GitLab CI ssh注册表登录 [英] GitLab CI ssh registry login

问题描述

我有一个GitLab项目 gitlab.com/my-group/my-project ，该项目具有用于生成映像并将其推送到项目的GitLab注册表的CI管道 registry.gitlab.com/my-group/my-project:tag 。我想将此映像部署到我有运行docker的VM的Google Compute Engine。

I have a GitLab project gitlab.com/my-group/my-project which has a CI pipeline that builds an image and pushes it to the project's GitLab registry registry.gitlab.com/my-group/my-project:tag. I want to deploy this image to Google Compute Engine, where I have a VM running docker.

通过手动进入虚拟机然后单击 docker登录Registry.gitlab.com 即可轻松手动完成操作和 docker运行... registry.gitlab.com/my-group/my-project:tag 。除了 docker login 命令是交互式的，对于CI而言，这是不可行的。它可以在命令行上接受用户名和密码，但是即使我的登录信息位于秘密变量（将我的GitLab登录凭据存储在GitLab秘密变量中？...）

Easy enough to do it manually by ssh'ing into the VM, then docker login registry.gitlab.com and docker run ... registry.gitlab.com/my-group/my-project:tag. Except the docker login command is interactive, which is a no-go for CI. It can accept a username and password on the command line, but that hardly feels like the right thing to do, even if my login info is in a secret variable (storing my GitLab login credentials in a GitLab secret variable?...)

管道的Deploy阶段预期的工作流程：

This is the intended workflow on the Deploy stage of the pipeline:

1. 要么安装 gcloud 工具或使用预先安装的映像


2. gcloudcompute ssh my-gce-vm-name --quiet --command \
docker登录注册表.gitlab.com&& docker运行Registry.gitlab.com/my-group/my-project:tag

1. Either install the gcloud tool or use an image with it preinstalled
2. gcloud compute ssh my-gce-vm-name --quiet --command \ "docker login registry.gitlab.com && docker run registry.gitlab.com/my-group/my-project:tag"

由于 gcloud 命令将在GitLab CI Runner中运行，因此它可以可以访问秘密变量，但这就是

Since the gcloud command would be running within the GitLab CI Runner, it could have access to secret variables, but is that really the best way to log in to the GitLab Registry over ssh from GitLab?

推荐答案

I'是通过git从GitLab 登录到git注册表的最佳方法吗？ ll a回答我自己的问题，以防其他任何人偶然发现。 GitLab为每个版本创建临时访问令牌给用户 gitlab-ci-token 访问GitLab注册中心的管道。解决方案是以 gitlab-ci-token 用户的身份登录。

I'll answer my own question in case anyone else stumbles upon it. GitLab creates ephemeral access tokens for each build of the pipeline that give the user gitlab-ci-token access to the GitLab Registry. The solution was to log in as the gitlab-ci-token user in the build.

.gitlab-ci .yml（节选）：

.gitlab-ci.yml (excerpt):

deploy:
  stage: deploy
  before_script:
    - gcloud compute ssh my-instance-name --command "docker login registry.gitlab.com/my-group/my-project -u gitlab-ci-token -p $CI_BUILD_TOKEN"

这篇关于GitLab CI ssh注册表登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！