如何将变量从 hashportVault 转换为 Jenkinsfile 中的全局变量
我是 Jenkins 的新手,已经连续处理一个问题 3 天了,但无法解决,所以我希望有人可以提供帮助。
我正在尝试将一个秘密从 hashicorpVault 传递到詹金斯管道中,看起来我可以提取该秘密,但我无法在 withVault 语句的大括号之外使用它,有人可以为我指出正确的方向吗?将这个秘密转换为一个全局变量,然后我可以在管道内部使用它?
这是我的代码:
#!/usr/bin/env groovy
def projectProperties = [
[$class: 'BuildDiscarderProperty',strategy: [$class: 'LogRotator', numToKeepStr: '5']]
]
node{
withVault(configuration: [timeout: 60, vaultCredentialId: 'approle', vaultUrl: 'https://redacted.com'], vaultSecrets: [[path: '/secrets/kaniko', secretValues: [[vaultKey: 'key']]]])
{
sh 'echo $key' #Shows that the key has been pulled while running the pipeline
}
}
pipeline {
agent {
kubernetes {
cloud 'openshift'
idleMinutes 15
activeDeadlineSeconds 1800
yaml """
apiVersion: v1
kind: Pod
metadata:
name: kaniko
spec:
volumes:
- name: build-context
emptyDir: {}
- name: kaniko-secret
secret:
secretName: regcred-${NAMESPACE}
items:
- key: .dockerconfigjson
path: config.json
securityContext:
runAsUser: 0
serviceAccount: kaniko
initContainers:
- name: kaniko-init
image: ubuntu
containers:
- name: kaniko
image: gcr.io/kaniko-project/executor:latest
args: ["--context=git://${key}@github.com/redacted/dockerfiles.git#refs/heads/${BRANCH}",
"--destination=image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${IMAGE_NAME}:${IMAGE_TAG}",
"--dockerfile=/jenkins-slave-ansible/Dockerfile",
"--skip-tls-verify"]
resources:
limits:
cpu: 1
memory: 5Gi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- name: build-context
mountPath: /kaniko/build-context
- name: kaniko-secret
mountPath: /kaniko/.docker
restartPolicy: Never
"""
}
}
parameters {
choice(name: 'NAMESPACE', choices: ['engineering', 'ce-jenkins-testing'])
string(defaultValue: 'master', description: 'Please enter your branch name', name: 'BRANCH')
string(defaultValue: 'test', description: 'Please enter your image name (e.g.: jenkins-slave-ansible)', name: 'IMAGE_NAME')
string(defaultValue: 'latest', description: 'Please add your tag (e.g.: 1.72.29)', name: 'IMAGE_TAG')
}
etc..... more code below
我需要能够使用行内上方的密钥:
args: ["--context=git://${key}@github.com/redacted/dockerfiles.git#refs/heads/${BRANCH}"
提前致谢!
I am new to Jenkins and have been dealing with an issue for 3 days nonstop and cant figure it out, so I am hoping someone can help out.
I am trying to pass a secret from hashicorp vault into a jenkins pipeline and it looks like I can pull the secret but I can not use it outside of the curly brackets of the withVault statement, can someone point me in the right direction on how to turn this secret into a global variable that I can then use inside of the pipeline?
Here is my code:
#!/usr/bin/env groovy
def projectProperties = [
[$class: 'BuildDiscarderProperty',strategy: [$class: 'LogRotator', numToKeepStr: '5']]
]
node{
withVault(configuration: [timeout: 60, vaultCredentialId: 'approle', vaultUrl: 'https://redacted.com'], vaultSecrets: [[path: '/secrets/kaniko', secretValues: [[vaultKey: 'key']]]])
{
sh 'echo $key' #Shows that the key has been pulled while running the pipeline
}
}
pipeline {
agent {
kubernetes {
cloud 'openshift'
idleMinutes 15
activeDeadlineSeconds 1800
yaml """
apiVersion: v1
kind: Pod
metadata:
name: kaniko
spec:
volumes:
- name: build-context
emptyDir: {}
- name: kaniko-secret
secret:
secretName: regcred-${NAMESPACE}
items:
- key: .dockerconfigjson
path: config.json
securityContext:
runAsUser: 0
serviceAccount: kaniko
initContainers:
- name: kaniko-init
image: ubuntu
containers:
- name: kaniko
image: gcr.io/kaniko-project/executor:latest
args: ["--context=git://${key}@github.com/redacted/dockerfiles.git#refs/heads/${BRANCH}",
"--destination=image-registry.openshift-image-registry.svc:5000/${NAMESPACE}/${IMAGE_NAME}:${IMAGE_TAG}",
"--dockerfile=/jenkins-slave-ansible/Dockerfile",
"--skip-tls-verify"]
resources:
limits:
cpu: 1
memory: 5Gi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- name: build-context
mountPath: /kaniko/build-context
- name: kaniko-secret
mountPath: /kaniko/.docker
restartPolicy: Never
"""
}
}
parameters {
choice(name: 'NAMESPACE', choices: ['engineering', 'ce-jenkins-testing'])
string(defaultValue: 'master', description: 'Please enter your branch name', name: 'BRANCH')
string(defaultValue: 'test', description: 'Please enter your image name (e.g.: jenkins-slave-ansible)', name: 'IMAGE_NAME')
string(defaultValue: 'latest', description: 'Please add your tag (e.g.: 1.72.29)', name: 'IMAGE_TAG')
}
etc..... more code below
I need to be able to use the key from above inside of the line:
args: ["--context=git://${key}@github.com/redacted/dockerfiles.git#refs/heads/${BRANCH}"
Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可以将vaultKey绑定到环境变量
然后在需要使用它的地方引用env.KEY
You can bind the vaultKey to an environment variable
And then where you need to use it, reference env.KEY
您需要添加
envVar并将该值拉出 withVault() 范围,您可以对所有三个
key...使用相同的变量名称key变量you need add
envVarand pull this value outside of withVault() scopeyou can use the same variable name
keyfor all threekey...variables