[英]How to mount/reuse docker-compose secrets for gitlab-runner CI?
To be clear, I am talking about the secrets
configuration available for docker-compose
3.x.明确地说,我说的是可用于
docker-compose
3.x 的secrets
配置。
I am not talking about passing secrets keys/tokens using environment variables (from host or from Gitlab CI/CD settings).我不是在谈论使用环境变量(来自主机或来自 Gitlab CI/CD 设置)传递密钥/令牌。
Let's say I have this docker-compose
configuration:假设我有这个
docker-compose
配置:
version: "3.7"
services:
my-app:
image: ubuntu:18.04
container_name: my-app-container
command: tail -f /dev/null
secrets:
- my_app_secrets
secrets:
my_app_secrets:
file: /path/to/secrets.txt
When I start the container manually当我手动启动容器时
$ docker-compose up -d
$ docker-compose exec my-app bash
A /run/secrets/my_app_secrets becomes available inside the container, containing the same exact contents as secrets.txt . A /运行/秘密/ my_app_secrets容器内变得可用时,含有相同的确切内容secrets.txt。 The path /run/secrets/ is defined by the
secrets
configuration.路径/run/secrets/由
secrets
配置定义。
Now I need to use this same setup for a Gitlab CI pipeline.现在我需要对 Gitlab CI 管道使用相同的设置。 Unfortunately, I can't seem to find the configuration to put in .gitlab-ci.yml or in the /etc/gitlab-runner/config.toml that will allow me to specify the same
secrets
configuration.不幸的是,我似乎无法在.gitlab-ci.yml或/etc/gitlab-runner/config.toml中找到允许我指定相同
secrets
配置的配置。 I am sure it is not mounted because I use a custom ENTRYPOINT
script that checks for the /run/secrets/my_app_secrets file and it is not there.我确定它没有安装,因为我使用了一个自定义的
ENTRYPOINT
脚本来检查/run/secrets/my_app_secrets文件,但它不存在。
if [[ ! -e "/run/secrets/my_app_secrets" ]];
then
print_error "Did not find mounted app secrets from host"
return 1
fi
The current solution I have now is to use the volumes
configuration under the [runners.docker] section, and mount the /path/to/secrets.txt as a regular volume.我现在的当前解决方案是使用[runners.docker]部分下的
volumes
配置,并将/path/to/secrets.txt挂载为常规卷。
volumes = [
"/path/to/secrets.txt:/run/secrets/my_app_secrets"
]
But I think that sort of duplicates the configuration and I am manually specifying the /run/secrets/secret_name path.但我认为这种重复配置,我手动指定/run/secrets/secret_name路径。
Is there another way to specify the secrets
config to the gitlab-runner?还有另一种方法可以为 gitlab-runner 指定
secrets
配置吗?
ENV details:环境细节:
It seems I misunderstood the usage of the secrets configuration.看来我误解了 秘密配置的用法。
Apparently, it is designed to be used for Docker Swarms.显然,它旨在用于 Docker Swarm。
From the Manage sensitive data with Docker secrets docs:从使用 Docker 机密文档管理敏感数据:
Note : Docker secrets are only available to swarm services, not to standalone containers.
注意:Docker 机密仅适用于 swarm 服务,不适用于独立容器。
It still can be defined in the docker-compose
file for non-swarm, standalone containers (like in the sample docker-compose file in my question) and it would still add a /run/secrets/secret-name to your container.它仍然可以在非 swarm 的独立容器的
docker-compose
文件中定义(就像在我的问题中的示例docker-compose文件中一样),它仍然会向你的容器添加一个/run/secrets/secret-name 。 However, it behaves like a regular bind mount.但是,它的行为类似于常规绑定安装。
From this Github issue on using Docker secrets without a swarm:从这个 Github 问题关于在没有群的情况下使用 Docker 秘密:
In docker-compose
/run/secrets
is just a bind mount to the host.在 docker-compose
/run/secrets
只是一个绑定安装到主机。
Those secrets are not deployed to a swarm.这些秘密不会部署到一个群体中。
So, for gitlab-runner jobs, you could emulate the secrets feature with a regular mount:因此,对于 gitlab-runner 作业,您可以使用常规挂载来模拟秘密功能:
volumes = [
"/path/to/my_app_secrets:/run/secrets/my_app_secrets"
]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.