As a workaround to the withRegistry block, a very simple credentials helper like docker-credential-envvars
can be used and added to the PATH. The helper only needs to deal with get in the context of CI, if we want to avoid storing secrets. This helper reads the environment variables DOCKER_CREDS_USERNAME and DOCKER_CREDS_PASSWORD to pass authentication details to the docker CLI. It just prints the following:
{"ServerURL":"${REGISTRY_HOST}","Username":"${DOCKER_CREDS_USERNAME}","Secret":"${DOCKER_CREDS_PASSWORD}"}
See https://docs.docker.com/engine/reference/commandline/login/#credentials-store for more details on this.
Then in a pipeline, we can add the credsStore to point to the helper and then use the withCredentials step to inject username/password credentials with the variable names DOCKER_CREDS_USERNAME and DOCKER_CREDS_PASSWORD.
withEnv(["DOCKER_CONFIG=" + pwd(tmp:true) + "/.docker"]) {
    sh '''
        mkdir -p \${DOCKER_CONFIG}
        echo '{"credsStore":"envvars"}' > \${DOCKER_CONFIG}/config.json
    '''
    withCredentials([usernamePassword(credentialsId: 'dockerhub-ro', passwordVariable: 'DOCKER_CREDS_PASSWORD', usernameVariable: 'DOCKER_CREDS_USERNAME')]) {
        [...]
    }
    sh "[ -d \$DOCKER_CONFIG ] && rm -rf \$DOCKER_CONFIG"
}
What looks cumbersome here could well be factored out in a global function of a shared library.
Maybe Docker Pipeline could implement such logic to solve that problem?
https://github.com/jenkinsci/docker-commons-plugin/blob/docker-commons-1.17/src/main/java/org/jenkinsci/plugins/docker/commons/impl/RegistryKeyMaterialFactory.java#L98-L103
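A minimal get-only helper of the kind described above, as an added example (not the actual docker-credential-envvars code and not part of the original comment). It assumes REGISTRY_HOST holds the exact server URL the docker CLI sends on stdin, and it goes beyond the comment by refusing any other host and by JSON-escaping the values.

```shell
#!/bin/sh
# Added sketch of a "docker-credential-envvars" helper (assumed layout).
# Docker runs "docker-credential-<credsStore> <verb>"; for "get" the
# server URL arrives on stdin and the JSON reply goes to stdout.

# Escape backslash and double quote so a password containing them still
# yields valid JSON (control characters are not handled in this sketch).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

credential_helper() {
    case "$1" in
    get)
        IFS= read -r server || true
        # Answer only for the expected registry, so the secret is never
        # offered to another host, and fail closed on missing variables.
        if [ -z "${REGISTRY_HOST:-}" ] || [ "$server" != "$REGISTRY_HOST" ] ||
           [ -z "${DOCKER_CREDS_USERNAME:-}" ] ||
           [ -z "${DOCKER_CREDS_PASSWORD:-}" ]; then
            # Same text docker-credential-helpers prints for "no entry".
            echo "credentials not found in native keychain"
            return 1
        fi
        printf '{"ServerURL":"%s","Username":"%s","Secret":"%s"}\n' \
            "$(json_escape "$server")" \
            "$(json_escape "$DOCKER_CREDS_USERNAME")" \
            "$(json_escape "$DOCKER_CREDS_PASSWORD")"
        ;;
    *)
        # store/erase/list are refused: nothing is ever persisted.
        echo "docker-credential-envvars: only 'get' is supported" >&2
        return 2
        ;;
    esac
}

# Dispatch only when called with a verb, as the docker CLI does.
if [ "$#" -gt 0 ]; then
    credential_helper "$@"
fi
```

Saved as docker-credential-envvars, made executable and placed on the PATH, it is selected by the `{"credsStore":"envvars"}` entry written in the pipeline above.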