From b2ee54ed66cfacc9f3ae472720c82c48485c45e4 Mon Sep 17 00:00:00 2001
From: andytson-inviqa
Date: Tue, 14 Mar 2023 10:20:34 +0000
Subject: [PATCH] Support ssh private key Jenkins credentials for chart publish (#747)

---
 src/_base/application/overlay/Jenkinsfile.twig | 9 +++++++--
 src/_base/harness/attributes/common.yml | 6 ++++--
 src/_base/harness/config/pipeline.yml | 10 ++++++----
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/_base/application/overlay/Jenkinsfile.twig b/src/_base/application/overlay/Jenkinsfile.twig
index 4f4518b1b..87669f265 100644
--- a/src/_base/application/overlay/Jenkinsfile.twig
+++ b/src/_base/application/overlay/Jenkinsfile.twig
@@ -67,11 +67,16 @@ pipeline {
 {% endif %}
 {% if bool(@('pipeline.publish.enabled')) %}
 stage('Publish') {
-{% if @('pipeline.publish.environment') %}
+{% set env = @('pipeline.publish.environment') %}
+{% set ssh_credential_id = @('pipeline.publish.chart.git.ssh_credential_id') %}
+{% if env or ssh_credential_id %}
 environment {
-{% for key, value in @('pipeline.publish.environment') %}
+{% for key, value in env %}
 {{ key }} = {{ value }}
 {% endfor %}
+{% if ssh_credential_id %}
+ WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY = credentials('{{ ssh_credential_id }}')
+{% endif %}
 }
 {% endif %}
 when {
diff --git a/src/_base/harness/attributes/common.yml b/src/_base/harness/attributes/common.yml
index b8a8b4779..dfadbdb14 100644
--- a/src/_base/harness/attributes/common.yml
+++ b/src/_base/harness/attributes/common.yml
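Review bot: The new `WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY = credentials('{{ ssh_credential_id }}')` line carries no comment about the contract it creates: as the `ssh -i "$WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY"` use in pipeline.yml shows, the bound value is expected to be the path of a key file, and the variable name is shared between this template and `app publish chart`, so neither side can rename it independently. A twig comment above `{% if ssh_credential_id %}`, e.g. `{# Jenkins binds the 'SSH Username with private key' credential to a temp key file and sets this variable to its path; 'app publish chart' passes it to ssh -i #}`, would make that cross-file dependency visible without rendering into the Jenkinsfile. The id is also interpolated into a Groovy single-quoted literal; unless the template engine escapes it, an id containing a quote would break the generated Jenkinsfile, so a cheap validation of the attribute (or escaping in the template) is worth adding. The enclosing `stage('Publish')` block continues past the end of the hunk.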
@@ -44,14 +44,16 @@ attributes.default:
 # * is deprecated and will be limited to one branch by default in a future release
 branches:
 - '*'
- # For defining environment variables in Jenkins, e.g. loading up docker username/password from a Jenkins
- # credential
+ # For defining environment variables in Jenkins
 environment: {}
 # when enabled the application helm chart will be published
 # to the given git repository.
 chart:
 enabled: false
 git:
+ # A SSH Username with private key Jenkins credential id.
+ # Preferred over ssh_private_key to store credentials local development doesn't need
+ ssh_credential_id: ~
 # private key with write access to the repository
 ssh_private_key: = @('pipeline.publish.chart.git.key')
 # eg. git@github.com:organisation/project.git
diff --git a/src/_base/harness/config/pipeline.yml b/src/_base/harness/config/pipeline.yml
index 8a93ce4b1..8f4118a3a 100644
--- a/src/_base/harness/config/pipeline.yml
+++ b/src/_base/harness/config/pipeline.yml
@@ -60,10 +60,13 @@ command('app publish chart '):
 #!bash(workspace:/)|@
 run rm -rf build-artifacts-repository
- echo "${SSH_PRIVATE_KEY}" | base64 -d > id_rsa
- chmod 0600 id_rsa
- export GIT_SSH_COMMAND='ssh -i ./id_rsa -o "IdentitiesOnly yes" -F /dev/null -o StrictHostKeyChecking=no'
+ if [ -n "${SSH_PRIVATE_KEY:-}" ]; then
+ WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY="$(pwd)/id_ssh"
+ (umask 0077 && echo "${SSH_PRIVATE_KEY}" | base64 -d > "${WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY}")
+ fi
+
+ export GIT_SSH_COMMAND='ssh -i '"$(printf '%q' "$WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY")"' -o "IdentitiesOnly yes" -F /dev/null -o StrictHostKeyChecking=no'
 run git clone "$REPOSITORY" ./build-artifacts-repository
 run git -C ./build-artifacts-repository config user.name "${GIT_USER_NAME}"
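Review bot: The comment on the new `ssh_credential_id` attribute does not say what happens when both it and `ssh_private_key` are configured; from the pipeline.yml hunk in this patch the inline key appears to win, because a non-empty `SSH_PRIVATE_KEY` overwrites the credential's key path (assuming `SSH_PRIVATE_KEY` is fed from `ssh_private_key`, which is outside the hunk). A third comment line such as `# If ssh_private_key is also set, it takes precedence over this credential` would save the next reader a trip across files — confirm the precedence against pipeline.yml before adding it. The first comment line also reads better as `# An 'SSH Username with private key' Jenkins credential id.`, quoting the Jenkins credential kind so it is not mistaken for a username attribute.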
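Review bot: The rewritten `export GIT_SSH_COMMAND=...` line uses `$WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY` unconditionally, but nothing in the hunk guarantees it is set: it is only assigned here when `SSH_PRIVATE_KEY` is non-empty and otherwise has to arrive from the Jenkins `credentials()` binding, so a job with neither configured runs `ssh -i ''` and fails inside `git clone` with an unhelpful message (or on the expansion itself if the script runs under `set -u`). A guard before the export, `[ -n "${WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY:-}" ] || { echo "no SSH key configured: set pipeline.publish.chart.git.ssh_credential_id or ssh_private_key" >&2; exit 1; }`, fails fast with an actionable error. Creating the decoded key under `umask 0077` is an improvement, but `$(pwd)/id_ssh` is left in the workspace after the command finishes; a `trap 'rm -f "$WS_APP_PUBLISH_CHART_SSH_PRIVATE_KEY"' EXIT` inside the `if` block (after the assignment, so it never touches the Jenkins-provided file) would remove it when the script exits. The line also keeps `-o StrictHostKeyChecking=no` from the old version, which accepts any host key for the publish target; `-o StrictHostKeyChecking=accept-new` or a pinned `known_hosts` via `-o UserKnownHostsFile` keeps first-use convenience without silently accepting a changed key.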
@@ -72,7 +75,6 @@ command('app publish chart '):
 run mkdir -p $ARTIFACTS_PATH
 run rsync --exclude='*.twig' --exclude='_twig' --delete -a .my127ws/helm/app/ "${ARTIFACTS_PATH}/"
- export GIT_SSH_COMMAND='ssh -i ../id_rsa -o "IdentitiesOnly yes" -F /dev/null -o StrictHostKeyChecking=no'
 run git -C ./build-artifacts-repository add .
 run "git -C ./build-artifacts-repository commit --allow-empty -m '${MESSAGE}'"
 run git -C ./build-artifacts-repository push origin -u HEAD