release
release is a keyword in JiHu GitLab CI/CD used to publish a release; its typical usage is as follows:
release_job:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - echo "running release_job"
  release:
    tag_name: '$CI_COMMIT_TAG'
    description: '$CI_COMMIT_TAG'
The whole process is carried out by the release-cli tool.
Recently, while exploring the CI/CD Component and CI/CD Catalog features, I also used the release keyword to publish a component to the Catalog.
create-release:
  stage: deploy
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  script: echo "Creating release $CI_COMMIT_TAG"
  rules:
    - if: $CI_COMMIT_TAG
  release:
    tag_name: $CI_COMMIT_TAG
    description: "Release $CI_COMMIT_TAG of components in $CI_PROJECT_PATH"
Because HTTPS on the self-managed JiHu GitLab instance used for testing was configured with a self-signed certificate, the job fails with an x509 "certificate not trusted" error:
$ release-cli create --description "Release 2.0.0 of components in jh-gitlab/cicd-component" --tag-name "2.0.0"
time="2024-02-04T06:38:08Z" level=info msg="Creating Release..." cli=release-cli command=create name= project-id=1 ref=e8786a8fd333280dbfe480417237f97d6f6a7182 server-url="https://jhma.jihulab.net" tag-message= tag-name=2.0.0 version=0.16.0
time="2024-02-04T06:38:09Z" level=fatal msg="run app" cli=release-cli error="failed to create release: failed to do request: Post \"https://jhma.jihulab.net/api/v4/projects/1/releases\": tls: failed to verify certificate: x509: certificate signed by unknown authority" version=0.16.0
The message is: tls: failed to verify certificate: x509: certificate signed by unknown authority.
There are two ways to solve this problem.
Method one: set the --insecure-https parameter
The usage of release-cli is as follows:
$ release-cli -h
NAME:
   release-cli - A CLI tool that interacts with GitLab's Releases API

USAGE:
   help [global options] command [command options] [arguments...]

VERSION:
   0.16.0

DESCRIPTION:
   CLI tool that interacts with GitLab's Releases API https://docs.gitlab.com/ee/api/releases/.
   All configuration flags will default to GitLab's CI predefined environment variables (https://docs.gitlab.com/ee/ci/variables/predefined_variables.html).
   To override these values, use the [GLOBAL OPTIONS].
   Get started with release-cli https://gitlab.com/gitlab-org/release-cli.

AUTHOR:
   GitLab Inc. <support@gitlab.com>

COMMANDS:
   create            Create a Release using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/#create-a-release
   create-from-file  Create a Release using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/#create-a-release
   get               Get a Release by tag name using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/index.html#get-a-release-by-a-tag-name
   update            Update a release using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/#update-a-release
   help, h           Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --server-url value                The base URL of the GitLab instance, including protocol and port, for example https://gitlab.example.com:8080 (default: "https://jhma.jihulab.net") [$CI_SERVER_URL]
   --job-token value                 Job token used for authenticating with the GitLab Releases API (default: ) [$CI_JOB_TOKEN]
   --project-id value                The current project's unique ID; used by GitLab CI internally (default: "1") [$CI_PROJECT_ID]
   --timeout value                   HTTP client's timeout in Go's duration format https://golang.org/pkg/time/#ParseDuration (default: 30s) [$RELEASE_CLI_TIMEOUT]
   --private-token value             Private token used for authenticating with the GitLab Releases API, requires api scope https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html, overrides job-token (default: ) [$GITLAB_PRIVATE_TOKEN]
   --additional-ca-cert-bundle value Configure a custom SSL CA certificate authority, can be a path to file or the content of the certificate [$ADDITIONAL_CA_CERT_BUNDLE]
   --insecure-https                  Set to true if you want to skip the client verifying the server's certificate chain and host name (default: false) [$INSECURE_HTTPS]
   --debug                           Set to true if you want extra debug output when running release-cli (default: false) [$DEBUG]
   --help, -h                        Show help (default: false)
   --version, -v                     Print the version (default: false)

/ # release-cli create -h
NAME:
   help create - Create a Release using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/#create-a-release

USAGE:
   help create [command options] [arguments...]

OPTIONS:
   --tag-name value     (required) The tag the release will be created from (default: "1.0.0") [$CI_COMMIT_TAG]
   --name value         The release name
   --description value  The description of the release; you can use Markdown. A file can be used to read the description contents, must exist inside the working directory; if it contains any whitespace, it will be treated as a string
   --tag-message value  Message to use if creating a new annotated tag
   --ref value          If tag_name doesn't exist, the release will be created from ref; it can be a commit SHA, another tag name, or a branch name (default: "8b4838090bb46bf40ed77027feae074a47e6a132") [$CI_COMMIT_SHA]
   --assets-link value  JSON string representation of an asset link; (e.g. --assets-link='{"name": "Asset1", "url":"https://<domain>/some/location/1", "type": "other", "filepath": "xzy" }' or --assets-link='[{"name": "Asset1", "url":"https://example.com/some/location/1"}, {"name": "Asset2", "url":"https://example.com/some/location/2"}]' (accepts multiple inputs)
   --milestone value    List of the titles of each milestone the release is associated with (e.g. --milestone "v1.0" --milestone "v1.0-rc)"; each milestone needs to exist (accepts multiple inputs)
   --released-at value  The date when the release will be/was ready; defaults to the current time; expected in ISO 8601 format (2019-03-15T08:00:00Z)
   --help, -h           Show help (default: false)
Among the options is --insecure-https, described as "Set to true if you want to skip the client verifying the server's certificate chain and host name (default: false) [$INSECURE_HTTPS]". In other words, to make the client skip verification of the server's certificate, set this parameter to true; it defaults to false, so certificate verification is performed by default.
So the --insecure-https parameter can be passed in the CI/CD pipeline:
create-release:
  stage: deploy
  image:
    name: registry.gitlab.com/gitlab-org/release-cli:latest
  script:
    - release-cli --insecure-https=true create --name "Release $CI_COMMIT_TAG" --description "Release $CI_COMMIT_TAG of components in $CI_PROJECT_PATH" --tag-name "$CI_COMMIT_TAG"
  tags:
    - jh
  rules:
    - if: $CI_COMMIT_TAG =~ /\d+/
Trigger the CI/CD pipeline again and the build succeeds.
Method two: configure the certificate
release-cli also has a certificate-related parameter, --additional-ca-cert-bundle, described as "Configure a custom SSL CA certificate authority, can be a path to file or the content of the certificate [$ADDITIONAL_CA_CERT_BUNDLE]". In other words, the path to the CA certificate that signed the server's certificate (or the certificate content itself) can be specified directly.
The CI/CD pipeline then becomes:
create-release:
  stage: deploy
  image:
    name: registry.gitlab.com/gitlab-org/release-cli:latest
  script:
    - release-cli --additional-ca-cert-bundle="path/to/certificate" create --name "Release $CI_COMMIT_TAG" --description "Release $CI_COMMIT_TAG of components in $CI_PROJECT_PATH" --tag-name "$CI_COMMIT_TAG"
  tags:
    - jh
  rules:
    - if: $CI_COMMIT_TAG =~ /\d+/
Trigger the CI/CD pipeline again and the build succeeds.
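As an added example (not from the original post or from the release-cli project), the script below reproduces the failure and the fix offline with a constructed private CA: checking the server certificate with no private CA available gives the same "unknown authority" outcome that the Go TLS client inside release-cli reports, while checking it against the CA bundle succeeds. It also shows a small helper that turns whatever $ADDITIONAL_CA_CERT_BUNDLE holds (a file path or the PEM text itself, both of which the flag's description allows) into a checked file and the matching flag. The host name gitlab.example.internal, the temporary file names and the function names are assumptions; openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post or the release-cli project.
# Reproduces the "certificate signed by unknown authority" outcome with a
# constructed private CA, then shows that trusting that CA bundle (what
# --additional-ca-cert-bundle / $ADDITIONAL_CA_CERT_BUNDLE does) fixes it.
# Assumptions: openssl on PATH; the host name gitlab.example.internal and
# every file name below are made up for the demonstration.
set -u

WORK="$(mktemp -d)"
CA_PEM="$WORK/internal-ca.pem"       # the private CA the GitLab server cert chains to
SRV_PEM="$WORK/gitlab-server.pem"    # the server certificate signed by that CA

# Build the constructed chain: a self-signed CA plus a server cert it issued.
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$CA_PEM" \
    -subj "/CN=Constructed Internal CA" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=gitlab.example.internal" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$WORK/srv.csr" \
    -CA "$CA_PEM" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$SRV_PEM" >/dev/null 2>&1
}

# Check the server cert with no private CA available, which is the situation
# release-cli's TLS client is in by default: the issuer is unknown.
verify_without_bundle() {
  if openssl verify -no-CAfile -no-CApath "$SRV_PEM" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Check the same cert with the CA bundle supplied explicitly.
verify_with_bundle() {
  if openssl verify -CAfile "$CA_PEM" "$SRV_PEM" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# The flag accepts either a file path or the PEM text itself (for example a
# CI/CD variable holding the certificate). Normalise to a file and make sure
# it really parses as a certificate before it reaches release-cli.
bundle_to_file() {
  value="$1"
  if [ -f "$value" ]; then
    out="$value"
  else
    out="$WORK/ca-bundle-from-variable.pem"
    printf '%s\n' "$value" > "$out"
  fi
  grep -q -- '-----BEGIN CERTIFICATE-----' "$out" || return 1
  openssl x509 -in "$out" -noout >/dev/null 2>&1 || return 1
  echo "$out"
}

# The argument to add to the release-cli call; no --insecure-https needed.
release_cli_flag() {
  bundle="$(bundle_to_file "$1")" || return 1
  echo "--additional-ca-cert-bundle=$bundle"
}

make_test_chain || { echo "could not build the constructed chain" >&2; exit 1; }
echo "no private CA available : $(verify_without_bundle)"   # untrusted
echo "with private CA bundle  : $(verify_with_bundle)"      # trusted
echo "flag from a path        : $(release_cli_flag "$CA_PEM")"
echo "flag from PEM content   : $(release_cli_flag "$(cat "$CA_PEM")")"
```

The contrast with method one is the point: by its own description, --insecure-https=true skips both the certificate-chain and the host-name check, so the job token sent with the request would be accepted by whatever answers at the server URL. Method two keeps verification on and only adds the private CA to the trust set, which is why it is the one to carry beyond a test instance.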
Both approaches resolve the trust problem caused by a self-signed certificate. For a production environment, however, a certificate purchased from a public CA is recommended, so that the problem does not arise in the first place.
For more best practices on JiHu GitLab and DevOps, search for and follow the 极狐GitLab WeChat official account.