Question
I am trying to create a pipeline where docker images are created using JIB (via a Maven Plugin) and pushed to my Gitlab Registry.
This works fine locally as I am logged into my docker registry.
    <plugin>
      <groupId>com.google.cloud.tools</groupId>
      <artifactId>jib-maven-plugin</artifactId>
      <version>1.0.0</version>
      <configuration>
        <allowInsecureRegistries>true</allowInsecureRegistries>
        <from>
          <image>dockerhost/projectgroup/alpine</image>
        </from>
        <to>
          <image>dockerhost/project/imagename:${project.version}</image>
        </to>
        <container>
          <useCurrentTimestamp>true</useCurrentTimestamp>
        </container>
      </configuration>
    </plugin>
Say I have a .gitlab-ci.yml which looks like:
    stages:
      - build_image
    build_image:
      stage: build_image
      tags:
        - dev
      script: |
        mvn compile jib:build
Now I am getting an exception when the pipeline is triggered:
    Build image failed: Failed to authenticate with registry dockerhost/projectgroup/alpine because: peer not authenticated
I am assuming I am getting this error because I haven't run docker login -u [username] -p [password/token].
However, I would need a .gitlab-ci.yml which uses a docker-in-docker image to be able to run docker login within my script?
Is there an alternative to using a docker-in-docker image to build this image on my Gitlab CI?
Answer 1:
Using GitLab you can define secret environment variables that you could use to pass your registry credential to Jib.
- Define secret variables using GitLab
- Pass the registry credential using Jib
    mvn compile jib:build -Djib.to.image=my-container-image:latest -Djib.to.auth.username=$REGISTRY_USER -Djib.to.auth.password=$REGISTRY_PASSWORD
Answer 2:
https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#authentication-methods calls out using either credential helpers or placing the creds directly in maven settings. Despite calling these "docker credential helpers", I don't think these credential helpers actually use the docker daemon, rather they are just something that stores creds using the appropriate native store and passes it to jib when jib has to authenticate to push the image to a docker API compatible registry.
https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#quickstart distinguishes building to a docker daemon from building to a registry, so my guess is if you build to a registry you don't need a daemon accessible, which means you just need an image that's capable of running maven.
Of course it's this kind of vague, untested advice that brought you here in the first place right....
Answer 3:
You can configure Jib with explicit username and passwords. But note that Jib does not send passwords over unencrypted connections unless explicitly configured with -DsendCredentialsOverHttp.
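
A `.gitlab-ci.yml` that combines the answers above, as an added example that is not part of the original thread: the job runs in a plain Maven image with no Docker daemon, and Jib receives the registry credentials from GitLab CI/CD variables. The image name `maven:3-jdk-8` and the reuse of `REGISTRY_USER` / `REGISTRY_PASSWORD` for both the base image and the target image are assumptions.

```yaml
# Added example, not from the original thread.
# Assumes REGISTRY_USER and REGISTRY_PASSWORD are defined under
# Settings > CI/CD > Variables (masked, and protected where possible),
# never committed to the repository or written into pom.xml.
stages:
  - build_image

build_image:
  stage: build_image
  # Assumption: any image with a JDK and Maven works. Jib pushes straight
  # to the registry, so no docker-in-docker service or daemon is required.
  image: maven:3-jdk-8
  tags:
    - dev
  script:
    # The error in the question is raised for the base image
    # (dockerhost/projectgroup/alpine), so credentials are supplied for
    # the <from> side as well as the <to> side. Both live on the same
    # registry host here, so the same variables are reused (assumption).
    # The shell expands the variables at run time; the values appear in the
    # mvn process arguments on the runner, so use a deploy token with the
    # narrowest registry scope rather than a personal password.
    - >
      mvn compile jib:build
      -Djib.from.auth.username="$REGISTRY_USER"
      -Djib.from.auth.password="$REGISTRY_PASSWORD"
      -Djib.to.auth.username="$REGISTRY_USER"
      -Djib.to.auth.password="$REGISTRY_PASSWORD"
```

The image names still come from the `<from>` and `<to>` elements in the pom.xml shown in the question.
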
Source: https://stackoverflow.com/questions/54683567/building-docker-images-with-jib-and-gitlab-ci