab CE 12.8.6
- gitlab-runner 12.7.1 gitlab-runner 12.7.1
- Docker 19.03.6码头工人 19.03.6
- docker-compose 1.24.0码头工人撰写 1.24.0
1 个解决方案
解决方案1
0 已采纳 2020-04-11 10:43:13
It seems I misunderstood the usage of the secrets configuration.看来我误解了 秘密配置的用法。
Apparently, it is designed to be used for Docker Swarms.显然,它旨在用于 Docker Swarm。
From the Manage sensitive data with Docker secrets docs:从使用 Docker 机密文档管理敏感数据:
Note : Docker secrets are only available to swarm services, not to standalone containers.
It still can be defined in the docker-compose file for non-swarm, standalone containers (like in the sample docker-compose file in my question) and it would still add a /run/secrets/secret-name to your container.它仍然可以在非 swarm 的独立容器的docker-compose文件中定义(就像在我的问题中的示例docker-compose文件中一样),它仍然会向你的容器添加一个/run/secrets/secret-name 。 However, it behaves like a regular bind mount.但是,它的行为类似于常规绑定安装。
From this Github issue on using Docker secrets without a swarm:从这个 Github 问题关于在没有群的情况下使用 Docker 秘密:
In docker-compose
/run/secretsis just a bind mount to the host./run/secrets只是一个绑定安装到主机。
Those secrets are not deployed to a swarm.
So, for gitlab-runner jobs, you could emulate the secrets feature with a regular mount:因此,对于 gitlab-runner 作业,您可以使用常规挂载来模拟秘密功能:
volumes = [
"/path/to/my_app_secrets:/run/secrets/my_app_secrets"
]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.