indigo-dc / jenkins-pipeline-library

Jenkins pipeline library with common functionalities for CI/CD environments, mainly targeted for the implementation of the SQA baseline requirements from https://indigo-dc.github.io/sqa-baseline/
Apache License 2.0

Docker credential helper #99

Open samuelbernardolip opened 4 years ago

samuelbernardolip commented 4 years ago

A credential helper is required for docker login to resolve a security issue when setting the password (to avoid it being written to disk). Instead of using one of the credential helper solutions that keep their own encrypted database for secrets with a more complex setup, I propose to create a bash script that responds to the expected protocol using environment variables for Jenkins integration.
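As an added illustration of the proposal above (not code from this issue or from jenkins-pipeline-library), a minimal POSIX shell credential helper that answers Docker's credential-helper protocol (get/store/erase/list) from environment variables, so the registry password never lands in ~/.docker/config.json. The helper name docker-credential-env and the variable names JPL_DOCKERPASS and JPL_DOCKERSERVER are assumptions; JPL_DOCKERUSER is the name used later in this thread.

```shell
#!/bin/sh
# docker-credential-env: hypothetical Docker credential helper that serves
# the credential-helper protocol from environment variables (example code,
# not part of the library). Install it as docker-credential-env on PATH and
# set {"credsStore": "env"} in ~/.docker/config.json.
# Assumed variables: JPL_DOCKERUSER, JPL_DOCKERPASS, JPL_DOCKERSERVER
# (the server defaults to Docker Hub).

DEFAULT_SERVER='https://index.docker.io/v1/'

# Escape backslash and double quote so the value is a valid JSON string.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# "get": docker writes the server URL on stdin (possibly without a trailing
# newline) and expects a JSON object with ServerURL, Username and Secret.
helper_get() {
  server=''
  IFS= read -r server || true   # read returns 1 at EOF but still sets server
  if [ "$server" != "${JPL_DOCKERSERVER:-$DEFAULT_SERVER}" ] \
     || [ -z "${JPL_DOCKERUSER:-}" ] || [ -z "${JPL_DOCKERPASS:-}" ]; then
    # Exact message the docker client recognises as "no credentials stored".
    printf 'credentials not found in native keychain\n' >&2
    return 1
  fi
  printf '{"ServerURL":"%s","Username":"%s","Secret":"%s"}\n' \
    "$(json_escape "$server")" "$(json_escape "$JPL_DOCKERUSER")" \
    "$(json_escape "$JPL_DOCKERPASS")"
}

# Dispatch on the action docker passes as the first argument.
credential_helper() {
  case "${1:-}" in
    get)   helper_get ;;
    # store/erase: consume stdin and succeed; nothing is ever persisted.
    store|erase) cat >/dev/null ;;
    list)  printf '{"%s":"%s"}\n' \
             "$(json_escape "${JPL_DOCKERSERVER:-$DEFAULT_SERVER}")" \
             "$(json_escape "${JPL_DOCKERUSER:-}")" ;;
    *)     printf 'unknown credential action: %s\n' "${1:-}" >&2; return 1 ;;
  esac
}

# Act as the helper binary only when invoked with a protocol action.
case "${1:-}" in get|store|erase|list) credential_helper "$@" ;; esac
```

Jenkins can then export the two variables from its credentials store for the duration of the build, and `docker login`/`docker push` resolve the password through the helper without a `--password` argument or a config.json entry.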

samuelbernardolip commented 3 years ago

I followed the following references to use the docker credential helper and I couldn't get it working:
https://docs.docker.com/engine/reference/commandline/login/
https://docs.docker.com/docker-hub/access-tokens/
https://stackoverflow.com/questions/30970591/automatic-docker-login-within-a-bash-script
https://github.com/docker/docker-credential-helpers/issues/102
https://github.com/docker/docker-credential-helpers

micafer commented 3 years ago

Hi @samuelbernardolip, I found a reference with instructions on how to use the docker-credential-pass tool: https://www.techrepublic.com/article/how-to-setup-secure-credential-storage-for-docker/ I have tested it and it works.

samuelbernardolip commented 3 years ago

Hi @micafer,

I found a reference with instructions on how to use the docker-credential-pass tool: https://www.techrepublic.com/article/how-to-setup-secure-credential-storage-for-docker/ I have tested it and it works.

Thank you very much for the test and the reference.

samuelbernardolip commented 3 years ago

There is a security flaw in Jenkins for docker push with a password generated with special characters. The warning relates to string interpolation of variables evaluated outside the container that appear as strings inside the container. This is an issue on the Jenkins service side, since JPL_DOCKERUSER appears masked; only JPL_DOCKERUSER with special characters doesn't. But as I could read from [1], this could be caused by special characters such as "/ \ $ & % ^ > < | ;" that are parsed in two stages (outside and inside the container), which results in a string injection flaw that overrides the expected behavior of the interpolation.

Using the docker helper to manage the authentication doesn't solve the requirement of using passwords. It will only be useful in the case where multiple authentications are required. The docker helper works like ssh-agent to manage password-protected private keys.

To use the docker helper solution (an issue is open about this in JePL) the following steps would be required:

For this to work it is required that we set the docker configuration for the Jenkins user and install the required software to support the credential helper on each worker node. It also demands that we configure access control for builds and associate a user with each project, so we can keep the configurations and credentials database isolated for each project.

All of this becomes easier when using Kubernetes. We only need to add a k8s cluster to Jenkins. After this step we can use all the features provided by Kubernetes to manage all the above details, which are only required for docker-compose.

[1] https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#injection-via-interpolation