Use SSH Key from Jenkins Git Plugin to Run Git Commands During Build


Problem description

Our build job on Jenkins runs as part of a release build some git commands like git push and git pull, therefore requires a way to run authenticated git commands from the shell during the build.

Our jenkins slaves don't hold any credentials as they are disposable docker containers that are created per build.

The git plugin manages this with the Jenkins credentials and "somehow" sets GIT_SSH to pick up a private key that is configured via the credentials.

I checked the source code and tried to determine how I can get the variable configured so that I can run for example git pull as an SSH script as part of the build. Without success.

Is there a way to run a git command as part of the build steps using the Jenkins credentials?

My current solution is to copy the SSH key to the slave as part of the build environment setup but seems like duplicate work (plus potential security issue).

Recommended answer

I couldn't figure this out for a while too. So although almost three years old I'll post my solution for using a private SSH Key. It may also be adaptable to user/password combinations.

  1. Add the key to the credentials section as kind "SSH Username with private key".

In the build project use the "Bindings" (You need to tick the "Use secret text(s) or file(s)" in the Build Environment to make it available) to store the credential information in environment variables:

Now comes the tricky part on how to use the key in the git call. I chose GIT_SSH environment variable since it is the most backward compatible way. In order to make that work you need to create a wrapper script that contains the ssh call using the path to the key file provided in SSH_KEYFILE. One may find a better solution to create that script. For me the following shell commands worked:

#!/bin/bash
# turn off command tracing for this build step
set +x

SSH_WRAPPER_SCRIPT=/tmp/ssh_wrapper

# delete pre-existing script
rm -f "$SSH_WRAPPER_SCRIPT"

# create wrapper script with current keyfile path from bindings variable
# (the key path is quoted inside the wrapper so paths with spaces still work)
echo '#!/bin/sh' > "$SSH_WRAPPER_SCRIPT"
echo "exec /usr/bin/ssh -i \"${SSH_KEYFILE}\" \"\$@\"" >> "$SSH_WRAPPER_SCRIPT"
chmod +x "$SSH_WRAPPER_SCRIPT"

# set GIT_SSH env var to use wrapper script
export GIT_SSH="$SSH_WRAPPER_SCRIPT"

# now run your actual git commands here
git ls-remote -h git@someserver.com:some_repo.git HEAD
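
A hardened variant of the wrapper approach in the answer above, added here as an example and not part of the original post: it creates the wrapper in a private `mktemp` directory instead of a fixed `/tmp` path, never writes the key path to disk, and removes the wrapper after use. It assumes `SSH_KEYFILE` is exported by the credentials binding as in the answer; `SSH_BIN`, `make_git_ssh_wrapper` and `git_with_key` are names introduced for this example.

```shell
#!/bin/bash
# Added example, not the answerer's code. Assumes SSH_KEYFILE is exported by the
# Jenkins credentials binding as in the answer; SSH_BIN and the function names
# are introduced here.

# Create the wrapper in a fresh private directory and print its path.
make_git_ssh_wrapper() {
    local dir wrapper
    # unpredictable, owner-only directory (a fixed /tmp/ssh_wrapper path can be
    # pre-created or replaced by another user on a shared host)
    dir=$(umask 077 && mktemp -d) || return 1
    wrapper=$dir/ssh_wrapper
    # Quoted heredoc: nothing is expanded now, so the key path is never written
    # to disk; the wrapper reads SSH_KEYFILE from the environment at run time.
    cat > "$wrapper" <<'EOF'
#!/bin/sh
[ -r "$SSH_KEYFILE" ] || { echo "SSH_KEYFILE is unset or unreadable" >&2; exit 1; }
# IdentitiesOnly: offer only this key; BatchMode: fail instead of prompting in CI
exec "${SSH_BIN:-/usr/bin/ssh}" -i "$SSH_KEYFILE" -o IdentitiesOnly=yes -o BatchMode=yes "$@"
EOF
    chmod 700 "$wrapper"
    printf '%s\n' "$wrapper"
}

# Run one git command through the wrapper, then remove it even if git fails.
git_with_key() {
    local wrapper status
    wrapper=$(make_git_ssh_wrapper) || return 1
    GIT_SSH=$wrapper git "$@"
    status=$?
    rm -rf "$(dirname "$wrapper")"
    return "$status"
}

# Usage inside the build step (same remote as in the answer):
#   git_with_key ls-remote -h git@someserver.com:some_repo.git HEAD
```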
