Docker in Jenkins and private modules

Question

I'm looking for a way to securely clone private npm modules from a proxy repository inside a Docker container that is spun up by a Jenkins that runs on Ubuntu. The Docker image will be thrown away, but it is supposed to compile the project and run the unit tests.

The Jenkinsfile used for the build looks, simplified, like this:

node('master') {
    stage('Checkout from version control') {
      checkout scm
    }
    stage('Build within Docker') {
        docker.build("intermediate-image", ".")
    }
}

The Dockerfile at the moment:

FROM node:10-alpine
COPY package.json package-lock.json .npmrc ./    
RUN npm ci && \
    rm -f .npmrc 
COPY . .
RUN npm run build && \
    npm run test

The .npmrc file (anonymized):

@domain:registry=https://npm.domain.com/
//npm.domain.com/:_authToken=abcdefg

The problem is that the COPY command creates a layer with the .npmrc file. Should I build outside of my own Jenkins server, the layer would be cached by the build provider.

• Building manually, I could specify the token as a docker environment variable. Is there a way to set the environment variable on Ubuntu and have Jenkins pass it through to Docker?
• (Maybe) I could inject environment variables into Jenkins and then into the pipeline? The user claims that the plugin is not fully compatible with the pipeline plugin though.
• Should I use the fact that Docker and Jenkins run on the same machine and mount something into the container?

Or do I worry too much, considering that the image will not be published and the Jenkins is private too?

What I want to achieve is that a build can use an arbitrary node version that is independent of that of the build server's.

Answer 1

I have decided that, because the docker host is the same (virtual) machine as the Jenkins host, it is no problem if I bake the .npmrc file into a docker layer.

Anyone with access to the Docker host can, currently, steal the local .npmrc token anyway.

Furthermore, the group that has access to our private npm modules is a complete subgroup of people with access to the source control repository. Therefore, exposing the npm token to the build machine, Jenkins, Docker intermediate image, Docker image layer and/or repository poses no additional authentication problems as of now. Revoking access should then go hand in hand with rotating the npmrc token (so that removed developers do not use the build token), but that is a small attack surface, in any case waay smaller than people copying the code to a hard drive.

We will have to re-evaluate our options should this setup change. Hopefully, we will find a solution then, but it is not worth the trouble now. One possible solution could be requesting the token from a different docker container with the sole purpose of answering these (local) calls.