0

Is there an option to add further login-information to the git-login-process like a certificate? As far as I can see, just basic credentials are possible in the configuration.

Is there a chance to add some further config? Maybe with the azure-pipelines.yml?

gratinierer
  • May I know the status of this? Do the methods below help you? Feel free to comment if you still have any puzzle or question. – Mengdi Liang Feb 28 '20 at 08:46

2 Answers

1

In the Get source step of the build pipeline, SSL is the default option.

So, here are 2 methods you can consider.

Method 1:

1) Store the SSL certificate into Azure Key Vault.

2) Then connect this Azure Key Vault source into Variable group.

3) Involve this Variable group, including the Azure Key Vault.

For the above, there are detailed steps described in this blog. You can have a look.

Now, in Azure DevOps, we add one built-in step, the Azure Key Vault task, when you enable and link Azure Key Vault into the pipeline. Also, this built-in step is executed before the Get sources step. So, at this time, the certificate can be installed and used by Get sources correctly.

Method 2:

Another method is to configure one self-agent and run the commands below on your build machine:

git config --global http.sslBackend schannel

git config --global http.sslCAPath <the path/to/your/certificate.crt>
Mengdi Liang
  • Thanks for your quick reply. I tested method 1, but within my enterprise account there are some rights missing to authorize the usage: `Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription`. In Method 2, as far as I understand, I would either need a separate preconfigured VM or use an initial `azure-pipelines.yml` located e.g. within the pipeline's repo and then do the git pull from within the then started `vmImage: 'windows-2019'`-VM. Right? – gratinierer Mar 02 '20 at 11:50
  • @gratinierer. For your first issue, you may need to contact your admin to assign you the Owner role in the Azure Subscription (note, Owner is the role in Azure instead of Azure DevOps). For the second one, you do not need a VM; just a machine/PC on which you can install a [self-agent](https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser#install) is okay. – Mengdi Liang Mar 04 '20 at 03:25
  • @gratinierer, `vmImage: 'windows-2019'` is used for a YAML pipeline, and it is the schema that runs with the Hosted agent. As I said, here you could make use of a self agent. At this time, it can not be used. And you should replace that schema with `pool: {pool name}`. See this: https://learn.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=example%2Cparameter-schema#pool – Mengdi Liang Mar 04 '20 at 03:28
  • @Liang but also with pool: everything starts with a `yml`-file that must be placed in a repository. So the job must be able to access that repo in the very first step of the run of the job. In other words: in the second solution I can't place my `yml` file in the private repo, because it is not accessible by the job in a direct way configured in the azure devops frontend. Right? – gratinierer Mar 04 '20 at 08:50
0

Got it solved in the following way:

step 1

Created a template file for the clone-job:

parameters:
- name: RepoUrl
  type: string
- name: cloneIntoDir
  type: string
steps:
- task: DownloadSecureFile@1
  name: cainfo
  displayName: 'Download cainfo'
  inputs:
    secureFile: 'cainfo.cert'
- task: DownloadSecureFile@1
  name: cert
  displayName: 'Download cert.crt'
  inputs:
    secureFile: 'cert.crt'
- task: DownloadSecureFile@1
  name: keypem
  displayName: 'Download key.pem'
  inputs:
    secureFile: 'key.pem'
- script: mkdir ${{ parameters.cloneIntoDir }}
  displayName: creating directory ${{ parameters.cloneIntoDir }}    
- script: |
    cd ${{ parameters.cloneIntoDir }}
    git config --global http.sslCAInfo "$(cainfo.secureFilePath)"
    git config --global http.sslCert "$(cert.secureFilePath)"
    git config --global http.sslKey "$(keypem.secureFilePath)"
    git clone https://$(User):$(Password)@${{ parameters.RepoUrl }} .

This template does all the git-magic with files downloaded from the pipeline's library.

step 2

Used the template-file within the build-yml:

trigger: none

strategy:
  matrix:
    linux:
      imageName: 'ubuntu-latest'
    windows:
      imageName: 'windows-2019'

pool:
  vmImage: $(imageName)

variables:
- group: Credentials


steps:
- template: ../templates/clone-repo-template.yml
  parameters:
    RepoUrl: 'www.repos_url.com/project.git'
    cloneIntoDir: 'myRepoDir'

Important here: The variables-group for the credentials must be included in that file, although the credentials are only needed in the template (reason: variables can't be positioned within a step).

At that point it's done, the code from your repo is now in myRepoDir. You can extend the file in step 2 with your specific build-commands. But you can go one step further: Probably you want to have your build-yml integrated within your repo, and maybe the developers don't even have access to the azure-repo but should be able to edit the build-yml. For that:

step 3

Create another template:

parameters:
- name: RepoUrl 
  type: string
- name: copyScript
  type: string  

jobs:
- job: SyncRepos
  pool:
    vmImage: 'ubuntu-latest'
  variables:
   - name: remoteRepoDir
     value: 'DirectoryToCloneInto'
   - group: Credentials

  steps:
  - template: ../templates/clone-repo-template.yml
    parameters:
      RepoUrl: ${{ parameters.RepoUrl }}
      cloneIntoDir: $(remoteRepoDir)
  - script: 'git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" clone $(Build.Repository.Uri)'
    displayName: 'Clone Azure-Repo $(Build.Repository.Uri)'
  - script: |
        cd '$(Build.Repository.Name)'
        ${{ parameters.copyScript }}
    displayName: 'Copy file to directory $(Build.Repository.Name)'
  - script: |
        git config --global user.email "you@example.com"
        git config --global user.name "Your Name"
    displayName: 'Configure Git for commit'
  - script: |
        cd '$(Build.Repository.Name)'
        git add -A
        git commit -m "auto commit from azure sync"
        git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push
    displayName: 'push changes'

As you can see, this template also uses the template from step 1.

step 4

trigger: none

jobs:
- template: ../templates/sync-repo-files-template.yml
  parameters:
    copyScript: |
        cp -f ../$(remoteRepoDir)/azure-pipeline.yml .
    RepoUrl: 'www.repos_url.com/project.git'

Running that yml in a pipeline will clone your repo, clone the azure-repo, copy the azure-pipeline.yml-file from your repo to the azure repo, stash, commit and push.

You just have to assure that the Build Service-user also has the right to contribute to your repo.

In the end you can:

* Edit the azure pipeline-file in your private repo, commit + push
* Let the sync-pipeline from step 4 run
* After that the azure repo contains the updated pipeline-file
* You can run your build-job on the updated file

gratinierer
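
A hardened variant of the step 1 clone script, as an added example that is not part of the original answer: it keeps the TLS settings on the one git command instead of `--global` and supplies the password through `GIT_ASKPASS` instead of the clone URL. The environment variable names (`GIT_USER`, `GIT_PASSWORD`, `CAINFO_PATH`, `CERT_PATH`, `KEY_PATH`) are assumptions, to be mapped from the pipeline's variables and secure-file paths.

```shell
#!/usr/bin/env bash
# Added example, not the answer's code. GIT_USER, GIT_PASSWORD, CAINFO_PATH,
# CERT_PATH and KEY_PATH are assumed names set by the calling pipeline step.

# Write a GIT_ASKPASS helper that answers git's prompts from the environment,
# so the password is not part of the URL, the process list or .git/config.
make_askpass() {
    helper="$(mktemp "${AGENT_TEMPDIRECTORY:-${TMPDIR:-/tmp}}/askpass.XXXXXX")" || return 1
    cat > "$helper" <<'EOF'
#!/bin/sh
case "$1" in
    Username*) printf '%s\n' "$GIT_USER" ;;
    Password*) printf '%s\n' "$GIT_PASSWORD" ;;
esac
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# True when the URL's authority part carries userinfo (user:pass@host).
url_has_userinfo() {
    authority="${1#*://}"
    authority="${authority%%/*}"
    case "$authority" in *@*) return 0 ;; *) return 1 ;; esac
}

# Clone over HTTPS with a client certificate. `git -c` applies the TLS settings
# to this one command only; nothing is written to the agent's global config.
clone_with_client_cert() {
    repo_url="$1"; target_dir="$2"
    if url_has_userinfo "$repo_url"; then
        echo "refusing URL with embedded credentials" >&2
        return 2
    fi
    askpass="$(make_askpass)" || return 1
    chmod 600 "$KEY_PATH"   # private key readable by the build user only
    status=0
    GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 git \
        -c credential.helper= \
        -c http.sslCAInfo="$CAINFO_PATH" \
        -c http.sslCert="$CERT_PATH" \
        -c http.sslKey="$KEY_PATH" \
        clone "$repo_url" "$target_dir" || status=$?
    rm -f "$askpass"
    return "$status"
}

# Usage: ./clone.sh https://www.repos_url.com/project.git myRepoDir
if [ "$#" -eq 2 ]; then clone_with_client_cert "$1" "$2"; fi
```

In the pipeline the script would run from a `bash` step with those variables set in the step's `env:` mapping, since secret variables are not exported to scripts automatically.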