Bug
Resolution: Unresolved
Major
Jenkins = 2.319.2
docker-commons-plugin = 1.18
docker-workflow-plugin = 1.27
Until now we had a parametrized name of our internal Docker registry configured in the Jenkins main config. We used an environment variable like ${REGISTRY} which was evaluated/expanded properly.
However, after updating the Docker Commons and Docker Workflow plugins to their current latest versions, this is no longer supported.
The workaround that worked is to just hardcode the Docker registry name instead.
This is almost certainly due to the security fix for SECURITY-1878 in docker-workflow-plugin gb3a6996 (included in release 1.27), which stopped the parameters passed in from being evaluated in the shell environment context.
Based on the example given in https://github.com/jenkinsci/docker-commons-plugin/pull/93#issuecomment-1028331791, the issue was seen with
DOCKER_IMAGE = docker.build('${ECR_REGISTRY}/${ECR_REPO}:${COMMIT_HASH}')
and I believe the intended fix is to instead call
DOCKER_IMAGE = docker.build("${env.ECR_REGISTRY}/${env.ECR_REPO}:${env.COMMIT_HASH}")
i.e. to evaluate those variables in the Pipeline script using ", so that the values passed into the shell do not need to be evaluated again, and can be treated literally as the current code intends.
However, this will not be so trivial if the image name depends on environment variables available in the shell but not available in the Pipeline script, or even depends on more complex expansions, e.g. shell built-ins or inline exec.
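The difference described in the comment above, modelled in POSIX shell as an added example (not code from the plugin or from this issue): a name that is parsed by the shell a second time versus one passed as a single literal argument, plus a pre-flight check that catches an unexpanded `${VAR}` before it reaches docker. The function names and sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the docker-workflow plugin's code.
# All function names and sample values below are hypothetical/constructed.

# Model of the behaviour before the fix: the image name is spliced into a
# command string that the shell parses a second time, so ${VAR} and $(cmd)
# inside it are expanded. Assumes the name contains no double quotes.
name_reevaluated() {
    eval "printf '%s' \"$1\""
}

# Model of the current behaviour: the name is one literal argument.
name_literal() {
    printf '%s' "$1"
}

# Pre-flight check: accept only characters that are plain in an image
# reference, so a leftover ${VAR} or $(cmd) is rejected before docker sees it.
is_plain_image_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._/:@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample values.
ECR_REGISTRY=registry.example.internal
ECR_REPO=app
COMMIT_HASH=abc123
TEMPLATE='${ECR_REGISTRY}/${ECR_REPO}:${COMMIT_HASH}'   # single quotes: left unexpanded
RESOLVED="${ECR_REGISTRY}/${ECR_REPO}:${COMMIT_HASH}"   # double quotes: expanded by the caller

for candidate in "$TEMPLATE" "$RESOLVED"; do
    if is_plain_image_name "$candidate"; then verdict=ok; else verdict=rejected; fi
    printf 'check=%-8s reevaluated=%s literal=%s\n' "$verdict" \
        "$(name_reevaluated "$candidate")" "$(name_literal "$candidate")"
done
```

Only the caller-resolved name passes the check and reads the same under both models, which is the property the double-quoted Pipeline string provides.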