GitLab CI ssh 注册表登录 [英] GitLab CI ssh registry login
问题描述
我有一个 GitLab 项目 gitlab.com/my-group/my-project,它有一个 CI 管道,用于构建图像并将其推送到项目的 GitLab 注册表 registry.gitlab.com/my-group/my-project:tag.我想将此映像部署到 Google Compute Engine,在那里我有一个运行 docker 的 VM.
I have a GitLab project gitlab.com/my-group/my-project which has a CI pipeline that builds an image and pushes it to the project's GitLab registry registry.gitlab.com/my-group/my-project:tag. I want to deploy this image to Google Compute Engine, where I have a VM running docker.
通过 ssh 进入虚拟机,然后 docker login registry.gitlab.com 和 docker run ... registry.gitlab.com/my-group 手动操作很容易/我的项目:标签.除了 docker login 命令是交互式的,这对 CI 来说是不行的.它可以在命令行上接受用户名和密码,但这几乎不是正确的做法,即使我的登录信息在 秘密变量(将我的 GitLab 登录凭据存储在 GitLab 秘密变量中?...)
Easy enough to do it manually by ssh'ing into the VM, then docker login registry.gitlab.com and docker run ... registry.gitlab.com/my-group/my-project:tag. Except the docker login command is interactive, which is a no-go for CI. It can accept a username and password on the command line, but that hardly feels like the right thing to do, even if my login info is in a secret variable (storing my GitLab login credentials in a GitLab secret variable?...)
这是管道部署阶段的预期工作流程:
This is the intended workflow on the Deploy stage of the pipeline:
- 安装
gcloud工具或使用预安装的映像 gcloud compute ssh my-gce-vm-name --quiet --command "docker login registry.gitlab.com && docker run registry.gitlab.com/my-group/my-project:tag"
- Either install the
gcloudtool or use an image with it preinstalled gcloud compute ssh my-gce-vm-name --quiet --command "docker login registry.gitlab.com && docker run registry.gitlab.com/my-group/my-project:tag"
由于 gcloud 命令将在 GitLab CI Runner 中运行,它可以访问秘密变量,但这确实是登录到来自 GitLab 的 ssh 上的 GitLab 注册表?
Since the gcloud command would be running within the GitLab CI Runner, it could have access to secret variables, but is that really the best way to log in to the GitLab Registry over ssh from GitLab?
推荐答案
我会回答我自己的问题,以防其他人偶然发现它.GitLab 为每个构建创建临时访问令牌的管道 让用户 gitlab-ci-token 访问 GitLab 注册表.解决方案是在构建中以 gitlab-ci-token 用户身份登录.
I'll answer my own question in case anyone else stumbles upon it. GitLab creates ephemeral access tokens for each build of the pipeline that give the user gitlab-ci-token access to the GitLab Registry. The solution was to log in as the gitlab-ci-token user in the build.
.gitlab-ci.yml(摘录):
.gitlab-ci.yml (excerpt):
deploy:
stage: deploy
before_script:
- gcloud compute ssh my-instance-name --command "docker login registry.gitlab.com/my-group/my-project -u gitlab-ci-token -p $CI_BUILD_TOKEN"
这篇关于GitLab CI ssh 注册表登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
