2

JHipster now uses the maven-jib-plugin. Before that, my Jenkins server running in a docker-container was able to build a docker image with the *.war-file and push it to my own docker-registry with a pipeline using a 'Jenkinsfile' (for gradle, but I switched to Maven now), and after job completion another job pulled the newly built docker-image into a new docker-container on my server by executing shell scripts on the remote host using ssh.

The stages for this task were:

    def dockerImage
    stage('build docker') {
        sh "cp -Rvvv src/main/docker build/"
        sh "cp -vvv build/libs/*.war build/docker/"
        dockerImage = docker.build("$IMAGE_NAME:$IMAGE_TAG", "build/docker")
    }

    stage('publish docker') {
        docker.withRegistry("$REGISTRY_URL", "$REGISTRY_USER") {
            dockerImage.push "$IMAGE_TAG"
        }
    }

    stage('Remove Unused docker image') {
        sh "docker rmi $IMAGE_NAME:$IMAGE_TAG"
    }

Now, as far as I can understand, with jib making it easier and the relevant section in the Jenkinsfile produced with `$ jhipster ci-cd`, it comes down to:

    def dockerImage
    stage('publish docker') {
        sh "./mvnw -ntp jib:build -Dimage=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG  -Djib.to.auth.username=$REGISTRY_USER"
    }

Unfortunately, jib seems not to be using the credentials for the docker-registry user-login of the given $REGISTRY_USER any more, which are saved in Jenkins' 'credentials' section, as before with the docker daemon running in Jenkins.

How can I tell the jib-plugin in the Jenkins pipeline to use the credentials for the docker-registry-login which are stored in my Jenkins account, which I thought was/is a secure solution? I don't want the credentials - especially the password - to be handled on every client or on GitHub.

Jochen Haßfurter
  • Can you try `stage('publish docker') { docker.withRegistry("$REGISTRY_URL", "$REGISTRY_USER") { sh "./mvnw -ntp jib:build -Dimage=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG" } } `? No need to pass `-Djib.to.auth.username`. – Chanseok Oh Dec 10 '19 at 16:16
  • You are right concerning the parameter `-Djib.to.auth.username` - instead, it needs a way to tell maven concerning `jib` in the Jenkins `'publish docker'`-stage, that the credentials for `-Djib.to.auth.username` and `-Djib.to.auth.password` can be found in the Jenkins global credentials for `$REGISTRY_USER` (which is a Jenkins credentials-user account, not a docker-registry account). I tried your suggestion - before and now again to be sure - and it can't work because I have to tell Jenkins to complete the `jib`-buildstep with the saved global credentials somehow I think. Right? – Jochen Haßfurter Dec 11 '19 at 12:52
  • Should it be `-Dimage=$REGISTRY_URL/...` instead of `$REGISTRY/...`? In any case, I thought `withRegistry()` would basically do `docker login` (but I am completely new to Jenkins). If that is not the case, at least I think this workaround will probably work: https://issues.jenkins-ci.org/browse/JENKINS-41051?focusedCommentId=329137&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-329137 That is, do `docker login` yourself before running Jib. You will need to provide the correct registry URL (perhaps `docker login -u ... -p ... $REGISTRY_URL`). – Chanseok Oh Dec 11 '19 at 16:12
  • Also, provide `-X` to `/.mvnw` to figure out what exactly is failing. – Chanseok Oh Dec 11 '19 at 16:14
  • It should be `./mvnw -ntp -X ...`. `-X` will make Maven verbose, printing DEBUG level logs. But in any case, I think the workaround I linked above should work. As long as `docker push` works, Jib should work. – Chanseok Oh Dec 11 '19 at 19:48

2 Answers

5

One way to provide credentials through environment variables is to use `withCredentials()` in the following way, as hinted in this comment.

    def dockerImage
    stage('publish docker') {
        withCredentials([usernamePassword(credentialsId: 'myregistry-login', passwordVariable: 'DOCKER_REGISTRY_PWD', usernameVariable: 'DOCKER_REGISTRY_USER')]) {
            // assumes Jib is configured to use the environment variables
            sh "./mvnw -ntp jib:build"
        }
    }
Chanseok Oh
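
The stage above assumes Jib reads the two environment variables. One way to wire that up in `pom.xml`, shown here as an added example that is not part of the original answer: the variable names are the ones bound by `withCredentials()` above, and the rest of the plugin declaration is assumed to match the pom you already have.

```xml
<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <!-- keep the <version> your pom already declares for this plugin -->
  <configuration>
    <to>
      <!-- target image: set here, or pass -Dimage=... as in the question -->
      <auth>
        <!-- Maven resolves ${env.NAME} from the process environment.
             Jenkins sets these two variables only inside the
             withCredentials() block, so they are empty elsewhere. -->
        <username>${env.DOCKER_REGISTRY_USER}</username>
        <password>${env.DOCKER_REGISTRY_PWD}</password>
      </auth>
    </to>
  </configuration>
</plugin>
```

With this in place the password is neither stored in the repository nor passed on the `mvnw` command line; it exists only in the Jenkins credentials store and in the environment of the build step.
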
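2

    pipeline {
        agent any
        stages {
            stage("Docker login") {
                steps {
                    // Bind the secret-text credential 'DockerHubPwd' to the variable dockerpwd
                    withCredentials([string(credentialsId: 'DockerHubPwd', variable: 'dockerpwd')]) {
                        // Single quotes: the shell, not Groovy, expands $dockerpwd,
                        // so the secret is not interpolated into the command string
                        sh 'docker login -u username -p $dockerpwd'
                    }
                }
            }
        }
    }
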
  • 2
    Welcome to Stack Overflow, and thank you for contributing an answer. Would you kindly edit your answer to include an explanation of your code? That will help future readers better understand what is going on, and especially those members of the community who are new to the language and struggling to understand the concepts. That's especially important when there's already an accepted answer that's been validated by the community. Under what conditions might your approach be preferred? Are you taking advantage of new capabilities? – Jeremy Caney Nov 17 '21 at 01:26