-
Bug
-
Resolution: Unresolved
-
Major
-
None
Environment:
- Jenkins 2.303.3
- Running against a kubernetes cluster with windows and linux nodes
- Docker Pipeline plugin at version 1.26
When:
1. Create a json style credential for a container repository (ours is GCR), with credential type "username and password":
user: _json_key
password:
{ "type": "service_account", "project_id": "myproject", "private_key_id": "94c790****************56129", "private_key": "-----BEGIN PRIVATE KEY-----\nMII***cQQ2SH\n-----END PRIVATE KEY-----\n", "client_email": "accountemail@domain.gserviceaccount.com", "client_id": "12345678901234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/accountemail%40domain.iam.gserviceaccount.com" }
2. In a declarative pipeline, use the credentials to login to a container registry using a linux node:
pipeline {
agent { label 'linux-dockercli' }
options { skipDefaultCheckout() }
stages {
stage('test') {
steps {
container('dockercli') {
script {
docker.withRegistry('https://us.gcr.io', 'myproject') {
echo "success!"
}
}
}
}
}
}
}
3. When running the pipeline, notice that the pipeline succeeds
Executing sh script inside container dockercli of pod linux-dockercli-277rn Executing command: "docker" "login" "-u" "_json_key" "-p" ******** \"type\": \"service_account\", \"project_id\": \"myproject\", \"private_key_id\": \"94c790****************56129\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\nMII***cQQ2SH\n-----END PRIVATE KEY-----\n\", \"client_email\": \"accountemail@domain.iam.gserviceaccount.com\", \"client_id\": \"12345678901234567890\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509accountemail%40domain.iam.gserviceaccount.com\" }" "https://us.gcr.io" exit WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /home/jenkins/agent/workspace/dockers_test@tmp/fd152d38-7cbf-4e0f-89bf-c64e3498048f/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded
4. Reuse the same pipeline, but now target a windows node:
pipeline {
agent { label 'windows-dockercli' }
options { skipDefaultCheckout() }
stages {
stage('test') {
steps {
container('dockercli') {
script {
docker.withRegistry('https://us.gcr.io', 'myproject') {
echo "success!"
}
}
}
}
}
}
}
5. Observe that the pipeline failed because we failed to login with docker
Executing cmd script inside container dockercli of pod windows-dockercli-h684b Microsoft Windows [Version 10.0.17763.2300] (c) 2018 Microsoft Corporation. All rights reserved. C:\home\jenkins\agent>Executing command: "docker" "login" "-u" "_json_key" "-p" ******** "type": "service_account", "project_id": "myproject", "private_key_id": "94c790****************56129", "private_key": "-----BEGIN PRIVATE KEY-----\nMII***cQQ2SH\n-----END PRIVATE KEY-----\n", "client_email": "accountemail@domain.iam.gserviceaccount.com", "client_id": "12345678901234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/accountemail%40domain.iam.gserviceaccount.com" }" "https://us.gcr.io" exit set BRANCH_NAME=test C:\home\jenkins\agent>set BUILD_DISPLAY_NAME=#39 C:\home\jenkins\agent>set BUILD_ID=39 C:\home\jenkins\agent>set BUILD_NUMBER=39 [...] C:\home\jenkins\agent>set WORKSPACE_TMP=C:homejenkinsagent/workspace/dockers_ubuntu-linux-20.04@tmp C:\home\jenkins\agent>"docker" "login" "-u" "_json_key" "-p" "{ "type": "service_account", "project_id": "myproject", "private_key_id": "94c790****************56129", "private_key": "-----BEGIN PRIVATE KEY-----\nMII***cQQ2SH\n-----END PRIVATE KEY-----\n", "client_email": "accountemail@domain.iam.gserviceaccount.com", "client_id": "12345678901234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/accountemail%40domain.iam.gserviceaccount.com" }" "https://us.gcr.io" "docker login" requires at most 1 argument. See 'docker login --help'. Usage: docker login [OPTIONS] [SERVER] Log in to a Docker registry
6. Notice that the json key provided with the "-p" argument uses unescaped quotes
Reported Issues:
A. [major] The "-p" argument provided to "docker login" should escape quotes
B. [minor] The secrets retrieved by docker.withRegistry should not appear in clear in the logs, instead the whole json credentials should be blanked
Workaround:
When pre-escaping the json credentials, the "docker login" on the windows node succeeds, however the one on the linux node starts failing. Maintaining two sets of credentials, where one is escaped and the other isn't, works as a workaround.
