从 Vault 获取 Jenkins git repo 凭据
[英]Getting Jenkins git repo credentials from Vault
问题描述
I would like to avoid storing any credentials in Jenkins and rely solely on Hashicorp Vault for storing and managing credentials.
我想避免在 Jenkins 中存储任何凭据,而仅依靠 Hashicorp Vault 来存储和管理凭据。
It is pretty trivial to get it working once pipeline is working but I can't find any examples or guidance on how I can do the initial git clone from private repo in Jenkinsfile without storing PAT token in Jenkins secrets.一旦管道工作,让它工作是非常微不足道的,但我找不到任何示例或指导,说明如何在不将 PAT 令牌存储在 Jenkins 机密中的情况下,从 Jenkinsfile 中的私人仓库进行初始 git 克隆。
I would like to call Vault first, get PAT token from there , and then clone the repo with Jenkinfile.我想先调用 Vault,从那里获取 PAT 令牌,然后使用 Jenkinfile 克隆 repo。
Could anyone give me a hint please?任何人都可以给我一个提示吗?
1 个解决方案
解决方案1
1 已采纳 2022-06-15 12:26:47
For checking out your project files from the SCM从 SCM 中检出您的项目文件
You will need to store at least the approle/secret to access Vault within the Jenkins credentials store.您将需要至少存储 approle/secret 以在 Jenkins 凭证存储中访问 Vault。 However, once you have done that, you should be able to use the Vault plugin to access any information you need, and have it saved to an environment variable.但是,一旦你这样做了,你应该能够使用Vault 插件来访问你需要的任何信息,并将其保存到环境变量中。 From there, you can use that environment variable as needed.从那里,您可以根据需要使用该环境变量。
See here for an example of how to use the Vault plugin inside your Jenkinsfile有关如何在 Jenkinsfile 中使用 Vault 插件的示例,请参见此处
For checking out your Jenkinsfile (original checkout/clone)用于检查您的 Jenkinsfile(原始结帐/克隆)
Note: The following depends on using SSH to access your SCM.注意:以下取决于使用 SSH 访问您的 SCM。 I have confirmed this method works with Git/SSH.我已经确认此方法适用于 Git/SSH。
You could add your SSH key to the Jenkins built-in node (formerly master) user's home directory, as well as the home directories of users for any build nodes you use.您可以将 SSH 密钥添加到 Jenkins 内置节点(以前的主节点)用户的主目录,以及您使用的任何构建节点的用户主目录。 You would also need to add the correct configuration options to your SSH config file (.ssh/config) so SSH uses that key to access your SCM server.您还需要将正确的配置选项添加到您的 SSH 配置文件 (.ssh/config),以便 SSH 使用该密钥来访问您的 SCM 服务器。
Host myscm.mycompany.com
User scmuser
IdentityFile ~/.ssh/scm_id_rsa
PreferredAuthentications publickey
RequestTTY no
Once you have the above set, you can just specify your SCM URL within Jenkins, and it will use the defaults from your SSH folder.完成上述设置后,您只需在 Jenkins 中指定 SCM URL,它将使用 SSH 文件夹中的默认值。
If you are not using SSH, please post back with your SCM as well as access method (http? rsync?).如果您不使用 SSH,请使用您的 SCM 以及访问方法(http?rsync?)发回。
From comment:来自评论:
You have two other options: (1) store your Jenkinsfile in a public repository that is different from your project repository or make your project repository public, or (2) define your pipeline directly in the job, so that you don't need a Jenkinsfile您还有两个选择:(1) 将您的 Jenkinsfile 存储在与您的项目存储库不同的公共存储库中,或者将您的项目存储库公开,或者 (2) 直接在作业中定义您的管道,这样您就不需要詹金斯文件
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.