how to use a secure variable in git materials url?


Michael Godeck

May 29, 2014, 5:02:24 PM
to go...@googlegroups.com
I can see how to declare a secure variable, but don't see how to reference it in the materials declaration dialog, for a git repository.

Say I declare a secure variable called "git_secure_password"

I was guessing that the git URL would be https://myusername:${go.git_secure_password}@mygithost.com/my_repo

Is that the correct way of referencing a Go environment variable?  ${variable_name}

Thanks

srinivas upadhya

May 31, 2014, 2:24:18 AM
to Michael Godeck, go...@googlegroups.com
You cannot use secure environment variables in your materials. They are to be used during task execution only. We support dynamic data (substitution) in config through "Parameters" but we do not yet support secure parameters.

Right now we do not support encryption of password in URL field in config. We would like to, sometime soon. One approach could be to have separate user & password fields (apart from URL field) in Git & Hg (like SVN, Perforce & TFS) and make password a secure field. If you want to contribute we would be happy to help.

Options:
Create a read only user on the repo & specify those credentials in Go.
Use ssh keys. But this will require that you add the key into "server" & all "agent" machines individually.



Carl Reid

Sep 2, 2016, 8:08:02 AM
to go-cd, mgo...@gmail.com
This post is a couple of years old but I wanted to check that this was still the case. From a security perspective having plain text passwords exposed in a url does not comply with our company policy and therefore we need to find an alternative.
I have looked in the release notes but cannot see any enhancements for this and there is an open issue on GitHub so I assume it's still not implemented: https://github.com/gocd/gocd/issues/1696

Also I cannot see much in the way of documentation on setting up GIT using SSH keys - can you provide any guidance or links on how to do this?

Thanks

Carl
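
An added example, not part of the thread and not GoCD's own code: because a password placed in a material URL sits in the server config as plain text, this script audits a config for git/hg materials whose URL embeds a password and redacts the secret in its report. The sample config, host names and credentials are constructed, and the element layout is assumed to follow GoCD's cruise-config.xml.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the shape of a GoCD cruise-config.xml; hosts,
# pipeline names and credentials are made up for this example.
SAMPLE_CONFIG = """\
<cruise>
  <pipelines group="demo">
    <pipeline name="web">
      <materials>
        <git url="https://builduser:s3cret@git.example.com/web.git" />
      </materials>
    </pipeline>
    <pipeline name="api">
      <materials>
        <git url="git@git.example.com:team/api.git" />
        <hg url="https://builduser@hg.example.com/api" />
      </materials>
    </pipeline>
  </pipelines>
</cruise>
"""

def find_embedded_passwords(config_xml):
    """Return (pipeline, material type, redacted URL) for each git/hg material
    whose URL carries a password in its userinfo part."""
    findings = []
    root = ET.fromstring(config_xml)
    for pipeline in root.iter("pipeline"):
        for material in pipeline.iterfind("materials/*"):
            if material.tag not in ("git", "hg"):
                continue
            parts = urlsplit(material.get("url", ""))
            # scp-style URLs (git@host:path) parse with no scheme and no password
            if parts.scheme and parts.password:
                # Rebuild the URL without the secret so the report is safe to share
                host = parts.hostname + (f":{parts.port}" if parts.port else "")
                redacted = parts._replace(
                    netloc=f"{parts.username}:***@{host}").geturl()
                findings.append((pipeline.get("name"), material.tag, redacted))
    return findings

if __name__ == "__main__":
    for name, kind, url in find_embedded_passwords(SAMPLE_CONFIG):
        print(f"{name}: {kind} material stores a password in its URL: {url}")
```
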

Moritz Lenz

Sep 5, 2016, 3:52:54 AM
to go-cd, mgo...@gmail.com
Hi,


On Friday, 2 September 2016 14:08:02 UTC+2, Carl Reid wrote:
> This post is a couple of years old but I wanted to check that this was still the case. From a security perspective having plain text passwords exposed in a url does not comply with our company policy and therefore we need to find an alternative.
> I have looked in the release notes but cannot see any enhancements for this and there is an open issue on GitHub so I assume it's still not implemented: https://github.com/gocd/gocd/issues/1696
>
> Also I cannot see much in the way of documentation on setting up GIT using SSH keys - can you provide any guidance or links on how to do this?


There's not much to it.

Go uses the command line git client as system user 'go', so if you give that user a private (passwordless) SSH key, say in ~go/.ssh/id-rsa, you can use that to authenticate for SSH-based URLs.

Note that this needs to happen both on the server (for update checks) and on the agent machines (for cloning the repos).

Cheers,
Moritz

Carl Reid

Sep 5, 2016, 12:58:16 PM
to go-cd, mgo...@gmail.com
Thanks for responding.

The agent machines we are using are Windows based and the service runs as LOCAL SYSTEM.  The repo is in GitHub and I have set up the SSH key for the user.

I understand that the system should look for a file called  into a directory called ".ssh" under the user profile however this does not appear to be working.

I have created the following directory path (GO is a 32-bit process and therefore the System32 folder is redirected to SysWow64)

C:\Windows\SysWOW64\config\systemprofile\.ssh


And I have copied the SSH private key to a file called id_rsa under that path however the error is

Failed to run git clone command STDERR: Cloning into '/var/lib/go-server/pipelines/flyweight/89e2db45-bbf0-483d-a7c9-af9e7ebf615d'... STDERR: ssh: connect to host github.com port 22: Connection refused STDERR: fatal: Could not read from remote repository. STDERR: STDERR: Please make sure you have the correct access rights STDERR: and the repository exists.


Is there a way of telling the GO git client where to find the private key file in Windows? Do I have the incorrect location specified?

Thanks

Carl