I have Jenkinsfile that creates mt object and passes vaultToken to psl library:
Jenkinsfile:
#Library('shared-library#psl')
Maintenance mt = new Maintenance()
mt.setVaultToken(config.vaultToken)
mt.setApiUrl(config.apiUrl)
pslService.createMaintenance(mt)
pslService:
String createMaintenance(Maintenance mt){
dockerBuildHelper.getDockerImage(dockerBuildHelper.getWdBuildDockerImageName()).inside('-u root'){
String cmd = "curl -X POST '${mt.getApiUrl()}'" +
" -H 'Content-Type: application/json'" +
" -H 'Authorization: Api-Token ${mt.getVaultToken()}'" +
" -d ${mt.getPayload()} | jq -r '.id'"
return sh(script: cmd, returnStdout: true).trim()
}
}
But this prints curl command and exposes vault token in the pipeline.
Does anyone know how I can hide the sensitive info and/or entire curl command?
I do not want to store this in credentials store, unless I have no choice.
I heard I can use set +x. But I am not sure how to use it and if it helps. Any thoughts?
Try to use mask password plugin. Or create secrets in jenkins and call them in environment block of pipeline.
I went with set +x
String cmd = """set +x
curl -X POST '${mt.getApiUrl()}' -H 'Content-Type: application/json' -H 'Authorization: Api-Token ${mt.getVaultToken()}' -d ${mt.getPayload()} | jq -r '.id'
"""
return sh(script: cmd, returnStdout: true).trim()
Related
I have a Jenkins pipeline where this command works and send me a notification through google chat :
script {
sh 'curl -k "https://chat.googleapis.com/v1/spaces/AAAABHT3HT0/messages?key=*****&token=******" -d "#chat_notification.json" -XPOST -H "Content-Type: application/json; charset=UTF-8"'
}
But if I enter the url in a variable, that does not work any more :
script {
url = "https://chat.googleapis.com/v1/spaces/AAAAfF9CGEQ/messages?key=******&token=******"
sh 'curl -k ${url} -d "#chat_notification.json" -XPOST -H "Content-Type: application/json; charset=UTF-8"'
}
With the error :
curl -k -d #chat_notification.json -XPOST -H 'Content-Type: application/json; charset=UTF-8'
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
It's probably a quote issue ?
Yes, if you are using single quotes in Groovy, that means you cannot interpolate the string with variables using the $ syntax.
See https://groovy-lang.org/syntax.html#_string_interpolation .
Same thing applies to shell code, by the way, or sh in this case.
But since you are not using any shell variables in your code, simply swapping the quotes, i.e. quoting your Groovy string with ", and using ' within the curl command would probably work.
Yes it is a quote issue try to use "" instead of '' to use the value of url variable in curl command. You should also seperate -X and POST (you have -XPOST in your script)
script {
url = "https://chat.googleapis.com/v1/spaces/AAAAfF9CGEQ/messages?key=******&token=******"
sh "curl -k ${url} -d #chat_notification.json -X POST -H Content-Type: application/json; charset=UTF-8"
}
I have triggered a build in Jenkins after creating a new pull request in bitbucket.
I want to automatically decline the pull request right away when building fail in Jenkins.
How do I do it and how can I set up it.
Is it possible to use a shell script in your case?
Something like this:
#!/usr/bin/env bash
if test $1 -ne 0; then
curl https://api.bitbucket.org//2.0/repositories/{workspace}/{repo_slug}/pullrequests/{pull_request_id}/decline \
-u $3:$4 \
--request POST \
--header 'Content-Type: application/json' \
--data '{}'
fi
exit $1
Then, you can call the script as:
chmod +x decline-pull-request.sh
decline-pull-request.sh $(status) $(pullRequestId) $(bitbucketUsername) $(bitbucketPassword)
I try to launch a curl with json data in a jenkinsfile.
But I have strange issue with quote.
CUB_CONFIG = "1614874915062/v0001a0x_test.conf"
url = "https://..."
sh "curl $url -d {'iro': '${CUB_CONFIG}', 'src': '/app/data/'} -H 'Content-Type: application/json'"
It is interpreted like (and so do not work...) :
curl https://... -d '{iro:' 1614874915062/v0001a0x_test.conf, src: '/app/data/}' -H 'Content-Type: application/json'
How I should write these damn quote ??
{ and } have special meaning in shell scripts, so when a literal { or } character is desired they must be quoted or escaped.
Here is your correct sh call (I use """ so I don't need to use \" escapes):
sh """curl '$url' -d '{"iro": "${CUB_CONFIG}", "src": "/app/data/"}' -H 'Content-Type: application/json'"""
I have one shell script when i execute it showing only 64 tags from 300 tags docker hub.
Here is the below command which i'm executing in shell script through curl.
IMAGE_TAGS=$(curl -s -H "Authorization: JWT ${HUB_TOKEN} https://hub.docker.com/v2/repositories/$username/issues/tags/?page_size=300" | jq --raw-output '.results[] | .name')
Even after giving page_size also it is not showing my all tags
Note :- Tags using for Private Repositories
Please help me how can i solve it
Try API version 1 which help me to get all the tags
https://registry.hub.docker.com/v1/repositories/mysql/tags open in browser and you can modify it as per your need
Or have a look to Github https://gist.github.com/robv8r/fa66f5e0fdf001f425fe9facf2db6d49 This is exactly what you want
UPDATE
Add this in a shell script file
#!/usr/bin/env bash
docker-tags() {
arr=("$#")
for item in "${arr[#]}";
do
tokenUri="https://auth.docker.io/token"
data=("service=registry.docker.io" "scope=repository:$item:pull")
token="$(curl --silent --get --data-urlencode ${data[0]} --data-urlencode ${data[1]} $tokenUri | jq --raw-output '.token')"
listUri="https://registry-1.docker.io/v2/$item/tags/list"
authz="Authorization: Bearer $token"
result="$(curl --silent --get -H "Accept: application/json" -H "Authorization: Bearer $token" $listUri | jq --raw-output '.')"
echo $result
done
}
docker-tags "<YOUR_DOCKER_IMAGE_NAME>"
Replace <YOUR_DOCKER_IMAGE_NAME> with your docker image.
have a look to this for more info Listing the tags of a Docker image on a Docker hub through the HTTP API
What is a secure way to use credentials to make REST API calls from a Jenkinsfile?
For example, the following would not be secure because the username and password are exposed in code:
sh "curl -D- -u username:password -X GET -H 'Content-Type: application/json' http://<ip-of-server-with-rest-api>/path/to/api/endpoint"
You should use Credentials Binding Plugin
Here is an example:
withCredentials([usernamePassword(credentialsId: 'amazon',
usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
// available as an env variable, but will be masked if you try to print it
out any which way
// note: single quotes prevent Groovy interpolation; expansion is by
Bourne Shell, which is what you want
sh 'echo $PASSWORD'
// also available as a Groovy variable
echo USERNAME
// or inside double quotes for string interpolation
echo "username is $USERNAME"
sh "curl -D- -u $USERNAME:$PASSWORD -X GET -H 'Content-Type: application/json' http://<ip-of-server-with-rest-api>/path/to/api/endpoint"
}
Your credentials will be hidden in Console Output.