10

I am trying to load a Jenkins pipeline script from SCM. I have to build a docker image and push it to GCR. In the docker image, I need to install private git repositories. Here, I am trying to get the git username and password from Jenkins input. But I'm not sure how I can use it in the Dockerfile to pull the git repo. These are my Jenkinsfile and Dockerfile in SCM. Any suggestions?

Jenkinsfile :

node {
    def app

    stage('Clone repository') {
        checkout scm

        def COMMITHASH = sh(returnStdout: true, script: "git log -n 1 --pretty=format:'%h'").trim()
        echo ("Commit hash: "+COMMITHASH.substring(0,7))
    }

    stage('Build image') {

        timeout(time: 600, unit: 'SECONDS') {
            gitUser = input(
                id: 'gitUser',
                message: 'Please enter git credentials :',
                parameters: [
                    [$class: 'TextParameterDefinition', defaultValue: "", description: 'Git user name', name: 'username'],
                    [$class: 'PasswordParameterDefinition', defaultValue: "", description: 'Git password', name: 'password']
                ])
        }

        /* Build docker image */
        println('Build image stage');
        app = docker.build("testBuild")

    }

    stage('Push image') {
        /* Push image to GCR */

        docker.withRegistry('https://us.gcr.io', 'gcr:***') {
            app.push("${env.BUILD_NUMBER}")
            app.push("latest")
        }
    }
}

Dockerfile :

# use a ubuntu 16.04 base image
FROM ubuntu:16.04

MAINTAINER "someuser@company.com"

# Set environment variables
ENV DEBIAN_FRONTEND noninteractive
ENV LC_ALL C.UTF-8

# Upgrade the system
RUN apt-get update && apt-get -y upgrade && apt-get install -y python-software-properties software-properties-common

# Install cert bot and apache
RUN apt-get install -y apache2

#Enable apache modules
RUN a2enmod ssl 
RUN a2enmod headers
RUN a2enmod rewrite

# Create directory for web application
RUN mkdir -p /var/www/myApp


# Expose ssl port
EXPOSE 443

I want to install my private bitbucket repository in /var/www/myApp. Also, I want to avoid ssh authentication.

Nitesh
  • I would recommend using credential IDs, which is safer. You can get your user and password from the credentialsID like here: https://www.tikalk.com/devops/how-to-mask-credentials-in-jenkins/ After that I would recommend building your image with --build-arg and using your username/passwd there. That will be easy but not fully secure. To be fully secure you have to create docker secrets from the credentials and use the secrets to build your image. But I have to admit I don't know if that's possible already. – lvthillo Jan 05 '18 at 08:35
  • Why do you want to checkout the git repository in your web application folder? Shouldn't the web application be a Docker image as well? If you consider that your private bitbucket repository was in its own image, you could use a multistage docker build to accomplish the goal. https://docs.docker.com/develop/develop-images/multistage-build/#before-multi-stage-builds . – andrew May 07 '18 at 14:11

2 Answers

3

Do you have the requirement to always prompt for the credentials? If not, you could store them in the Jenkins credential store and retrieve them via withCredentials step from the Jenkins Credentials Binding plugin. That way they are hidden in the logs if you do the build within the closure.

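withCredentials([usernamePassword(
  credentialsId: 'privateGitCredentials',
  usernameVariable: 'USERNAME',
  passwordVariable: 'PASSWORD'
)]) {
  // Single quotes: the shell, not Groovy, expands $USERNAME and $PASSWORD,
  // so the secret values are never interpolated into the script text itself.
  sh 'docker build --build-arg username=$USERNAME --build-arg password=$PASSWORD -t <your tag> .'
}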
Christopher
2

You should pass your git username and password as environment variables during docker build and then call these variables inside Dockerfile.

Example Dockerfile -

FROM test
ARG username
ARG password
RUN git clone https://${username}:${password}@github.com/private-repo-name.git

Build command:

docker build --build-arg username=$git_username --build-arg password=$git_password -t <your tag> .
sai
  • Thanks for the reply. I considered this scenario. The problem with this is that Jenkins outputs the `git clone` command in the logs during the build process. So the username and password for git are being exposed in the Jenkins log, which I want to avoid because other developers have access to Jenkins. – Nitesh Oct 05 '18 at 04:29
  • https://stackoverflow.com/questions/33621242/why-is-arg-in-a-dockerfile-not-recommended-for-passing-secrets – sai Oct 13 '18 at 03:34
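
The exposure discussed in the comments above (a password passed as a build arg and expanded in a `RUN git clone` line) can be caught before a build ever runs. This is an added example, not code from the thread: a small Python linter that flags credential-like `ARG` names, the `RUN` lines that expand them, and URLs with embedded credentials. The name patterns, rule labels and sample Dockerfile are assumptions constructed here.

```python
import re

# Assumption: name fragments that suggest a credential; tune for your own builds.
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|cred", re.I)
# scheme://user:password@host style URLs, including ${var} placeholders.
URL_USERINFO = re.compile(r"[a-z][a-z0-9+.-]*://[^\s/@:]+:[^\s/@]+@", re.I)

# Constructed sample, modelled on the Dockerfile in the answer above.
SAMPLE = """\
FROM test
ARG username
ARG password
RUN git clone https://${username}:${password}@github.com/private-repo-name.git
"""

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else n
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf = ""

def lint_dockerfile(text):
    """Return (line, rule, detail) findings for credential-bearing build args."""
    findings, secret_args = [], set()
    for n, instr in logical_lines(text):
        op, _, rest = instr.partition(" ")
        op = op.upper()
        if op == "FROM":
            secret_args.clear()  # ARGs are scoped to the stage that declares them
        elif op == "ARG":
            name = rest.split("=", 1)[0].strip()
            if SECRET_NAME.search(name):
                secret_args.add(name)
                findings.append((n, "secret-arg", name))
        elif op == "RUN":
            for name in sorted(secret_args):
                if re.search(r"\$\{?" + re.escape(name) + r"\b", rest):
                    findings.append((n, "secret-arg-in-run", name))
            if URL_USERINFO.search(rest):
                findings.append((n, "credentials-in-url", "user:password@ in URL"))
    return findings
```

Calling `lint_dockerfile(SAMPLE)` returns the three findings for the sample; a non-empty result can be used to fail a pipeline stage before `docker build` runs.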