How to correctly pass files changed in one stage to another pipeline stage

Time: 2021-07-12 09:11:13

Tags: encryption gitlab gitlab-ci

Apologies in advance, as I am not very confident writing GitLab pipelines. I have an encrypted public/private key pair committed to a GitLab repository. To decrypt the keys and deploy, I introduced a new stage into my pipeline.

```yml
decryption:
  stage: decryption

  allow_failure: false

  before_script:
    - mkdir -p ~/.ssh
    - eval $(ssh-agent -s)
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

  script:
    - chmod 660 ./keys/vault_password.txt
    - echo $ANSIBLE_VAULT_PASSWORD > ./keys/vault_password.txt
    - chmod 660 ./keys/private.key
    - chmod 660 ./keys/public.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/private.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/public.key
    - echo "$(cat ./keys/private.key)"
    - echo "$(cat ./keys/public.key)"

  artifacts:
    untracked: true
```

My next stage is build:

```yml
build:
  stage: build

  allow_failure: false

  dependencies:
    - decryption

  script:
    - rm -rf vendor/drupal/coder
    - composer install
    - ./vendor/bin/robo ci:build
    - ls -la vendor/drupal/coder
    - echo "$(cat ./keys/private.key)"
    - echo "$(cat ./keys/public.key)"

  artifacts:
    name: "mycompany_build_${CI_COMMIT_SHA}"   # variable syntax is ${VAR}, not {$VAR}
    expire_in: '1 week'
    paths:
      - ./build
```

When I echo the keys in the decryption stage, I can see the decrypted keys. But when I try to access the keys in the build stage as shown below, it shows the encrypted file. I just want to see whether I can access the decrypted files in the build stage, so that I can then pass these keys on for deployment. Clearly something is wrong with the pipeline.

```yml
    - echo "$(cat ./keys/private.key)"
    - echo "$(cat ./keys/public.key)"
```

Perhaps the way I write the pipeline needs to change so that the modified, untracked public.key and private.key are passed to the build stage, and possibly also to the deploy stage.

Can someone point me in the right direction? Do I have to change something in the artifacts? How can I achieve this? Thanks in advance.

1 answer:

Answer 0 (score: 0)

I don't know GitLab-ci very well, but I think you are not referencing the decrypted file correctly. In the decryption step you should save the decrypted value into a variable and then call it in the build step. The way you are doing it now references the file itself in the build step, and that file is not decrypted; you decrypt it in the decryption step and save the decrypted value for later use. I'm not sure this will work, but maybe you get the idea.

Decryption:

```yml
decryption:
  stage: decryption

  allow_failure: false

  before_script:
    - mkdir -p ~/.ssh
    - eval $(ssh-agent -s)
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

  script:
    - chmod 660 ./keys/vault_password.txt
    - echo $ANSIBLE_VAULT_PASSWORD > ./keys/vault_password.txt
    - chmod 660 ./keys/private.key
    - chmod 660 ./keys/public.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/private.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/public.key
    - echo "private_key_value=$(cat ./keys/private.key)"
    - echo "public_key_value=$(cat ./keys/public.key)"

  artifacts:
    untracked: true
```

And then the build step:

```yml
build:
  stage: build

  allow_failure: false

  dependencies:
    - decryption

  script:
    - rm -rf vendor/drupal/coder
    - composer install
    - ./vendor/bin/robo ci:build
    - ls -la vendor/drupal/coder
    - echo $private_key_value
    - echo $public_key_value

  artifacts:
    name: "mycompany_build_${CI_COMMIT_SHA}"   # variable syntax is ${VAR}, not {$VAR}
    expire_in: '1 week'
    paths:
      - ./build
```
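The reason the build job sees the encrypted file is that `artifacts:untracked: true` only collects files Git does not track; `keys/private.key` is a tracked file decrypted in place, so it is never uploaded, and a shell variable set in one job does not survive into another job either. The following is an added example, not code from the question or the answer: it shows the artifact block that would actually pass the decrypted files, with a check that does not print the key, and then the variant a security reviewer would prefer, which decrypts only inside the job that needs the key; job names and paths follow the question, while `.decrypt_keys` and the deploy host are placeholders.

```yaml
stages: [decryption, build, deploy]

# Option A: pass the decrypted files by path. artifacts:untracked only collects
# files Git does not track; a tracked file modified in place is skipped.
decryption:
  stage: decryption
  script:
    - echo "$ANSIBLE_VAULT_PASSWORD" > ./keys/vault_password.txt
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/private.key
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/public.key
    - rm -f ./keys/vault_password.txt        # never upload the vault password
  artifacts:
    paths:
      - keys/private.key
      - keys/public.key
    expire_in: 1 hour                        # plaintext key: keep retention short

build:
  stage: build
  dependencies:
    - decryption                             # download the decryption job's artifacts
  script:
    # Verify the key is decrypted without printing it: a vaulted file starts
    # with "$ANSIBLE_VAULT;" on its first line, so the job fails if that remains.
    - "! grep -q '^[$]ANSIBLE_VAULT' ./keys/private.key"
    - ./vendor/bin/robo ci:build

# Option B (preferred): decrypt inside the job that needs the key, so no
# plaintext key is ever stored as a downloadable artifact.
.decrypt_keys:                               # hidden template job (placeholder name)
  before_script:
    - echo "$ANSIBLE_VAULT_PASSWORD" > ./keys/vault_password.txt
    - ansible-vault decrypt --vault-password-file ./keys/vault_password.txt ./keys/private.key
    - rm -f ./keys/vault_password.txt
    - chmod 600 ./keys/private.key           # ssh rejects group/world-readable keys (660 fails)
  after_script:
    - rm -f ./keys/private.key               # remove the plaintext when the job ends

deploy:
  stage: deploy
  extends: .decrypt_keys
  script:
    - ssh -i ./keys/private.key deploy@deploy.example.invalid 'uptime'   # placeholder host
```

With either option, drop the `echo "$(cat ./keys/private.key)"` lines: the job log is readable by everyone who can view the pipeline, and GitLab's masked-variable feature does not redact file contents printed this way.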