如何为jenkins传递凭据以将docker映像推送到我自己的注册表中? [英] How to pass credentials for jenkins to push a docker image to my own registry?
问题描述
JHipster现在使用maven-jib-plugin.在此之前,我在docker-container中运行的jenkins服务器能够使用* .war-file构建docker映像,并使用'Jenkinsfile'(用于gradle,但通过切换将其推送到我自己的docker-registry)到现在的Maven),在完成工作后,另一项工作通过使用ssh在远程主机上执行shell脚本,将新构建的docker-image拉到了我服务器上的新docker-container中.
此任务的阶段为:
def dockerImage
stage('build docker') {
sh "cp -Rvvv src/main/docker build/"
sh "cp -vvv build/libs/*.war build/docker/"
dockerImage = docker.build("$IMAGE_NAME:$IMAGE_TAG", "build/docker")
}
stage('publish docker') {
docker.withRegistry("$REGISTRY_URL", "$REGISTRY_USER") {
dockerImage.push "$IMAGE_TAG"
}
}
stage('Remove Unused docker image') {
sh "docker rmi $IMAGE_NAME:$IMAGE_TAG"
}
据我对jib
的理解,现在变得更容易了,$ jhipster ci-cd
产生的Jenkinsfile
中的相关部分归结为
def dockerImage
stage('publish docker') {
sh "./mvnw -ntp jib:build -Dimage=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG -Djib.to.auth.username=$REGISTRY_USER"
}
不幸的是,jib
似乎不再使用给定$ REGISTRY_USER的docker-registry用户登录凭据,这些凭据已像以前在Jenkins中运行的docker守护程序一样,保存在Jenkins的凭据"部分中.
如何告诉jenkins管道中的jib
-plugin使用存储在我的jenkins帐户中的docker-registry-login凭据,我认为这是/是安全的解决方案?我不希望在每个客户端或github上都处理凭据(尤其是密码).
通过环境变量提供凭据的一种方法是按照以下方式使用 JHipster now uses the maven-jib-plugin. Before that, my jenkins server running in a docker-container was able to build a docker image with the *.war-file and push it to my own docker-registry with a pipeline using a 'Jenkinsfile' (for gradle, but I switched to Maven now), and after job completion another job pulled the newly build docker-image into a new docker-container on my server by executing shell scripts on the remote host using ssh. The stages for this task were: Now as far as I can understand with Unfortunately How can I tell the One way to provide credentials through environment variables is to use
这篇关于如何为jenkins传递凭据以将docker映像推送到我自己的注册表中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!withCredentials()
,如 def dockerImage
stage('build docker') {
sh "cp -Rvvv src/main/docker build/"
sh "cp -vvv build/libs/*.war build/docker/"
dockerImage = docker.build("$IMAGE_NAME:$IMAGE_TAG", "build/docker")
}
stage('publish docker') {
docker.withRegistry("$REGISTRY_URL", "$REGISTRY_USER") {
dockerImage.push "$IMAGE_TAG"
}
}
stage('Remove Unused docker image') {
sh "docker rmi $IMAGE_NAME:$IMAGE_TAG"
}
jib
making it easier and the relevant section in the Jenkinsfile
produced with $ jhipster ci-cd
it comes down to def dockerImage
stage('publish docker') {
sh "./mvnw -ntp jib:build -Dimage=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG -Djib.to.auth.username=$REGISTRY_USER"
}
jib
seems not to be using the credentials for the docker-registry user-login of the given $REGISTRY_USER any more which are saved in the Jenkins' 'credentials'-section as before with the docker daemon running in Jenkins.jib
-plugin in the jenkins pipeline to use the credentials for the docker-registry-login which are stored in my jenkins account, which I thought was/is a secure solution? I don't want the credentials - especially the password - to be handled on every client nor on github.withCredentials()
in the following way, as hinted in this comment. def dockerImage
stage('publish docker') {
withCredentials([usernamePassword(credentialsId: 'myregistry-login', passwordVariable: 'DOCKER_REGISTRY_PWD', usernameVariable: 'DOCKER_REGISTRY_USER')]) {
// assumes Jib is configured to use the environment variables
sh "./mvnw -ntp jib:build"
}
}