How to correctly pass files changed in one stage to another pipeline stage



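Apologies in advance, as I'm not very confident writing GitLab pipelines. I have a pair of encrypted public and private keys committed to the GitLab repo. I introduced a new stage in my pipeline to decrypt the keys and do the deployment.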

```yml
decryption:
  stage: decryption
  allow_failure: false
  before_script:
    - mkdir -p ~/.ssh
    - eval $(ssh-agent -s)
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  script:
    - chmod 660 ./keys/vault_password.txt
    - echo $ANSIBLE_VAULT_PASSWORD > ./keys/vault_password.txt
    - chmod 660 ./keys/private.key
    - chmod 660 ./keys/public.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/private.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/public.key
    - echo "$(cat ./keys/private.key)"
    - echo "$(cat ./keys/public.key)"
  artifacts:
    untracked: true
```

My next stage is build:

```yml
build:
  stage: build
  allow_failure: false
  dependencies:
    - decryption
  script:
    - rm -rf vendor/drupal/coder
    - composer install
    - ./vendor/bin/robo ci:build
    - ls -la vendor/drupal/coder
    - echo "$(cat ./keys/private.key)"
    - echo "$(cat ./keys/public.key)"
  artifacts:
    name: "mycompany_build_{$CI_COMMIT_SHA}"
    expire_in: '1 week'
    paths:
      - ./build
```

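When I echo the keys in the decryption stage, I can see the decrypted keys. However, when I try to access the keys in the build stage as shown below, it shows me the encrypted files. I just want to see whether I can access the decrypted files in the build stage, so that I can then pass these keys on for deployment. Clearly something in the pipeline is not right.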

```yml
- echo "$(cat ./keys/private.key)"
- echo "$(cat ./keys/public.key)"
```

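Maybe the way I wrote the pipeline needs to change so that the changed, untracked public.key and private.key are passed to the build stage, and possibly to the deploy stage as well.

Can someone point me in the right direction on this? Do I have to change something in the artifacts? How should I do that? Thanks in advance.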

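I don't know GitLab CI very well, but I think you are not referencing the decrypted files correctly. In the decryption step you should save the decrypted values into a variable and then use it in the build step. What you are doing now is referencing the file itself in the build step, and the file is not decrypted. You can decrypt in the decryption step and save the decrypted values for later use. I'm not sure whether this works, but maybe you get the idea. Decryption: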

```yml
decryption:
  stage: decryption
  allow_failure: false
  before_script:
    - mkdir -p ~/.ssh
    - eval $(ssh-agent -s)
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  script:
    - chmod 660 ./keys/vault_password.txt
    - echo $ANSIBLE_VAULT_PASSWORD > ./keys/vault_password.txt
    - chmod 660 ./keys/private.key
    - chmod 660 ./keys/public.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/private.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/public.key
    - echo "private_key_value=$(cat ./keys/private.key)"
    - echo "public_key_value=$(cat ./keys/public.key)"
  artifacts:
    untracked: true
```
And then the build step:

```yml
build:
  stage: build
  allow_failure: false
  dependencies:
    - decryption
  script:
    - rm -rf vendor/drupal/coder
    - composer install
    - ./vendor/bin/robo ci:build
    - ls -la vendor/drupal/coder
    - echo $private_key_value
    - echo $public_key_value
  artifacts:
    name: "mycompany_build_{$CI_COMMIT_SHA}"
    expire_in: '1 week'
    paths:
      - ./build
```
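
An added example, not part of the question or the answer above: `artifacts:untracked` only collects files Git does not track, and the committed key files stay tracked (just modified) after an in-place decrypt, so this sketch lists them under `artifacts:paths` and has the build job confirm the hand-over without printing key material. Job and stage names follow the question; the temporary password file and the one-hour expiry are assumptions.

```yaml
# Added example, not from the thread. Stage and job names follow the question.
stages:
  - decryption
  - build

decryption:
  stage: decryption
  script:
    - umask 077                              # files created below: owner-only
    - VAULT_PASS_FILE="$(mktemp)"            # keep the password out of the repo tree
    - printf '%s' "$ANSIBLE_VAULT_PASSWORD" > "$VAULT_PASS_FILE"
    - ansible-vault decrypt --vault-password-file "$VAULT_PASS_FILE" ./keys/private.key
    - ansible-vault decrypt --vault-password-file "$VAULT_PASS_FILE" ./keys/public.key
    - rm -f "$VAULT_PASS_FILE"
  artifacts:
    # `untracked: true` only collects files Git does not track. The keys are
    # committed, so after the in-place decrypt they are "modified", not
    # "untracked", and must be listed explicitly to reach later jobs.
    paths:
      - keys/private.key
      - keys/public.key
    expire_in: 1 hour                        # plaintext key: keep it short-lived

build:
  stage: build
  dependencies:
    - decryption
  script:
    # Verify the artifact replaced the checked-out (encrypted) copy without
    # printing key material to the job log. Vault files start with $ANSIBLE_VAULT.
    - if grep -q '^\$ANSIBLE_VAULT;' ./keys/private.key; then echo "private.key is still encrypted"; exit 1; fi
    - composer install
    - ./vendor/bin/robo ci:build
  artifacts:
    paths:
      - ./build
    expire_in: 1 week
```

Anyone who can download the decryption job's artifacts can read the private key until it expires; decrypting inside the job that actually uses the key avoids storing it as an artifact at all.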
