WARNING: Jenkins X version 2.x is unmaintained. Do not use it.
Please refer to the v3 documentation for the latest supported version.
Docker Registry
To be able to create and publish Docker images, we use a Docker Registry. If you want to change the default registry, you need to:
- tell Jenkins X which Docker registry host to use.
- ensure env/parameters.yaml contains the required authentication parameters
- ensure your secret store contains the necessary secret
- ensure values.tmpl.yaml for your Kubernetes provider contains the correct DockerConfig configuration
The following sections provide more details around these steps.
jx boot locally or create a pull request. For more information refer to Changing your installation in the Boot documentation.
Configure Docker registry
To change the default Docker registry, you need to set the registry host in the registry property of your jx-requirements.yml file. In case you want to use Docker Hub, the configuration would look like this:
cluster:
  registry: docker.io
Ensure authentication parameters
Next, you have to check the file env/parameters.yaml in your checkout of the Boot repository. It needs to contain a docker configuration section, similar to this:
enableDocker: true
docker:
  email: <email>
  password: vault:<cluster-name>/docker:password
  url: <url>
  username: <username>
If you have been using the default registry, your env/parameters.yaml might not contain a docker section at all. If so, add the required configuration and make sure to set enableDocker: true.
The password uses a special format which allows referencing secrets from your configured secret store. Injecting secrets into the parameters describes in more detail how secrets work in conjunction with env/parameters.yaml.
enableDocker: true and run jx boot locally. In this case, it will interactively ask for the required parameters again and persist them into env/parameters.yaml and the underlying secret store.
Update secret store
The next step is to make sure the password is stored in the secret store. Assuming you are using Vault as the secret store, you need to make sure the secret identified by the URI vault:<cluster-name>/docker:password exists. This can be achieved by running (you need the vault CLI installed for that):
eval $(jx get vault-config)
vault kv put /secret/<cluster-name>/docker password=<my-password>
You can find more information on how to interact with Vault secrets in the Manage your secrets section.
Update Kubernetes provider configuration
Finally, you need to make sure that the correct Docker authentication config.json gets generated and stored in the Kubernetes Secret jenkins-docker-cfg (within your development namespace). Ultimately, this secret is mounted into the Pod executing the docker push and is responsible for authenticating against the configured Docker registry.
If you are running an old jx install based cluster, changing your Docker registry credentials just comes down to changing the jenkins-docker-cfg Secret.
kubectl delete secret jenkins-docker-cfg -n jx
kubectl create secret generic jenkins-docker-cfg -n jx --from-file=./config.json
With Jenkins X Boot, the jenkins-docker-cfg Secret is created in the Kubernetes provider-specific file values.tmpl.yaml. You can find this file in the kubeProviders subdirectory of your Boot configuration repository. The Docker specific configuration in values.tmpl.yaml for GKE looks like this:
jenkins-x-platform:
  PipelineSecrets:
{{- if eq .Parameters.enableDocker true }}
    DockerConfig: |-
      {
        "auths":{
          {{ .Parameters.docker.url | quote }}:
            {
              "auth": {{ printf "%s:%s" .Parameters.docker.username .Parameters.docker.password | b64enc | quote}},
              "email": {{ .Parameters.docker.email | quote}}
            }
        }
      }
{{- else}}
    # lets enable GCR Docker builds
    DockerConfig: |-
      {
        "credHelpers": {
          "gcr.io": "gcr",
          "us.gcr.io": "gcr",
          "eu.gcr.io": "gcr",
          "asia.gcr.io": "gcr",
          "staging-k8s.gcr.io": "gcr"
        }
      }
{{- end}}
You can see how the enableDocker parameter discussed in Ensure authentication parameters is used to switch between the different formats of config.json. You need to ensure that the enabled DockerConfig matches your requirements. If that is not the case, adjust values.tmpl.yaml to match the format required by your registry.
The following sections describe some of the typical config.json formats used by various Docker registries.
Google Container Registry (GCR)
If you want to use GCR, you can create your config.json by running:
gcloud auth configure-docker
The above command will ask you to confirm writing a credHelpers section to your config.json in your home directory under .docker/config.json. It is sufficient to place the credHelpers section into a new config.json. The content should look similar to:
{
  "credHelpers": {
    "gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud"
  }
}
Elastic Container Registry (ECR)
For AWS and its Elastic Container Registry (ECR), the config.json looks like:
{
  "credsStore": "ecr-login"
}
Docker Hub
If you want to publish images to Docker Hub, then you need a config.json with an auth section containing your Docker Hub auth token. For example:
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "MyDockerHubToken"
    }
  }
}
Check .docker/config.json in your home directory to see whether it contains the required configuration.
If you don’t have a .docker/config.json, you can run:
docker login -u <username> -p <password>
On macOS you might find something like this:
"credsStore":"osxkeychain"
in .docker/config.json without an auths section. In this case, you can edit the credsStore line and set the value of this property to “”. Then run:
docker logout
docker login -u <username> -p <password>
jFrog BinTray (Artifactory)
It is also possible to use jFrog BinTray as a private registry. The content should look similar to:
{
  "auths": {
    "https://private-reg.bintray.io": {
      "auth": "username:password (base64 encoded)",
      "email": "myemail@acme.com"
    }
  }
}
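The config.json formats described above can be checked before the file is loaded into the jenkins-docker-cfg Secret. The following is an added example, not part of the Jenkins X documentation or code base; the function names and sample values are constructed for illustration. It builds the auths form the same way the values.tmpl.yaml template does and shows that auth is only base64-encoded, so anyone who can read the Secret can recover the password.

```python
import base64
import json


def build_auths_config(url, username, password, email):
    """Mirror the auths branch of values.tmpl.yaml: auth = base64("user:password")."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {url: {"auth": token, "email": email}}}


def check_docker_config(text):
    """Return (mode, findings) for a config.json string; never echoes secrets."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return "invalid", [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return "invalid", ["top level must be a JSON object"]
    modes = [k for k in ("auths", "credHelpers", "credsStore") if cfg.get(k)]
    if not modes:
        return "empty", ["no auths, credHelpers or credsStore entry"]
    auths = cfg.get("auths") or {}
    if not isinstance(auths, dict):
        return "invalid", ["auths must be a JSON object"]
    findings = []
    for registry, entry in auths.items():
        token = entry.get("auth") if isinstance(entry, dict) else None
        try:
            decoded = base64.b64decode(token or "", validate=True).decode("utf-8")
        except (ValueError, TypeError):
            decoded = ""  # not base64, or not text once decoded
        user, sep, secret = decoded.partition(":")
        if not (user and sep and secret):
            findings.append(f"{registry}: auth is not base64 of user:password")
    # Credential helpers are docker-credential-<name> binaries that must be on
    # PATH in the container running docker push; the JSON cannot prove that.
    helpers = cfg.get("credHelpers")
    names = set()
    if isinstance(helpers, dict):
        names = {v for v in helpers.values() if isinstance(v, str)}
    if isinstance(cfg.get("credsStore"), str) and cfg["credsStore"]:
        names.add(cfg["credsStore"])
    for name in sorted(names):
        findings.append(f"requires docker-credential-{name} in the build image")
    return "+".join(modes), findings
```

A config.json that reports the mode "empty", such as the macOS file after credsStore has been set to “” and before docker login has been run again, contains no credentials to publish with.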