我有一个 Jenkins 管道,它使用凭据来验证来自网站的
GET
请求。我想防止敏感的环境变量被 Groovy 字符串插值泄露。
按照 Jenkins 用户手册的建议,
Jenkinsfile
将是:
pipeline {
agent any
environment {
EXAMPLE_CREDS = credentials('example-credentials-id')
}
stages {
stage('Example') {
steps {
sh('curl -u $EXAMPLE_CREDS_USR:$EXAMPLE_CREDS_PSW https://example.com/')
}
}
}
}
这适用于 URL 固定的情况,但我希望我的 URL 包含变量(请参阅下面代码片段中的
${EXTENSION}
)。
environment {
EXAMPLE_CREDS = credentials('example-credentials-id')
EXTENSION = 'url/extended/'
}
stages {
stage('Example') {
steps {
sh('curl -u $EXAMPLE_CREDS_USR:$EXAMPLE_CREDS_PSW https://example.com/${EXTENSION}')
}
}
问题是 Groovy 解释器在运行时不会将
${EXTENSION}
替换为 url/extended/
。 Jenkins 日志中的输出是:
+ curl -u ****:**** https://example.com/${EXTENSION}
我尝试用 withCredentials 块替换凭据环境变量,并将命令周围的撇号替换为引号,
environment {
EXTENSION = 'url/extended/'
}
stages {
stage('Example') {
withCredentials([usernamePassword(credentialsId: "example-credentials-id", passwordVariable: "EXAMPLE_CREDS_PSW ", usernameVariable: "EXAMPLE_CREDS_USR")]) {
steps {
sh("curl -u $EXAMPLE_CREDS_USR:$EXAMPLE_CREDS_PSW https://example.com/${EXTENSION}")
}
}
功能正常,但报告以下警告:
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [EXAMPLE_CREDS_USR, EXAMPLE_CREDS_PSW, example-credentials-id]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ curl -u ****:**** https://example.com/url/extended/
我的工作是编写一个 Jenkins 调用的 SH 脚本。 Jenkins 会将凭据作为输入参数传递,脚本将处理变量替换。
environment {
EXAMPLE_CREDS = credentials('example-credentials-id')
}
stages {
stage('Example') {
steps {
sh('bash script.sh $EXAMPLE_CREDS_USR $EXAMPLE_CREDS_PSW')
}
}
是否有可能在 Jenkins 中继续完成这一壮举,还是外包是唯一的解决方案?
请参阅 Stephan Wright 发布的问题。解决方案涉及使用引号并在凭据之前转义
$
。两种可能的解决方案是
environment {
EXAMPLE_CREDS = credentials('example-credentials-id')
EXTENSION = 'url/extended/'
}
stages {
stage('Example') {
steps {
sh("curl -u \$EXAMPLE_CREDS_USR:\$EXAMPLE_CREDS_PSW https://example.com/${EXTENSION}")
}
}
或
environment {
EXTENSION = 'url/extended/'
}
stages {
stage('Example') {
withCredentials([usernamePassword(credentialsId: "example-credentials-id", passwordVariable: "EXAMPLE_CREDS_PSW ", usernameVariable: "EXAMPLE_CREDS_USR")]) {
steps {
sh("curl -u \$EXAMPLE_CREDS_USR:\$EXAMPLE_CREDS_PSW https://example.com/${EXTENSION}")
}
}
我的偏好是第一个解决方案,有利于保持“更平坦”的管道。