Azure Devops nuget 工件提要和 docker [英] Azure Devops nuget artifact feed and docker
问题描述
是否有一种好方法可以为 Devops 创建身份验证机制,以便能够访问工件 NuGet 提要?我想为我的团队创建一个基本映像,这样他们就可以从我们的 Azure 容器注册表中提取一个可以访问我们的 devops nuget 提要的映像.理想情况下,人们不必在从其主机构建系统获取 PAT 的每个项目中都拥有相同的库存 dockerfile 代码.这也能让我们更好地进行 CICD.
Is there a good way to create an authentication mechanism to Devops to be able to access the artifact NuGet feed? I would like to create a base image for my team that would allow them to just pull an image from our Azure Container Registry that has access to our devops nuget feed. Ideally people wouldn't have to have the same stock dockerfile code in every single project that grabs a PAT from their host build system. This would also allow us to CICD this a little more nicely.
我目前的解决方案
FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build-env
WORKDIR /app
ARG IT_PAT
ENV VSS_NUGET_EXTERNAL_FEED_ENDPOINTS "{"endpointCredentials": [{"endpoint": "https://pkgs.dev.azure.com/MNPIT/_packaging/MNP/nuget/v3/index.json","username": "build","password": "${IT_PAT}"}]}"
RUN mkdir -p $HOME/.nuget/plugins
WORKDIR /deps
# Downloads and installs the NuGet credential plugin so we can login to the private NuGet feed
RUN curl https://github.com/microsoft/artifacts-credprovider/releases/download/v0.1.24/Microsoft.NetCore2.NuGet.CredentialProvider.tar.gz -L -o creds.tar.gz -s
RUN tar -xzf creds.tar.gz
RUN cp -r plugins/netcore/ ~/.nuget/plugins
- 每个构建文件中的库存代码
- 每个用户使用 PAT 配置他们的环境变量
- 在每次构建时传递 PAT
- 不适用于自动构建系统
推荐答案
我想为我的团队创建一个基础镜像,这样他们就可以从我们的 Azure 容器注册表中提取一个可以访问我们的 devops nuget 提要的镜像.
I would like to create a base image for my team that would allow them to just pull an image from our Azure Container Registry that has access to our devops nuget feed.
您可以在图像中包含凭据以实现此目的,但出于安全考虑,您最好添加一些额外的步骤或代码以从图像外部传递凭据.
You can include the credentials inside your image to achieve this, But for security concern, you've better add some extra steps or codes to pass the credentials from outside the image.
根据您当前的解决方案,您可以使用 系统预定义变量 $(System.AccessToken) 以获取 azure devops CICD 管道中的安全令牌.然后在 docker build 任务中,将访问令牌作为参数传递给 ARG IT_PAT,
Based on your current solution, you can use the system predefined variable $(System.AccessToken) to get the security token in the azure devops CICD pipeline. Then in the docker build task, you pass the access token to the ARG IT_PAT as arguement,
--build-arg IT_PAT=$(System.AccessToken)
除了使用 NuGet 凭据插件之外,您还可以使用 dotnet cli 向 nuget 源添加凭据.然后在构建参数中传递 $(System.AccessToken) .见下文:
Besides using the NuGet credential plugin, You can also use the dotnet cli to add credentials to the nuget source. And then pass the $(System.AccessToken) in the build arguements. See below:
ARG PAT
COPY . .
RUN dotnet nuget add source "your-source-url" --name "source-name" --username "useless" --password "$PAT" --store-password-in-clear-text
RUN dotnet restore
另一种解决方法是在构建上下文中包含 nuget.config.但是您需要先包含一个没有凭据的 nuget.config 文件,然后再添加一个额外的 nuget 任务 将凭据添加到配置文件中.然后将 nuget.config 复制到您的 docker 文件中.见下文:
Another workaround is to include the nuget.config in the build context. But you need to include a nuget.config file without the credentials first, and then add an extra nuget task to add the credentials to the config file. Then copy the nuget.config in your docker file . See below:
在自定义命令下添加 nuget 任务以将凭据添加到 nuget.config 文件中.
Add a nuget task to run below custom command to add the credentials to the nuget.config file.
sources Add -Name "MyPackages" -Source "https://my.pkgs.visualstudio.com/_packaging/MyPackages/nuget/v3/index.json" -username any -password $(System.AccessToken) -ConfigFile Source/Nuget.config -StorePasswordInClearText
复制docker文件中的nuget.config,还原完成后不要忘记删除nuget.config文件:
Copy the nuget.config in the docker file, Donot forget to delete the nuget.config file when the restore is complete:
COPY *.csproj .
COPY ./nuget.config .
RUN dotnet restore
RUN rm nuget.config
如果您使用的是基于 Yaml 的管道.您还可以查看 container工作.然后你通过设置 容器端点.然后您可以直接使用管道中的还原任务.请参见下面的示例,nuget 还原任务将在您的私有容器中运行,它可以通过为您的 nuget 提要指定属性 vstsFeed 来直接访问您的 azure 提要:
If you are using Yaml based pipeline. You can also check out container jobs. Then you use your private container by setting up the container endpoints. And then you can directly use the restore tasks in your pipeline. See below example, the nuget restore task will run in your private container, and it can access to your azure feeds directly by specifying attribute vstsFeed to your nuget feed:
当您在管道中指定容器时,代理将首先获取并启动容器.然后,作业的每一步都将在容器内运行.
When you specify a container in your pipeline, the agent will first fetch and start the container. Then, each step of the job will run inside the container.
container:
image: myprivate/registry:ubuntu1604
endpoint: private_dockerhub_connection
steps:
- task: NuGetCommand@2
inputs:
command: 'restore'
feedsToUse: 'select'
vstsFeed: 'my-azure-nuget-feed'
restoreSolution: '**/*.sln'
有关更多信息,您可以查看此主题.
For more information you can check out this thread.
这篇关于Azure Devops nuget 工件提要和 docker的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
