  1. Jenkins Artifactory Plug-in
  2. HAP-1190

Make Artifactory Plugin work with TLS secured Docker socket

    Details

    • Type: Feature Request
    • Status: Resolved
    • Priority: 4 - Normal
    • Resolution: Done
    • Affects Version/s: 3.2.1
    • Fix Version/s: 3.4.0
    • Component/s: None

      Description

      We are using Jenkins with Pipeline Multibranch Plugin, Docker Pipeline Plugin, Credentials Plugin and Artifactory Plugin.

      Our builds are running inside plain Docker JNLP slaves. The Docker daemon sockets used in our Jenkins Docker cloud are TLS secured (--tlsverify set), so we have configured Docker client credentials in Jenkins.

      When building Docker images with scripted pipeline we are using Docker Pipeline Plugin to set Docker Host and credentials:

       

      docker.withServer(env.DOCKER_HOST, 'jenkins_docker_credentials') {
          image = docker.build(buildImageTag)
          sh 'do something'
      }

       

      This works fine for building images but not for pushing or pulling images to/from Artifactory with Artifactory Plugin.

      This:

       

      def artServer = Artifactory.server(env.ART_SERVER)
      def artDocker = Artifactory.docker server: artServer, host: env.DOCKER_HOST
      docker.withServer(env.DOCKER_HOST, 'jenkins_docker_credentials') {
          artDocker.push(buildImageTag, artRepoDeploy, buildInfo)
      }
      

       

      never uses the Docker credentials set by Docker Pipeline Plugin. Instead Artifactory tries to connect to env.DOCKER_HOST without TLS. Since there is no credential parameter for Artifactory.docker I am looking for a way to configure Artifactory Plugin for TLS with Docker.

      What I found from looking at the code:

      The underlying docker-java supports system environment, system properties, property file and programmatic configuration for setting TLS client credentials. Since we are using plain Jenkins Docker JNLP clients there seems to be no way to set system environment or system properties for the JNLP client process which runs Artifactory Plugin.

      As a workaround we are writing a property file to configure docker-java for TLS:

       

      docker.withServer(env.DOCKER_HOST, 'jenkins_docker_credentials') {
          writeFile file: "${env.JENKINS_HOME}/.docker-java.properties", text: "DOCKER_TLS_VERIFY=${env.DOCKER_TLS_VERIFY}\nDOCKER_CERT_PATH=${env.DOCKER_CERT_PATH}"
          artDocker.push(buildImageTag, artRepoDeploy, buildInfo)
      }

       

      This works but is ugly and error-prone. I can think of two better solutions:

      1. Implement Docker Credential handling in Artifactory Plugin
      2. Use Docker Credentials from Jenkins EnvVars set by Docker Pipeline Plugin

      It would be nice if you could take a look into this. I tried with support but had problems explaining what our problem is.

      I have a working implementation of 2. It evaluates Jenkins EnvVars and only sets docker-java DefaultDockerClientConfig TLS options if DOCKER_CERT_PATH and DOCKER_TLS_VERIFY are found. There is no additional plugin dependency. I could open a PR for this.
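
A sketch of option 2 as described above, added here as an illustration; it is not the reporter's implementation or the plugin's code. The class name and the fail-closed handling of a half-set environment are assumptions; the docker-java builder calls and the `ca.pem`/`cert.pem`/`key.pem` layout of a Docker certificate directory are standard.

```java
import com.github.dockerjava.core.DefaultDockerClientConfig;
import com.github.dockerjava.core.DockerClientConfig;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;

/** Hypothetical helper (name and shape are assumptions, not the plugin's class). */
public final class DockerTlsFromEnv {
    private static final String[] REQUIRED = {"ca.pem", "cert.pem", "key.pem"};

    private DockerTlsFromEnv() {}

    /** env: the build's variables; Jenkins EnvVars is a Map<String, String>. */
    public static DockerClientConfig build(String host, Map<String, String> env) {
        DefaultDockerClientConfig.Builder b =
                DefaultDockerClientConfig.createDefaultConfigBuilder().withDockerHost(host);
        String verify = trimToNull(env.get("DOCKER_TLS_VERIFY"));
        String certPath = trimToNull(env.get("DOCKER_CERT_PATH"));

        if (verify == null && certPath == null) {
            return b.build(); // nothing set by the pipeline: keep docker-java defaults
        }
        // Half-configured TLS must not degrade to a plaintext connection.
        if (verify == null || certPath == null) {
            throw new IllegalStateException(
                    "DOCKER_TLS_VERIFY and DOCKER_CERT_PATH must be set together");
        }
        boolean enabled = "1".equals(verify) || "true".equalsIgnoreCase(verify);
        if (!enabled) {
            throw new IllegalStateException("DOCKER_CERT_PATH set but DOCKER_TLS_VERIFY=" + verify);
        }
        Path dir = Paths.get(certPath);
        for (String name : REQUIRED) {
            if (!Files.isReadable(dir.resolve(name))) {
                throw new IllegalStateException("missing client TLS file: " + dir.resolve(name));
            }
        }
        return b.withDockerTlsVerify(Boolean.TRUE).withDockerCertPath(certPath).build();
    }

    private static String trimToNull(String s) {
        return (s == null || s.trim().isEmpty()) ? null : s.trim();
    }
}
```

The file check only makes sense in the JVM that opens the Docker connection, since the certificate directory has to exist on that machine. Unlike the property-file workaround, nothing is written to a location shared between builds.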

       

            People

            Assignee:
            eyalb Eyal Ben Moshe
            Reporter:
            matthias.weber Matthias Weber