How can I optimize my gitlab-ci.yml? Any ideas?
After I recently created a tag in my GitLab project, I built myself a pipeline that pulls automatically,
but it has a serious security problem, because I use echo inside the Docker image to import my private key
and my public key into the image.
My question is:
how can I safely read the public and private key into variables from my GitLab configuration?
```yaml
## Author : RaminSubZero (0VERL0RD Corporation)
## PLEASE READ COMMENTS
## This CI pulls your repository on your server with some statements
## This CI triggers only when you make a tag for your repo
## Start
image: trion/ng-cli-karma

## Server configuration for CI/CD integration
## Configure these variables as you need
## We set this stage to deploy
deploy_stage:
  variables:
    SSH_PRIVATE_KEY_PATH: "/root/.ssh/id_rsa"
    # A block scalar keeps the key's line breaks; a double-quoted string
    # spanning several lines would fold them into spaces and break the key.
    SSH_PRIVATE_KEY: |
      -----BEGIN RSA PRIVATE KEY-----
      example
      -----END RSA PRIVATE KEY-----
    SSH_PUBLIC_KEY: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAexample3v3P RaminSub-Zero@PC"
    SERVER: "example.com"
    USER: "root"
    PORT: "22"
    PROJECT_DIR: "public_html/"
    BRANCH: "master"
    ## These git pre/post commands stash and re-apply the local changes on the
    ## server, so custom files kept there survive the pull.
    ## You can leave these variables empty if you want, by replacing the two
    ## lines below with:
    ## GIT_PRESAVE_COMMAND: ""
    ## GIT_POSTSAVE_COMMAND: ""
    GIT_PRESAVE_COMMAND: "&& git stash"
    GIT_POSTSAVE_COMMAND: "&& git stash apply"
    ## You can run any command on your server, for example
    ## CUSTOM_COMMAND: "&& systemctl restart nginx"
    ## Note: the command must start with &&
    CUSTOM_COMMAND: ""
    CUSTOM_COMMAND2: ""
  # Run this job only for tag releases
  rules:
    - if: '$CI_COMMIT_TAG != null'
  stage: deploy
  script:
    - apt-get update -y && apt-get install openssh-client -y
    - mkdir /root/.ssh
    - chmod 777 /root/.ssh
    - touch /root/.ssh/id_rsa /root/.ssh/id_rsa.pub
    - echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa ; echo "$SSH_PUBLIC_KEY" > /root/.ssh/id_rsa.pub
    - chmod 600 /root/.ssh/id_rsa.pub
    - chmod 600 /root/.ssh/id_rsa
    - ssh -o "StrictHostKeyChecking no" -i $SSH_PRIVATE_KEY_PATH $USER@$SERVER -p $PORT "cd $PROJECT_DIR $GIT_PRESAVE_COMMAND && git pull origin $BRANCH $GIT_POSTSAVE_COMMAND $CUSTOM_COMMAND $CUSTOM_COMMAND2 && exit"
## At the end we exit from the server to finish the update session
## End
```
You should remove the variable containing the private key from .gitlab-ci.yml
and add it through the UI instead: https : .gitlab-ci.yml
. That way it is never committed to the repository.
As for the CI log, you should move everything under script:
into a separate *.sh file; that way each line is not shown individually in the log.
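As an added example (not code from the question or from the answer), here is one way to apply the answer's two suggestions to the deploy_stage job above: the key material comes only from masked CI/CD variables defined in the project settings, every step lives in a script file so the job log shows a single `bash ci/deploy.sh` line instead of each command, and the server's host key is pinned through a `known_hosts` variable instead of `StrictHostKeyChecking no`. It also single-quotes `PROJECT_DIR` and `BRANCH` before they reach the remote shell, so a CI variable cannot inject extra commands. The file name `ci/deploy.sh`, the variable names `SSH_KNOWN_HOSTS` and `DEPLOY_USER`, the key file name `id_deploy`, the `--ff-only` pull and the `.gitlab-ci.yml` layout shown in the header comment are all assumptions of this example.

```shell
#!/usr/bin/env bash
# ci/deploy.sh (hypothetical name): replacement for the inline `script:` of the
# deploy_stage job above. Added example, not the question's or the answer's code.
#
# Secrets never appear in .gitlab-ci.yml. Define these as masked (and ideally
# protected) variables under Settings > CI/CD > Variables:
#   SSH_PRIVATE_KEY   the deploy key, unchanged (multi-line)
#   SSH_KNOWN_HOSTS   output of: ssh-keyscan -p "$PORT" "$SERVER"
#   SERVER, DEPLOY_USER, PORT, PROJECT_DIR, BRANCH   non-secret job settings
#
# Matching .gitlab-ci.yml (assumed layout):
#   deploy_stage:
#     stage: deploy
#     image: trion/ng-cli-karma
#     rules:
#       - if: '$CI_COMMIT_TAG'
#     script:
#       - bash ci/deploy.sh run "systemctl restart nginx"
set -eu

# Wrap a string in single quotes for the remote shell so that a CI variable
# such as PROJECT_DIR cannot inject extra commands into the ssh command line.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Materialise the key and the pinned host key from the environment. umask 077
# makes every file 0600 from the moment it is created, and nothing is echoed
# to the job log. Prints the private key path.
install_ssh_material() {
  local ssh_dir="$1"
  : "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY is not set (masked CI/CD variable)}"
  : "${SSH_KNOWN_HOSTS:?SSH_KNOWN_HOSTS is not set (ssh-keyscan output)}"
  (
    umask 077
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    printf '%s\n' "$SSH_PRIVATE_KEY" > "$ssh_dir/id_deploy"
    printf '%s\n' "$SSH_KNOWN_HOSTS" > "$ssh_dir/known_hosts"
  )
  printf '%s\n' "$ssh_dir/id_deploy"
}

# Build the command executed on the server: cd, fast-forward pull, then any
# extra hook commands (empty hooks are skipped; no leading '&&' is needed).
build_remote_command() {
  local project_dir="$1" branch="$2" cmd hook
  shift 2
  cmd="cd $(shell_quote "$project_dir") && git pull --ff-only origin $(shell_quote "$branch")"
  for hook in "$@"; do
    if [ -n "$hook" ]; then
      cmd="$cmd && $hook"
    fi
  done
  printf '%s\n' "$cmd"
}

# Run the deployment. The host key is verified against the pinned known_hosts
# instead of being accepted blindly with "StrictHostKeyChecking no".
deploy() {
  local key_file remote_cmd
  key_file=$(install_ssh_material "$HOME/.ssh")
  remote_cmd=$(build_remote_command "${PROJECT_DIR:?}" "${BRANCH:-master}" "$@")
  ssh -o StrictHostKeyChecking=yes \
      -o UserKnownHostsFile="$HOME/.ssh/known_hosts" \
      -i "$key_file" -p "${PORT:-22}" \
      "${DEPLOY_USER:?}@${SERVER:?}" "$remote_cmd"
}

# Only deploy when invoked as `deploy.sh run [hook...]`; sourcing the file
# (for example in a test) defines the functions without contacting any server.
if [ "${1:-}" = "run" ]; then
  shift
  deploy "$@"
fi
```

With this layout the only thing GitLab prints for the job is the `bash ci/deploy.sh ...` line; the key is written straight from the environment into a 0600 file and is never part of a command line. Mark `SSH_PRIVATE_KEY` as masked in the UI so that an accidental echo is redacted in the log as well, and regenerate `SSH_KNOWN_HOSTS` with `ssh-keyscan` whenever the server's host key changes.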
Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please credit this site or the original URL. For any questions contact yoyou2525@163.com.