Dockerizing Jenkins 2, part 3: Securing password with docker-compose, docker-secret and jenkins credentials plugin
This is 3rd part of Dockerizing Jenkins series, you can find more about previous parts here:
Dockerizing Jenkins 2, Part 1: Declarative Build Pipeline With SonarQube Analysis
Dockerizing Jenkins 2, part 2: Deployment with maven and JFrog Artifactory
In this part we will look at:
- How to use docker-compose to run containers
- How to use passwords in docker environment with docker-secrets
- How to hide sensitive information in Jenkins with credentials plugin
In the part 1 we created basic jenkins docker image in order to run java maven pipeline with test and sonarqube analysis and then in the part 2 we looked at how to perform deployment using maven settings file. As you remember we saved the password in the file without any encryption, which is not you would obviously ever do, of course.
All code for this and previous parts is in my GitHub repo https://github.com/kenych/dockerizing-jenkins and I decided to create a branch for every part, as master branch will change with every part and older article would refer to wrong code base, for this part the code will be in the branch “dockerizing_jenkins_part_3_docker_compose_docker_secret_credentials_plugin” and you can run the below command to check it out:
git clone https://github.com/kenych/dockerizing-jenkins && \ cd dockerizing-jenkins && \ git checkout dockerizing_jenkins_part_3_docker_compose_docker_secret_credentials_plugin
In this part we will remove password from the source code and let credentials plugin apply credentials to Config File Provider Plugin. But before changing any code, we will need to switch to using docker-compose instead of using docker run command. This will give us a chance to leverage docker secrets feature along with many other features which you will love.
I updated runall.sh script which we used in two parts before and replaced with docker-compose and download.sh script which will just download the minimum stuff we will need in advance. I also removed java 7 and java 8 installation in favour to use embedded java 8 from jenkins container as otherwise our download script takes too long and java comes for free in the image anyway, you can check it later once our jenkins container running.
If you were following part one and two you should know how to pick up specific java version anyway using maven tool mechanism and if you want to play with that just uncomment these lines in download script, java.groovy and in the pipeline as well. Now let’s run download to make sure we have everything we need:
➜ ./download.sh 2.60.1: Pulling from library/jenkins Digest: sha256:fa62fcebeab220e7545d1791e6eea6759b4c3bdba246dd839289f2b28b653e72 Status: Image is up to date for jenkins:2.60.1 6.3.1: Pulling from library/sonarqube Digest: sha256:d5f7bb8aecaa46da054bf28d111e5a27f1378188b427db64cc9fb392e1a8d80a Status: Image is up to date for sonarqube:6.3.1 5.4.4: Pulling from jfrog/artifactory-oss Digest: sha256:404a3f0bfdfa0108159575ef74ffd4afaff349b856966ddc49f6401cd2f20d7d Status: Image is up to date for docker.bintray.io/jfrog/artifactory-oss:5.4.4 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 8334k 100 8334k 0 0 445k 0 0:00:18 0:00:18 --:--:-- 444k
Please note if you haven’t ever downloaded the images, it will take some time. Now, while it is downloading the stuff we need, let’s look at docker-compose.ym:
version: "3.1" services: myjenkins: build: context: . image: myjenkins ports: - "8080:8080" depends_on: - mysonar - artifactory links: - mysonar - artifactory volumes: - "./jobs:/var/jenkins_home/jobs/" - "./m2deps:/var/jenkins_home/.m2/repository/" - "./downloads:/var/jenkins_home/downloads" secrets: - artifactoryPassword mysonar: image: sonarqube:6.3.1 ports: - "9000" artifactory: image: docker.bintray.io/jfrog/artifactory-oss:5.4.4 ports: - "8081" secrets: artifactoryPassword: file: ./secrets/artifactoryPassword
If you were curious, you would ask why did I call the file docker-compose.yml?