Jenkins podTemplate 禁用默认回显

Jenkins podTemplate disbale default echo

我正在 运行在 Kubernetes 中设置我的 jenkins 以根据需求创建动态从 pod。

每个文件都使用来自 jenkins 的一些凭据。

现在的问题是,当我 运行 在 sh 脚本中执行某些命令时:“”然后在 UI 的日志视图选项中可以看到凭据。

如下截图。

我的 Jenkinsfile 如下所示

podTemplate(
    containers: [
        containerTemplate(name: 'helm', alwaysPullImage: true, image: 'k8s-helm:v3.4.2', command: 'cat',
            ttyEnabled: true)
    ],
    imagePullSecrets: ['registry-credentials']) {
  properties([parameters(
      [string(name: 'dockerImageTag', description: 'Docker image tag to deploy'),
       string(name: 'branchName', defaultValue: 'dev', description: 'Branch being deployed'),
       string(name: 'targetBranch', defaultValue: 'dev', description: 'Target branch against which if a PR is being raised')])])

  currentBuild.description = "branch ${params.branchName}"
  node(POD_LABEL) {

    container('helm') {
      withCredentials([[$class       : 'FileBinding',
                        credentialsId: 'sling-test-kubeconfig',
                        variable     : 'KUBECONFIG'],
                       [$class       : 'StringBinding',
                        credentialsId: 'sd-charts-github-api-token',
                        variable     : 'API_TOKEN']]) {
        stage('Add Helm repository') {
          sh script: "helm repo add stable 'https://charts.helm.sh/stable'",
              label: 'Add stable helm repo'
          sh script: 'helm repo list', label: 'List available helm repos'
        }
        withCredentials([[$class       : 'StringBinding',
                          credentialsId: 'test-env-postgres-password',
                          variable     : 'POSTGRES_PASSWORD'],
                         [$class       : 'StringBinding',
                          credentialsId: 'test-env-rabbitmq-password',
                          variable     : 'RABBITMQ_PASSWORD']]) {

          stage('Deploy') {
            echo "Deploying docker release -> myhost.com/8023/sling/scheduler:${params.dockerImageTag}"
            sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'
          }
        }
      }
    }
  }
}

这个文件有一些凭据(即 RABBITMQ_PASSWORD、POSTGRES_PASSWORD 等......还有很多)我不想在 UI 日志中显示,基本上我不想显示位于

的整个命令
sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'

我得到了一些 但这也不起作用。

谁能帮我解决这个问题。

为避免将您的凭据泄漏到输出中,您需要在 shell 步骤方法的 shell 解释器中解析它们,而不是在 Jenkins 管道中。由于 withCredentials 临时分配给环境变量,这可以通过不在 Groovy:

内插值来实现
sh script: 'scheduler charts/scheduler ' + // literal string
           '--set appConfig.postgres.password=${POSTGRES_PASSWORD},' + // no Groovy interpolation
           "image.tag=${params.dockerImageTag}," + // Groovy interpolation
           'appConfig.rabbitmq.password=${RABBITMQ_PASSWORD},' + // no Groovy interpolation
           "deployment.annotations.buildNumber=${currentBuild.number} " +  // Groovy interpolation
           '--wait', // literal string
           label: 'Install helm release'

这将准确地将字符串 put 参数插入并连接到 shell 步骤方法,并且不会在 Jenkins 管道输出中暴露您的凭据。