SpringBoot项目的CI配置 # 安全变量

Posted 三度

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了SpringBoot项目的CI配置 # 安全变量相关的知识,希望对你有一定的参考价值。

安全变量

GitLab CI/CD的安全变量有两种,群组安全变量和项目安全变量,群组安全变量可作用于当前群组下所有项目以及子群组项目,递归继承;项目安全变量只作用当前项目。

实际项目配置的群组变量有:CI_REGISTRY(本地Docker Registry的地址),项目变量有:CI_REGISTRY_IMAGE(项目构建的docker镜像名称)

# Dockerfile

FROM java:8-jre

ADD target/discovery-server-1.0.0.jar app.jar

RUN bash -c ‘touch /app.jar‘

EXPOSE 10030

ENTRYPOINT ["java", "-Djava.security.edg=file:/dev/./urandom", "-Duser.timezone=Asia/Shanghai", "-Xmx128m", "-Xms64m", "-jar", "/app.jar"]
 
        Copied!
    

# .gitlab-ci.yml

.gitlab-ci.yml文件可以使用的变量除了手动配置的安全变量外,默认还可以使用预定义变量(详情见GitLab CI/CD Variables

)。

示例:

image: docker:latest

services:
  - name: docker:dind
    command: ["--insecure-registry=172.17.0.1:5000"]    # 将本地Docker Registry私服设置为insecure,避免registry默认需要https才能访问

stages:
  - package
  - build
  - deploy
  
maven-package:
  image: maven:3.5-jdk-8-alpine
  tags:
    - maven
  stage: package
  script:
    - mvn clean install -Dmaven.test.skip=true
  artifacts:
    paths:
      - target/*.jar    # 将maven构建成功的jar包作为构建产出导出,可在下一个stage的任务中使用

build-master:
  tags:
    - docker
  stage: build
  script:
    - docker build --pull -t "$CI_REGISTRY/$CI_REGISTRY_IMAGE" .
    - docker push "$CI_REGISTRY/$CI_REGISTRY_IMAGE"
  only:
    - master

build:
  tags:
    - docker
  stage: build
  script:
    - docker build --pull -t "$CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
    - docker push "$CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
  except:
    - master
 
        Copied!
    

# Runner容器的配置

将maven构建runner容器使用的maven仓库使用数据卷方式进行共享,解决容器每次构建时都要重新下载依赖的问题。具体方法为使用 docker exec -it gitlab-runner /bin/bash 进入gitlab-runner容器,编辑 /etc/gitlab-runner/config.toml 文件,在maven构建runner下的volumes加上 /root/.m2 本地仓库的数据卷映射关系。

docker构建runner的privileged设置为true,以root用户身份进入容器进行构建任务,避免了由于权限不足无法访问/var/run/docker.sock的问题。

concurrent = 6
check_interval = 0

[[runners]]
  name = "public docker runner"
  url = "http://172.17.0.1:800/"
  token = "5223e807ba2c42b18e2aadeceb0e0b"
  executor = "docker"
  [runners.docker]
    registry_mirrors = ["https://ub9x5g6o.mirror.aliyuncs.com/"]
    extra_hosts = ["git.yupaits.com:172.17.0.1"]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]

[[runners]]
  name = "public maven runner"
  url = "http://172.17.0.1:800/"
  token = "b97734914a435c7f3409bea71e122a"
  executor = "docker"
  [runners.docker]
    extra_hosts = ["git.yupaits.com:172.17.0.1"]
    tls_verify = false
    image = "maven:3.5-jdk-8-alpine"
    privileged = true
    disable_cache = false
    volumes = ["/cache", "/home/maven/.m2:/root/.m2"]
    pull_policy = "if-not-present"
    shm_size = 0
  [runners.cache]

[[runners]]
  name = "public node runner"
  url = "http://172.17.0.1:800/"
  token = "e0dea1b0cb42a8d2e1df94ee442b82"
  executor = "docker"
  [runners.docker]
    extra_hosts = ["git.yupaits.com:172.17.0.1"]
    tls_verify = false
    image = "node:8-alpine"
    privileged = true
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]

[[runners]]
  name = "public ssh runner"
  url = "http://172.17.0.1:800/"
  token = "266dc28d04f012a5ead3987c1f004e"
  executor = "ssh"
  [runners.ssh]
    user = "root"
    password = "password"
    host = "172.17.0.1"
    port = "22"
    identity_file = "/root/.ssh/id_rsa"
  [runners.cache]

以上是关于SpringBoot项目的CI配置 # 安全变量的主要内容,如果未能解决你的问题,请参考以下文章

Java网络商城项目 SpringBoot+SpringCloud+Vue 网络商城(SSM前后端分离项目)八(文件的上传FastDFS和校验)(Nginx的请求前缀配置,在发布项目的时候要注意)(代

基于springboot实现快递代取管理系统

自动化 CI 的安全问题

社区公愤!Travis CI 漏洞致数千个开源项目机密泄露

springboot学习总结外部配置(命令行参数配置常规属性配置类型安全的配置之基于properties)

SpringBoot项目配置明文密码泄露问题处理