[英]How Can I Optimize My gitlab-ci.yml Any Ideas?
我最近在 Gitlab 的項目中創建了一個標簽后,我為自己創建了一個自動拉取的管道
但它有嚴重的安全問題,因為我在 Docker 鏡像中使用 Echo 函數來導入我的私鑰
和我的圖像公鑰
我的問題是
如何在變量中安全地從我的 Gitlab 配置文件中讀取公鑰和私鑰?
## Author : RaminSubZero (0VERL0RD Corporation)
## PLEASE READ COMMENTS
## This CI Pulls Your Repository On Your Server With Some Statements
## This CI Triggers Only When You Make A Tag For Your Repo
## Start
image: trion/ng-cli-karma
## Setting Server Configuration For CI/CD Integration
## Config This Variables As You Need
## We Set This Stage Deploy
deploy_stage:
variables:
SSH_PRIVATE_KEY_PATH : "/root/.ssh/id_rsa"
SSH_PRIVATE_KEY : "-----BEGIN RSA PRIVATE KEY-----
example
-----END RSA PRIVATE KEY-----"
SSH_PUBLIC_KEY : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAexample3v3P RaminSub-Zero@PC"
SERVER: "example.com"
USER: "root"
PORT: "22"
PROJECT_DIR: "public_html/"
BRANCH: "master"
## This Git Pre Commands Save Your Local Changes To Server For Allowing Save Your Custom Files In Server
## You Can Set This Variables Empty If You Want
## For Setting This Variables Empty Replace This Lines With This Code
## GIT_PRESAVE_COMMAND: ""
## GIT_POSTSAVE_COMMAND: ""
## Start Saving Variables
GIT_PRESAVE_COMMAND: "&& git stash"
GIT_POSTSAVE_COMMAND: "&& git stash apply"
## End Saving Variables
CUSTOM_COMMAND: ""
CUSTOM_COMMAND2: ""
## You Can Run Any Command In Your Server You Want | For Example (CUSTOM_COMMAND: "&& systemctl restart nginx")
## Note : You Have To Use && First Of Your Command
# Here We Set Rule For Trigger This CI Per Tag Release
rules:
- if: '$CI_COMMIT_TAG != null'
stage: deploy
script:
- apt-get update
- apt-get update -y && apt-get install openssh-client -y
- mkdir /root/.ssh
- chmod 777 /root/.ssh
- touch /root/.ssh/id_rsa /root/.ssh/id_rsa.pub
- echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa ; echo "$SSH_PUBLIC_KEY" > /root/.ssh/id_rsa.pub
- chmod 600 /root/.ssh/id_rsa.pub
- chmod 600 /root/.ssh/id_rsa
- ssh -o "StrictHostKeyChecking no" -i $SSH_PRIVATE_KEY_PATH $USER@$SERVER -p $PORT "cd $PROJECT_DIR $GIT_PRESAVE_COMMAND && git pull origin $BRANCH $GIT_POSTSAVE_COMMAND $CUSTOM_COMMAND $CUSTOM_COMMAND2 && exit"
## In The End We Exit From Server To Finish Our Updating Session
## End
您應該從.gitlab-ci.yml
刪除帶有私鑰的變量並通過 UI 添加它: https : .gitlab-ci.yml
. 這樣它就不會被提交到存儲庫中。
至於 CI 日志,您應該將script:
下的所有內容移動到單獨的 *.sh 文件中 - 這樣每一行就不會在日志中單獨顯示。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.