jbauer opened 2 years ago
I'd recommend checking out via SSH in this case, as git

The simplest is to define a common build user with its own private key, with minimum permission to the system, and configure this private key as a secret in some root project so that all child projects can inherit it. You may configure authorized branches of the private key secret so that only certain branches can access it. Or you can define a different build user for each project tree if a common user is way too permissive.
Robin Shen changed state to 'Closed' 2 years ago
jbauer changed state to 'Open' 2 years ago
Sorry for the late reply. Using a common build user does not seem to work. I have done the following:

1.) Created user buildbot with code read permissions on all projects
2.) Added an ECDSA public key to buildbot and added the corresponding private key as a job secret to a top level project (so all other projects inherit it)
3.) Defined a job with a checkout step and used SSH + the created SSH private key job secret for the buildbot user

Now when running the job there is the following output: Error:

1.) The job secret used for the SSH private key is always treated as an RSA key (job tries to load

Not sure how to continue. I am already thinking about a custom Docker image that does the git checkout into the workspace. However I will probably run into the same issue if using some of the
Please upgrade to 6.3.23 to see if it solves the issue. |
6.3.23 seems to work. Only the known hosts warning is shown. But am I right that I have to use an RSA key? Or can elliptic curve based keys be used as well for the checkout step?
The ECDSA key will also work. The known hosts warning is not a problem, as it only means that the ssh client cannot find the host key by IP address. OneDev only populates the host key by host name, which is enough.
Ok, verified that ECDSA also works. However I am still having an issue during the build with accessing git tags. The build needs to set up some env variables containing information obtained from git, so in my OneDev build I need to retrieve git tags. I have defined a second step of type

Seems like the credentials are not set up correctly in the second build step?
This is now fixed in build #2428.
Robin Shen changed state to 'Closed' 2 years ago
Just updated OneDev and indeed it works now. Thanks!

Type: Question
Priority: Normal
Assignee:
I have a OneDev installation in Docker and a reverse proxy pointing to OneDev. The reverse proxy provides SSL using a self signed CA development certificate. This development CA is trusted on developer hosts and thus the server certificate for the reverse proxy is trusted as well.
When I define a build with a checkout step there is a section Clone Credentials containing Default, HTTP(S), SSH. When using Default the checkout fails with

Can I somehow configure the Default checkout to trust the self signed CA certificate so that the server HTTPS cert is considered valid? As a last resort an option to tell git to not verify the SSL cert might be needed. However I would prefer to be able to trust a self signed cert instead of simply ignoring it.

When I choose HTTP(S) I have to define a build secret containing an access token, and choosing SSH asks for a build secret containing a private key. Given that HTTPS generally does not work for now because of the self signed CA, I would choose SSH for the time being. Which private key should I choose then? What is the best practice? Should I create a new "build" user account which has that private key configured and has access to that (or all) project(s)? When I define an SSH key then all developers who can trigger builds basically act as a different account and maybe gain access to that private key and may use it to gain access to repositories they should not access? Not quite sure how to configure it in a secure manner.
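The three security points raised in this thread (trusting a private CA instead of turning off TLS verification, giving the dedicated build user a key that only works against one pinned host, and reusing the same credentials in a later step that runs `git fetch --tags`) can be expressed directly in git configuration when a job runs plain git in a command step. The script below is an added example written for this page; it is not OneDev's own checkout code and does not use OneDev's clone-credential mechanism. The server name git.example.internal, the paths /run/secrets/ci-ca.pem and /run/secrets/buildbot_ed25519, and the host key line passed to write_known_hosts are assumed placeholders that do not appear in the thread; the real host key line must be obtained from the server administrator out of band, never from the first connection.

```sh
#!/bin/sh
# Added example (not OneDev's own code): git settings for a build job that
# reaches the server through a reverse proxy with a private CA, plus a
# dedicated build user's SSH key pinned to one host name.
# Assumed names, not from the thread: git.example.internal,
# /run/secrets/ci-ca.pem, /run/secrets/buildbot_ed25519.
set -eu

# Trust the private CA for this server URL only. Verification stays on;
# http.sslVerify=false would disable certificate checks for every remote
# and let anything on the path between runner and proxy serve a fake repo.
write_https_config() {
    cfg=$1; url=$2; ca=$3
    printf '[http "%s"]\n    sslCAInfo = %s\n    sslVerify = true\n' "$url" "$ca" > "$cfg"
}

# Materialize the job secret as a key file only the build user can read.
install_private_key() {
    key=$1; secret=$2
    umask 077
    printf '%s\n' "$secret" > "$key"
}

# Pin the server's host key by host name (known_hosts format: "host type key").
write_known_hosts() {
    kh=$1; host=$2; hostkey_line=$3
    printf '%s %s\n' "$host" "$hostkey_line" > "$kh"
}

# Bind git to exactly one identity and one known_hosts file. IdentitiesOnly
# stops ssh from offering other keys on the runner; StrictHostKeyChecking=yes
# refuses unknown hosts instead of asking; CheckHostIP=no stops ssh from also
# looking the key up by IP address, which is what prints the "known hosts"
# warning when only the host name entry exists.
write_ssh_config() {
    cfg=$1; key=$2; kh=$3
    printf '[core]\n    sshCommand = ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -o CheckHostIP=no\n' "$key" "$kh" >> "$cfg"
}

# Returns 0 only if the config never switches certificate or host key checks off.
config_is_strict() {
    cfg=$1
    if grep -Eiq 'sslVerify *= *false' "$cfg"; then return 1; fi
    if grep -Eiq 'StrictHostKeyChecking=(no|off)' "$cfg"; then return 1; fi
    return 0
}

# Env line a later step sources so `git fetch --tags` uses the same
# credentials as the checkout. GIT_CONFIG_GLOBAL needs git 2.32 or newer.
env_for_later_steps() {
    cfg=$1
    printf 'export GIT_CONFIG_GLOBAL=%s\n' "$cfg"
}
```

In a job, call write_https_config or install_private_key + write_known_hosts + write_ssh_config once in the first step, run config_is_strict as a guard before any clone, and source the output of env_for_later_steps in every later step that runs git. Read access for the build user should still be limited on the server side; the config above only ensures the job cannot be redirected to a different server or a different key.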