Azure Devops nuget 工件源和 docker [英] Azure Devops nuget artifact feed and docker

问题描述

是否有一种为 Devops 创建身份验证机制以便能够访问工件 NuGet 提要的好方法?我想为我的团队创建一个基础镜像，允许他们从我们的 Azure 容器注册表中提取一个可以访问我们的 devops nuget 提要的镜像.理想情况下，人们不必在每个从主机构建系统中获取 PAT 的项目中都拥有相同的 dockerfile 代码.这也可以让我们更好地进行 CICD.

Is there a good way to create an authentication mechanism to Devops to be able to access the artifact NuGet feed? I would like to create a base image for my team that would allow them to just pull an image from our Azure Container Registry that has access to our devops nuget feed. Ideally people wouldn't have to have the same stock dockerfile code in every single project that grabs a PAT from their host build system. This would also allow us to CICD this a little more nicely.

我目前的解决方案

FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build-env
WORKDIR /app

ARG IT_PAT
ENV VSS_NUGET_EXTERNAL_FEED_ENDPOINTS "{"endpointCredentials": [{"endpoint": "https://pkgs.dev.azure.com/MNPIT/_packaging/MNP/nuget/v3/index.json","username": "build","password": "${IT_PAT}"}]}"
RUN mkdir -p $HOME/.nuget/plugins
WORKDIR /deps

# Downloads and installs the NuGet credential plugin so we can login to the private NuGet feed
RUN curl https://github.com/microsoft/artifacts-credprovider/releases/download/v0.1.24/Microsoft.NetCore2.NuGet.CredentialProvider.tar.gz -L -o creds.tar.gz -s
RUN tar -xzf creds.tar.gz
RUN cp -r plugins/netcore/ ~/.nuget/plugins

• 每个构建文件中的代码
• 每个用户都使用 PAT 配置他们的环境变量
• 在每个构建中传递 PAT
• 不适用于自动构建系统

推荐答案

我想为我的团队创建一个基础映像，让他们可以从我们的 Azure 容器注册表中提取一个可以访问我们的 devops nuget 提要的映像.

I would like to create a base image for my team that would allow them to just pull an image from our Azure Container Registry that has access to our devops nuget feed.

您可以在图像中包含凭据以实现此目的，但出于安全考虑，您最好添加一些额外的步骤或代码以从图像外部传递凭据.

You can include the credentials inside your image to achieve this, But for security concern, you've better add some extra steps or codes to pass the credentials from outside the image.

根据您当前的解决方案，您可以使用 系统预定义变量 $(System.AccessToken) 以获取 azure devops CICD 管道中的安全令牌.然后在 docker build 任务中，将访问令牌作为参数传递给 ARG IT_PAT，

Based on your current solution, you can use the system predefined variable $(System.AccessToken) to get the security token in the azure devops CICD pipeline. Then in the docker build task, you pass the access token to the ARG IT_PAT as arguement,

--build-arg IT_PAT=$(System.AccessToken)

除了使用 NuGet 凭据插件外，您还可以使用 dotnet cli 将凭据添加到 nuget 源.然后在构建参数中传递 $(System.AccessToken) .见下文:

Besides using the NuGet credential plugin, You can also use the dotnet cli to add credentials to the nuget source. And then pass the $(System.AccessToken) in the build arguements. See below:

ARG PAT
COPY . .
RUN dotnet nuget add source "your-source-url" --name "source-name" --username "useless" --password "$PAT" --store-password-in-clear-text
RUN dotnet restore

另一种解决方法是将 nuget.config 包含在构建上下文中.但是您需要先包含一个没有凭据的 nuget.config 文件，然后再添加一个额外的 nuget task 将凭据添加到配置文件.然后将 nuget.config 复制到 docker 文件中.见下文:

Another workaround is to include the nuget.config in the build context. But you need to include a nuget.config file without the credentials first, and then add an extra nuget task to add the credentials to the config file. Then copy the nuget.config in your docker file . See below:

添加要在自定义命令下运行的 nuget 任务，以将凭据添加到 nuget.config 文件.

Add a nuget task to run below custom command to add the credentials to the nuget.config file.

sources Add -Name "MyPackages" -Source "https://my.pkgs.visualstudio.com/_packaging/MyPackages/nuget/v3/index.json" -username any -password $(System.AccessToken) -ConfigFile Source/Nuget.config -StorePasswordInClearText

复制docker文件中的nuget.config，还原完成后不要忘记删除nuget.config文件:

Copy the nuget.config in the docker file, Donot forget to delete the nuget.config file when the restore is complete:

COPY *.csproj .
COPY ./nuget.config .
RUN dotnet restore
RUN rm nuget.config

如果您使用的是基于 Yaml 的管道.您还可以查看 容器工作.然后通过设置 容器端点.然后您可以直接使用管道中的还原任务.请参见下面的示例，nuget restore 任务将在您的私有容器中运行，它可以通过为您的 nuget feed 指定属性 vstsFeed 直接访问您的 azure feed:

If you are using Yaml based pipeline. You can also check out container jobs. Then you use your private container by setting up the container endpoints. And then you can directly use the restore tasks in your pipeline. See below example, the nuget restore task will run in your private container, and it can access to your azure feeds directly by specifying attribute vstsFeed to your nuget feed:

当您在管道中指定容器时，代理将首先获取并启动容器.然后，作业的每一步都将在容器内运行.

When you specify a container in your pipeline, the agent will first fetch and start the container. Then, each step of the job will run inside the container.

container:
  image: myprivate/registry:ubuntu1604
  endpoint: private_dockerhub_connection

steps:
- task: NuGetCommand@2
  inputs:
    command: 'restore'
    feedsToUse: 'select'
    vstsFeed: 'my-azure-nuget-feed'
    restoreSolution: '**/*.sln'

有关更多信息，您可以查看 此线程.

For more information you can check out this thread.

这篇关于Azure Devops nuget 工件源和 docker的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！