mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-01-18 02:39:30 +00:00
ci: do not use Groovy string interpolation for credentials
Jenkins warns in the output of CI jobs about the following: Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [CREDS_PASSWD, CREDS_USER] See https://jenkins.io/redirect/groovy-string-interpolation for details. Variables with 'single quotes' and without the {curly brackets} are expected not to be affected. There is some indirection in the strings passed to the `sh` function, so this approach might not fix it? Signed-off-by: Niels de Vos <ndevos@redhat.com>
parent
b4fcd2b585
commit
aca3745e24
@ -8,9 +8,27 @@ def git_since = 'ci/centos'
|
|||||||
def base = ''
|
def base = ''
|
||||||
def doc_change = 0
|
def doc_change = 0
|
||||||
// private, internal container image repository
|
// private, internal container image repository
|
||||||
def cached_image = 'registry-ceph-csi.apps.ocp.ci.centos.org/ceph-csi'
|
def ci_registry = 'registry-ceph-csi.apps.ocp.ci.centos.org'
|
||||||
|
def cached_image = 'ceph-csi'
|
||||||
def use_pulled_image = 'USE_PULLED_IMAGE=yes'
|
def use_pulled_image = 'USE_PULLED_IMAGE=yes'
|
||||||
|
|
||||||
|
def ssh(cmd) {
|
||||||
|
sh "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} '${cmd}'"
|
||||||
|
}
|
||||||
|
|
||||||
|
def podman_login(registry, username, passwd) {
|
||||||
|
ssh "podman login --authfile=~/.podman-auth.json --username=${username} --password='${passwd}' ${registry}"
|
||||||
|
}
|
||||||
|
|
||||||
|
// podman_pull pulls image from the source (CI internal) registry, and tags it
|
||||||
|
// as unqualified image name and into the destination registry. This prevents
|
||||||
|
// pulling from the destination registry.
|
||||||
|
//
|
||||||
|
// Images need to be pre-pushed into the source registry, though.
|
||||||
|
def podman_pull(source, destination, image) {
|
||||||
|
ssh "podman pull --authfile=~/.podman-auth.json ${source}/${image} && podman tag ${source}/${image} ${image} ${destination}/${image}"
|
||||||
|
}
|
||||||
|
|
||||||
node('cico-workspace') {
|
node('cico-workspace') {
|
||||||
stage('checkout ci repository') {
|
stage('checkout ci repository') {
|
||||||
if (params.ghprbPullId != null) {
|
if (params.ghprbPullId != null) {
|
||||||
@ -67,7 +85,7 @@ node('cico-workspace') {
|
|||||||
base = "--base=${ghprbTargetBranch}"
|
base = "--base=${ghprbTargetBranch}"
|
||||||
}
|
}
|
||||||
sh 'scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ./prepare.sh root@${CICO_NODE}:'
|
sh 'scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ./prepare.sh root@${CICO_NODE}:'
|
||||||
sh "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} ./prepare.sh --workdir=/opt/build/go/src/github.com/ceph/ceph-csi --gitrepo=${ci_git_repo} --ref=${ref} ${base}"
|
ssh "./prepare.sh --workdir=/opt/build/go/src/github.com/ceph/ceph-csi --gitrepo=${ci_git_repo} --ref=${ref} ${base}"
|
||||||
}
|
}
|
||||||
|
|
||||||
// - check if the PR modifies the container image files
|
// - check if the PR modifies the container image files
|
||||||
@ -84,11 +102,12 @@ node('cico-workspace') {
|
|||||||
}
|
}
|
||||||
|
|
||||||
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
||||||
sh "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} 'podman pull --creds=${CREDS_USER}:${CREDS_PASSWD} ${cached_image}:test'"
|
podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
|
||||||
}
|
}
|
||||||
|
podman_pull(ci_registry, ci_registry, "${cached_image}:test")
|
||||||
}
|
}
|
||||||
stage('test') {
|
stage('test') {
|
||||||
sh "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} 'cd /opt/build/go/src/github.com/ceph/ceph-csi && make ENV_CSI_IMAGE_NAME=${cached_image} ${use_pulled_image}'"
|
ssh "cd /opt/build/go/src/github.com/ceph/ceph-csi && make ENV_CSI_IMAGE_NAME=${cached_image} ${use_pulled_image}"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
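Review bot: The new `podman_login` helper still puts the registry password on a command line, and the nested quoting looks broken. `ssh()` wraps the command in `'${cmd}'` while the helper adds its own `--password='${passwd}'`, so the inner quotes close the outer ones: `$CREDS_PASSWD` is expanded unquoted by the local shell, whereas `$CREDS_USER` stays quoted and is expanded on the remote node, where `withCredentials` has presumably not exported it. The secret then shows up in the argument list of `ssh` on the worker and of `podman` on `${CICO_NODE}`, and shell metacharacters in it would be interpreted by the remote shell. Consider passing it over stdin from a Groovy single-quoted `sh` string instead, along the lines of `printf %s "$CREDS_PASSWD" | ssh … podman login --username="$CREDS_USER" --password-stdin <registry>`. The same `podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')` call form appears in the five later file sections, and because the helper hard-codes `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, the credential is sent to a host whose key is never verified.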
|
@ -102,7 +102,7 @@ node('cico-workspace') {
|
|||||||
returnStatus: true)
|
returnStatus: true)
|
||||||
|
|
||||||
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
||||||
podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
|
podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
|
||||||
}
|
}
|
||||||
|
|
||||||
parallel test: {
|
parallel test: {
|
||||||
|
@ -120,7 +120,7 @@ node('cico-workspace') {
|
|||||||
def d_io_regex = ~"^docker.io/"
|
def d_io_regex = ~"^docker.io/"
|
||||||
|
|
||||||
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
||||||
podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
|
podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
|
||||||
}
|
}
|
||||||
|
|
||||||
// base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
|
// base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
|
||||||
|
@ -122,7 +122,7 @@ node('cico-workspace') {
|
|||||||
def d_io_regex = ~"^docker.io/"
|
def d_io_regex = ~"^docker.io/"
|
||||||
|
|
||||||
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
||||||
podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
|
podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
|
||||||
}
|
}
|
||||||
|
|
||||||
// base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
|
// base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
|
||||||
|
@ -119,7 +119,7 @@ node('cico-workspace') {
|
|||||||
def d_io_regex = ~"^docker.io/"
|
def d_io_regex = ~"^docker.io/"
|
||||||
|
|
||||||
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
||||||
podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
|
podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
|
||||||
}
|
}
|
||||||
|
|
||||||
// base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
|
// base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
|
||||||
|
@ -119,7 +119,7 @@ node('cico-workspace') {
|
|||||||
def d_io_regex = ~"^docker.io/"
|
def d_io_regex = ~"^docker.io/"
|
||||||
|
|
||||||
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
|
||||||
podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
|
podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
|
||||||
}
|
}
|
||||||
|
|
||||||
// base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
|
// base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
|
||||||
|