jenkins 证书是否需要在YAML文件中缩进才能正确读入?

y4ekin9u  于 2023-02-11  发布在  Jenkins
关注(0)|答案(2)|浏览(198)

我目前有一个Jenkins管道构建一个应用程序,但是我遇到了一个问题,将服务器密钥(cert)注入到YAML文件中。服务器密钥已经添加到Jenkins上的凭据管理器中,我正在通过一个变量(withCredentials)拉取它。拉取它不是问题,简单地注入它,这样它就可以被服务器读取了。
作为参考,YAML文件如下所示:

edge:
  [...]
  certificates:
    ingress:
      name: certs
      key: |
        ------BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      [...]

而证书看起来像(是的,一个里面有很多):

-----BEGIN CERTIFICATE-----
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
-----END CERTIFICATE-----

我的Python脚本

import yaml
import os

with open("file.yaml") as f:
  y = yaml.load(f)
  y["edge"]["certificates"]["ingress"]["key"] = os.getenv("KEY_CERT")

with open("file.yaml", "w") as f:
  yaml.dump(y, f)

我通过shell执行它,如下所示:

python -c 'exec """\nimport yaml\nimport os\n\nwith open("file.yaml") as f:\n  y = yaml.load(f)\n  y["edge"]["certificates"]["ingress"]["key"] = os.getenv("KEY_CERT")\n\nwith open("file.yaml", "w") as f:\n  yaml.dump(y, f)\n"""'

服务器记录:边缘:10808:无法从/etc/proxy/tls/sidecar/ca. crt加载可信CA证书
它在服务器上的外观:

-----BEGIN CERTIFICATE-----         TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT         -----END CERTIFICATE-----         -----BEGIN CERTIFICATE-----         TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT         -----END CERTIFICATE-----         -----BEGIN CERTIFICATE-----         TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT         -----END CERTIFICATE-----         -----BEGIN CERTIFICATE-----         TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT         -----END CERTIFICATE-----         -----BEGIN CERTIFICATE-----         TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT         -----END CERTIFICATE-----         -----BEGIN CERTIFICATE-----         TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT
TEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXTTEXT         -----END CERTIFICATE-----

所以这真的有关系吗?我该怎么去解决它...
(or如果还有其他方法可以将证书注入到YAML文件中,那就太好了!)
最初,它都是硬编码的,但当然出于安全考虑,在生产环境中不能硬编码。
我访问过一些其他的StackOverflow响应,但是没有一个提到注入遵循常规YAML文件中所示的传统格式的证书。
我希望服务器能够接收证书。

3bygqnnd

3bygqnnd1#

不幸的是,我不知道这个问题的解决方案,一个解决方案是简单地运行一些shell命令来生成证书并通过该方法注入它们。
不能真正扩展其他细节,因为它是特定于整个项目(它如何与RH和其他组件交互)。

vnzz0bqm

vnzz0bqm2#

没有证书不需要缩进。它们只需要从YAML文档中加载,加载的程序可以使用它们。如果必须是多行字符串的形式,你可以选择在YAML中使用带引号的标量。它可以把所有东西放在一条线上(其中\n用于换行。另一个选项是使用文字标量(仅在块样式中可用),如示例所示,这样的标量需要缩进。
如果您只需要一个标量(字符串)作为文本样式标量,我建议您使用ruamel.yaml和它的LiteralScalarString来设置值,然后转储。

相关问题