How to turn a variable from HashiCorp Vault into a global variable in a Jenkinsfile



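I'm new to Jenkins and have been working on one problem for 3 days straight without being able to solve it, so I'm hoping someone can help.
I'm trying to pass a secret from HashiCorp Vault into a Jenkins pipeline. It looks like I can pull the secret, but I can't use it outside the curly braces of the withVault statement. Can anyone point me in the right direction and tell me how to turn that secret into a global variable that I can then use in the pipeline?

Here is my code: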

#!/usr/bin/env groovy
def projectProperties = [
    [$class: 'BuildDiscarderProperty', strategy: [$class: 'LogRotator', numToKeepStr: '5']]
]
node {
    withVault(configuration: [timeout: 60, vaultCredentialId: 'approle', vaultUrl: 'https://redacted.com'], vaultSecrets: [[path: '/secrets/kaniko', secretValues: [[vaultKey: 'key']]]]) {
        sh 'echo $key' // Shows that the key has been pulled while running the pipeline
    }
}
pipeline {
    agent {
        kubernetes {
            cloud 'openshift'
            idleMinutes 15
            activeDeadlineSeconds 1800
            yaml """
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  volumes:
  - name: build-context
    emptyDir: {}
  - name: kaniko-secret
    secret:
      secretName: regcred-${NAMESPACE}
      items:
      - key: .dockerconfigjson
        path: config.json
  securityContext:
    runAsUser: 0
  serviceAccount: kaniko
  initContainers:
  - name: kaniko-init
    image: ubuntu
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args: ["--context=git://${key}@github.com/redacted/dockerfiles.git#refs/heads/${BRANCH}",
           "--destination=image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${IMAGE_NAME}:${IMAGE_TAG}",
           "--dockerfile=/jenkins-slave-ansible/Dockerfile",
           "--skip-tls-verify"]
    resources:
      limits:
        cpu: 1
        memory: 5Gi
      requests:
        cpu: 100m
        memory: 256Mi
    volumeMounts:
    - name: build-context
      mountPath: /kaniko/build-context
    - name: kaniko-secret
      mountPath: /kaniko/.docker
  restartPolicy: Never
"""
        }
    }
    parameters {
        choice(name: 'NAMESPACE', choices: ['engineering', 'ce-jenkins-testing'])
        string(defaultValue: 'master', description: 'Please enter your branch name', name: 'BRANCH')
        string(defaultValue: 'test', description: 'Please enter your image name (e.g.: jenkins-slave-ansible)', name: 'IMAGE_NAME')
        string(defaultValue: 'latest', description: 'Please add your tag (e.g.: 1.72.29)', name: 'IMAGE_TAG')
    }
etc..... more code below

I need to be able to use the key in this line from above:

args: ["--context=git://${key}@github.com/redacted/dockerfiles.git#refs/heads/${BRANCH}"

Thanks in advance!

You can bind the vaultKey to an environment variable

secretValues: [[vaultKey: 'key', envVar: 'KEY']]

Then, wherever you need to use it, reference env.KEY

args: ["--context=git://${env.KEY}@github.com/redacted/dockerfiles.git#refs/heads/${BRANCH}"

You need to add envVar and pull this value outside the withVault() scope

withVault(configuration: ..., 
vaultSecrets: [[
path: '...', 
secretValues: [[envVar: 'key_inside_withVault', vaultKey: 'key']]]]) {
env.key_outside_withVault = key_inside_withVault
}

You can use the same variable name key for all three key... variables
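
The two answers above, put together in the layout of the question's Jenkinsfile, as an added example that is not part of the original posts. The names GIT_TOKEN and KANIKO_GIT_TOKEN and the 'Check' stage are assumptions made for this sketch; the pod spec is trimmed to the lines that matter here.

```groovy
// Added example, not from the original posts. GIT_TOKEN / KANIKO_GIT_TOKEN are assumed names.
node {
    withVault(
        configuration: [timeout: 60, vaultCredentialId: 'approle', vaultUrl: 'https://redacted.com'],
        vaultSecrets: [[path: '/secrets/kaniko',
                        secretValues: [[envVar: 'GIT_TOKEN', vaultKey: 'key']]]]
    ) {
        // GIT_TOKEN exists only inside this closure; copying it to env.* makes it
        // an environment variable for the rest of the build.
        env.KANIKO_GIT_TOKEN = env.GIT_TOKEN
    }
}
pipeline {
    agent {
        kubernetes {
            cloud 'openshift'
            // Groovy expands ${...} in this GString before the pod is created, so the token
            // becomes a literal part of the container args, readable by anyone who can view the pod spec.
            yaml """
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  serviceAccount: kaniko
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args: ["--context=git://${env.KANIKO_GIT_TOKEN}@github.com/redacted/dockerfiles.git#refs/heads/${params.BRANCH}",
           "--destination=image-registry.openshift-image-registry.svc:5000/${params.NAMESPACE}/${params.IMAGE_NAME}:${params.IMAGE_TAG}",
           "--dockerfile=/jenkins-slave-ansible/Dockerfile"]
  restartPolicy: Never
"""
        }
    }
    parameters {
        choice(name: 'NAMESPACE', choices: ['engineering', 'ce-jenkins-testing'])
        string(defaultValue: 'master', description: 'Please enter your branch name', name: 'BRANCH')
        string(defaultValue: 'test', description: 'Please enter your image name', name: 'IMAGE_NAME')
        string(defaultValue: 'latest', description: 'Please add your tag', name: 'IMAGE_TAG')
    }
    stages {
        stage('Check') {
            steps {
                // Single quotes: the shell, not Groovy, reads the variable; only its presence is printed.
                sh 'test -n "$KANIKO_GIT_TOKEN" && echo "token is set"'
            }
        }
    }
}
```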
