I am running my Jenkins in Kubernetes to create dynamic slave pods on request.

Each file uses some credentials from Jenkins.

The problem now is that when I run some commands in sh script:"", the credentials are visible in the log view option of the UI.

As shown in the image below.

My Jenkinsfile looks like this:

podTemplate(
    containers: [
        containerTemplate(name: 'helm', alwaysPullImage: true, image: 'k8s-helm:v3.4.2', command: 'cat',
            ttyEnabled: true)
    ],
    imagePullSecrets: ['registry-credentials']) {
  properties([parameters(
      [string(name: 'dockerImageTag', description: 'Docker image tag to deploy'),
       string(name: 'branchName', defaultValue: 'dev', description: 'Branch being deployed'),
       string(name: 'targetBranch', defaultValue: 'dev', description: 'Target branch against which if a PR is being raised')])])

  currentBuild.description = "branch ${params.branchName}"
  node(POD_LABEL) {

    container('helm') {
      withCredentials([[$class       : 'FileBinding',
                        credentialsId: 'sling-test-kubeconfig',
                        variable     : 'KUBECONFIG'],
                       [$class       : 'StringBinding',
                        credentialsId: 'sd-charts-github-api-token',
                        variable     : 'API_TOKEN']]) {
        stage('Add Helm repository') {
          sh script: "helm repo add stable 'https://charts.helm.sh/stable'",
              label: 'Add stable helm repo'
          sh script: 'helm repo list', label: 'List available helm repos'
        }
        withCredentials([[$class       : 'StringBinding',
                          credentialsId: 'test-env-postgres-password',
                          variable     : 'POSTGRES_PASSWORD'],
                         [$class       : 'StringBinding',
                          credentialsId: 'test-env-rabbitmq-password',
                          variable     : 'RABBITMQ_PASSWORD']]) {

          stage('Deploy') {
            echo "Deploying docker release -> myhost.com/8023/sling/scheduler:${params.dockerImageTag}"
            sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'
          }
        }
      }
    }
  }
}

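This file has some credentials (i.e. RABBITMQ_PASSWORD, POSTGRES_PASSWORD, etc. ... and many more) that I don't want to show in the UI logs. Basically, I don't want to show the values in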

sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'

I found some references, but they didn't work either.

Can someone help me solve this problem?

1 Answer

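To avoid leaking credentials into the output, you need to resolve them within the shell interpreter of the shell step method rather than within Jenkins Pipeline. Since withCredentials temporarily assigns them to environment variables, this can be achieved by not interpolating them in Groovy: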

sh script: 'scheduler charts/scheduler ' + // literal string
           '--set appConfig.postgres.password=${POSTGRES_PASSWORD},' + // no Groovy interpolation
           "image.tag=${params.dockerImageTag}," + // Groovy interpolation
           'appConfig.rabbitmq.password=${RABBITMQ_PASSWORD},' + // no Groovy interpolation
           "deployment.annotations.buildNumber=${currentBuild.number} " +  // Groovy interpolation
           '--wait', // literal string
           label: 'Install helm release'

This will accurately interpolate the string argument and concatenate it for the shell step method, and will not expose your credentials in the Jenkins Pipeline output.

Answered 2021-01-27T14:08:02.823
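A small lint for the mistake this answer corrects, added here as an example (it is not code from the original post or from Jenkins): it collects the variable names bound by withCredentials and flags any that Groovy would interpolate inside a double-quoted string. The function name, the simplified single-line string lexer and the constructed sample fragments (adapted from the Jenkinsfile in the question) are assumptions; triple-quoted strings are not handled.

```python
import re

# Names bound by withCredentials, e.g.  variable : 'POSTGRES_PASSWORD'
BINDING_RE = re.compile(r"""variable\s*:\s*['"]([A-Za-z_]\w*)['"]""")
# One single-line Groovy string literal. Group 1 is set only for double-quoted
# (interpolating) strings, so quotes nested in a single-quoted string are ignored.
SINGLE = r"'(?:[^'\\\n]|\\.)*'"
DOUBLE = r'"((?:[^"\\\n]|\\.)*)"'
STRING_RE = re.compile(SINGLE + "|" + DOUBLE)

def find_interpolated_secrets(text):
    """Return [(line_number, variable)] for each bound credential that Groovy
    expands inside a double-quoted string instead of leaving it to the shell."""
    secrets = sorted(set(BINDING_RE.findall(text)))
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in STRING_RE.finditer(line):
            body = m.group(1)
            if body is None:  # single-quoted: ${NAME} reaches the shell untouched
                continue
            for name in secrets:
                # ${NAME}, ${env.NAME} or $NAME, unless the dollar is escaped (\$)
                pat = r"(?<!\\)\$(?:\{\s*(?:env\.)?%s\s*\}|%s\b)" % (name, name)
                if re.search(pat, body):
                    findings.append((lineno, name))
    return findings

# Constructed samples: the Deploy step as asked (interpolated) and as answered.
BINDINGS = r'''withCredentials([[$class: 'StringBinding', credentialsId: 'test-env-postgres-password',
                  variable: 'POSTGRES_PASSWORD'],
                 [$class: 'StringBinding', credentialsId: 'test-env-rabbitmq-password',
                  variable: 'RABBITMQ_PASSWORD']]) {
'''
INTERPOLATED = BINDINGS + r'''  sh script: "scheduler charts/scheduler " +
      "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
      "image.tag=${params.dockerImageTag}," +
      "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD} " +
      "--wait"
}'''
SHELL_EXPANDED = BINDINGS + r'''  sh script: 'scheduler charts/scheduler ' +
      '--set appConfig.postgres.password=${POSTGRES_PASSWORD},' +
      "image.tag=${params.dockerImageTag}," +
      'appConfig.rabbitmq.password=${RABBITMQ_PASSWORD} ' +
      '--wait'
}'''

if __name__ == "__main__":
    for label, text in (("interpolated", INTERPOLATED), ("shell-expanded", SHELL_EXPANDED)):
        print(label, find_interpolated_secrets(text))
```

Non-secret values such as `${params.dockerImageTag}` are not flagged, because only names that appear as a `variable:` binding are checked.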