如何为jenkins传递凭据以将docker映像推送到我自己的注册表中? [英] How to pass credentials for jenkins to push a docker image to my own registry?

问题描述

JHipster现在使用maven-jib-plugin.在此之前，我在docker-container中运行的jenkins服务器能够使用* .war-file构建docker映像，并使用'Jenkinsfile'(用于gradle，但通过切换将其推送到我自己的docker-registry)到现在的Maven)，在完成工作后，另一项工作通过使用ssh在远程主机上执行shell脚本，将新构建的docker-image拉到了我服务器上的新docker-container中.

此任务的阶段为:

    def dockerImage
    stage('build docker') {
        sh "cp -Rvvv src/main/docker build/"
        sh "cp -vvv build/libs/*.war build/docker/"
        dockerImage = docker.build("$IMAGE_NAME:$IMAGE_TAG", "build/docker")
    }

    stage('publish docker') {
        docker.withRegistry("$REGISTRY_URL", "$REGISTRY_USER") {
            dockerImage.push "$IMAGE_TAG"
        }
    }

    stage('Remove Unused docker image') {
        sh "docker rmi $IMAGE_NAME:$IMAGE_TAG"
    }

据我对jib的理解，现在变得更容易了，$ jhipster ci-cd产生的Jenkinsfile中的相关部分归结为

    def dockerImage
    stage('publish docker') {
        sh "./mvnw -ntp jib:build -Dimage=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG  -Djib.to.auth.username=$REGISTRY_USER"
    }

不幸的是，jib似乎不再使用给定$ REGISTRY_USER的docker-registry用户登录凭据，这些凭据已像以前在Jenkins中运行的docker守护程序一样，保存在Jenkins的凭据"部分中.

如何告诉jenkins管道中的jib -plugin使用存储在我的jenkins帐户中的docker-registry-login凭据，我认为这是/是安全的解决方案?我不希望在每个客户端或github上都处理凭据(尤其是密码).

解决方案

通过环境变量提供凭据的一种方法是按照以下方式使用withCredentials()，如

JHipster now uses the maven-jib-plugin. Before that, my jenkins server running in a docker-container was able to build a docker image with the *.war-file and push it to my own docker-registry with a pipeline using a 'Jenkinsfile' (for gradle, but I switched to Maven now), and after job completion another job pulled the newly build docker-image into a new docker-container on my server by executing shell scripts on the remote host using ssh.

The stages for this task were:

    def dockerImage
    stage('build docker') {
        sh "cp -Rvvv src/main/docker build/"
        sh "cp -vvv build/libs/*.war build/docker/"
        dockerImage = docker.build("$IMAGE_NAME:$IMAGE_TAG", "build/docker")
    }

    stage('publish docker') {
        docker.withRegistry("$REGISTRY_URL", "$REGISTRY_USER") {
            dockerImage.push "$IMAGE_TAG"
        }
    }

    stage('Remove Unused docker image') {
        sh "docker rmi $IMAGE_NAME:$IMAGE_TAG"
    }

Now as far as I can understand with jib making it easier and the relevant section in the Jenkinsfile produced with $ jhipster ci-cd it comes down to

    def dockerImage
    stage('publish docker') {
        sh "./mvnw -ntp jib:build -Dimage=$REGISTRY/$IMAGE_NAME:$IMAGE_TAG  -Djib.to.auth.username=$REGISTRY_USER"
    }

Unfortunately jib seems not to be using the credentials for the docker-registry user-login of the given $REGISTRY_USER any more which are saved in the Jenkins' 'credentials'-section as before with the docker daemon running in Jenkins.

How can I tell the jib-plugin in the jenkins pipeline to use the credentials for the docker-registry-login which are stored in my jenkins account, which I thought was/is a secure solution? I don't want the credentials - especially the password - to be handled on every client nor on github.

解决方案

One way to provide credentials through environment variables is to use withCredentials() in the following way, as hinted in this comment.

    def dockerImage
    stage('publish docker') {
        withCredentials([usernamePassword(credentialsId: 'myregistry-login', passwordVariable: 'DOCKER_REGISTRY_PWD', usernameVariable: 'DOCKER_REGISTRY_USER')]) {
            // assumes Jib is configured to use the environment variables
            sh "./mvnw -ntp jib:build"
        }
    }

这篇关于如何为jenkins传递凭据以将docker映像推送到我自己的注册表中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！