Jenkins podTemplate 禁用默认回显

Question

我在 Kubernetes 中运行我的 jenkins 以根据要求创建动态从属 pod。

每个文件都使用来自 jenkins 的一些凭据。

现在的问题是当我在 sh script:"" 中运行一些命令时，该凭据在 UI 的日志视图选项中可见。

如下图所示。

我的Jenkinsfile如下所示

podTemplate(
    containers: [
        containerTemplate(name: 'helm', alwaysPullImage: true, image: 'k8s-helm:v3.4.2', command: 'cat',
            ttyEnabled: true)
    ],
    imagePullSecrets: ['registry-credentials']) {
  properties([parameters(
      [string(name: 'dockerImageTag', description: 'Docker image tag to deploy'),
       string(name: 'branchName', defaultValue: 'dev', description: 'Branch being deployed'),
       string(name: 'targetBranch', defaultValue: 'dev', description: 'Target branch against which if a PR is being raised')])])

  currentBuild.description = "branch ${params.branchName}"
  node(POD_LABEL) {

    container('helm') {
      withCredentials([[$class       : 'FileBinding',
                        credentialsId: 'sling-test-kubeconfig',
                        variable     : 'KUBECONFIG'],
                       [$class       : 'StringBinding',
                        credentialsId: 'sd-charts-github-api-token',
                        variable     : 'API_TOKEN']]) {
        stage('Add Helm repository') {
          sh script: "helm repo add stable 'https://charts.helm.sh/stable'",
              label: 'Add stable helm repo'
          sh script: 'helm repo list', label: 'List available helm repos'
        }
        withCredentials([[$class       : 'StringBinding',
                          credentialsId: 'test-env-postgres-password',
                          variable     : 'POSTGRES_PASSWORD'],
                         [$class       : 'StringBinding',
                          credentialsId: 'test-env-rabbitmq-password',
                          variable     : 'RABBITMQ_PASSWORD']]) {

          stage('Deploy') {
            echo "Deploying docker release -> myhost.com/8023/sling/scheduler:${params.dockerImageTag}"
            sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'
          }
        }
      }
    }
  }
}

这个文件有一些我不想在 UI 日志上显示的凭据（即 RABBITMQ_PASSWORD、POSTGRES_PASSWORD 等...还有很多），基本上我不想显示位于

sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'

我得到了一些参考，但这也不起作用。

有人可以帮我解决这个问题。

Answer 1

To avoid leaking your credentials into the output, you need to resolve them within the shell interpreter of the shell step method instead of within Jenkins Pipeline. 由于withCredentials临时分配给环境变量，因此可以通过不在 Groovy 内插值来实现：

sh script: 'scheduler charts/scheduler ' + // literal string
           '--set appConfig.postgres.password=${POSTGRES_PASSWORD},' + // no Groovy interpolation
           "image.tag=${params.dockerImageTag}," + // Groovy interpolation
           'appConfig.rabbitmq.password=${RABBITMQ_PASSWORD},' + // no Groovy interpolation
           "deployment.annotations.buildNumber=${currentBuild.number} " +  // Groovy interpolation
           '--wait', // literal string
           label: 'Install helm release'

这将准确地插入和连接字符串 put 参数到 shell 步骤方法，并且不会在 Jenkins 管道 output 中暴露您的凭据。