Using AWS Elastic Container Registry (ECR) with CloudBees CI

  • store Docker images for faster builds

  • manage Docker images for better repeatability

  • deploy Docker images for easier development

This document gives you an overview of using ECR with CloudBees CI. Refer to the official documentation for full coverage of ECR:

Create an ECR registry

First you must create a registry in ECR. You can do this via the AWS Console or via the AWS SDK. Once you create your registry take note of your registry hostname which will be formatted like this:

# {id-number}.dkr.ecr.{region}.amazonaws.com
123456789012.dkr.ecr.us-east-1.amazonaws.com

Using an ECR registry in a Jenkins pipeline

CloudBees CI relies on the Jenkins Kubernetes Plugin to run Docker images in your Kubernetes cluster. The Jenkins Kubernetes Plugin documentation explains how to specify which Docker images are used in your pipelines.

As part of running CloudBees CI on AWS, your pipelines will be running on AWS EC2 instances. AWS EC2 instances are automatically authenticated and authorized to use ECR (as long as the IAM profile used on the nodes allows access to ECR). For other private registries, the Jenkins Kubernetes Plugin uses a Kubernetes Secret imagePullSecret with the registry login credentials for the registry.

Deploying the CloudBees CI images from ECR

If you want to deploy CloudBees CI itself from your ECR registry, you must pull the images from Docker Hub and push them to your registry. Use the following steps:

Step 1: Pull CloudBees CI images from Docker Hub

Log in to Docker Hub via docker login and pull the two images. Examine the CloudBees CI Kubernetes configuration file cloudbees-core.yml file to determine which version number to use for these images. Here’s an example for version 2.176.1.4 that first pulls the cloudbees-cloud-core-oc Operations Center image and then the cloudbees-core-mm Managed Master image.

$ docker pull cloudbees/cloudbees-cloud-core-oc:2.176.1.4
$ docker pull cloudbees/cloudbees-core-mm:2.176.1.4

Step 2: Push images to your ECR registry

Once you have pulled the images, tag the images and push them to your ECR registry.

When you tag them you must replace cloudbees with your registry hostname. For example:

$ docker tag cloudbees/cloudbees-cloud-core-oc:2.176.1.4  123456789012.dkr.ecr.us-east-1.amazonaws.com/cloudbees-cloud-core-oc:2.176.1.4
$ docker tag cloudbees/cloudbees-core-mm:2.176.1.4  123456789012.dkr.ecr.us-east-1.amazonaws.com/cloudbees-core-mm:2.176.1.4

Next, push the images to ECR:

$ docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/cloudbees-cloud-core-oc:2.176.1.4
$ docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/cloudbees-core-mm:2.176.1.4

Step 3: Change cloudbees-core.yml to use your AWS Registry

Change the CloudBees CI Kubernetes configuration file cloudbees-core.yml to use the images from your private ECR registry rather than Docker Hub. Use the tag assigned earlier (for example, 123456789012.dkr.ecr.us-east-1.amazonaws.com/cloudbees-cloud-core-oc:2.176.1.4) as the image name.

Use your favorite editor to edit the cloudbees-core.yml file and to search for the StatefulSet named cjoc. Look for the "spec" element inside the cjoc StatefulSet. The excerpt below shows where the image name is specified. Make sure that the image name matches the tag that you applied to cloudbees-cloud-core-oc above:

    spec:
      serviceAccountName: cjoc
      terminationGracePeriodSeconds: 10
      containers:
      - name: jenkins
        image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/cloudbees-cloud-core-oc:2.176.1.4

Save the file and then use kubectl to apply it, following the instructions in the CloudBees CI Installation Guide to deploy to your Kubernetes cluster.

An image pull secret is not required because ECR automatically authenticates and authorizes image AWS EC2 instances.

Step 4: After you deploy, specify your Managed Master image

After you deploy but before you launch a Master from the Operations Center, you must tell the Operations Center to use the Managed Master image from your ECR registry.

Once your CloudBees CI cluster is running, sign in to the Operations Center and open Manage Jenkins  Configure System  Container Master Provisioning. Replace the image (or images) with a new entry for your cje-mm image.

aws private registry

The Managed Master will be pulled from your private registry rather than Docker Hub.