Using AWS Elastic Container Registry (ECR) with CloudBees Core

  • store Docker images for faster builds

  • manage Docker images for better repeatability

  • deploy Docker images for easier development

This document will give you an overview of using ECR with CloudBees Core. Refer to the official documentation for full coverage of ECR:

Create an ECR registry

First you must create a registry in ECR. You can do this via the AWS Console or via the AWS SDK. Once you create your registry take note of your registry hostname which will be formatted like this:

# {id-number}.dkr.ecr.{region}

Using an ECR registry in a Jenkins pipeline

CloudBees Core relies on the Jenkins Kubernetes Plugin to run Docker images in your Kubernetes cluster. The Jenkins Kubernetes Plugin documentation explains how to specify which Docker images are used in your pipelines.

As part of running CloudBees Core on AWS, your pipelines will be running on AWS EC2 instances. AWS EC2 instances are automatically authenticated and authorized to use ECR (as long as the IAM profile used on the nodes allows access to ECR). For other private registries, the Jenkins Kubernetes Plugin uses a Kubernetes Secret imagePullSecret with the registry login credentials for the registry.

Deploying the CloudBees Core images from ECR

If you want to deploy CloudBees Core itself from your ECR registry, you must pull the images from Docker Hub and push them to your registry. Use the following steps:

Step 1: Pull CloudBees Core images from Docker Hub

Login to Docker Hub via docker login and pull the two images. Examine the CloudBees Core Kubernetes configuration file cloudbees-core.yml file to determine which version number to use for these images. Here’s an example for version that first pulls the cloudbees-cloud-core-oc Operations Center image and then the cloudbees-core-mm Managed Master image.

$ docker pull cloudbees/cloudbees-cloud-core-oc:
$ docker pull cloudbees/cloudbees-core-mm:

Step 2: Push images to your ECR registry

Once you have pulled the images, tag the images and push them to your ECR registry.

When you tag them you must replace "cloudbees" with your registry hostname. For example:

$ docker tag cloudbees/cloudbees-cloud-core-oc:
$ docker tag cloudbees/cloudbees-core-mm:

Next, push the images to ECR:

$ docker push
$ docker push

Step 3: Change cloudbees-core.yml to use your AWS Registry

Change the CloudBees Core Kubernetes configuration file cloudbees-core.yml to use the images from your private ECR registry rather than Docker Hub. Use the tag assigned earlier (for example, as the image name.

Use your favorite editor to edit the cloudbees-core.yml file and to search for the StatefulSet named cjoc. Look for the "spec" element inside the cjoc StatefulSet. The excerpt below shows where the image name is specified. Make sure that the image name matches the tag that you applied to cloudbees-cloud-core-oc above:

      serviceAccountName: cjoc
      terminationGracePeriodSeconds: 10
      - name: jenkins

Save the file and then use kubectl to apply it, following the instructions in the CloudBees Core Installation Guide to deploy to your Kubernetes cluster.

An image pull secret is not required because ECR automatically authenticates and authorizes image AWS EC2 instances.

Step 4: After you deploy, specify your Managed Master image

After you deploy but before you launch a Master from the Operations Center, you must tell the Operations Center to use the Managed Master image from your ECR registry.

Once your CloudBees Core cluster is running, log in to the Operations Center and open Manage Jenkins  Configure System  Container Master Provisioning. Replace the image (or images) with a new entry for your cje-mm image.

aws private registry

The Managed Master will be pulled from your private registry rather than Docker Hub.

Copyright © 2010-2020 CloudBees, Inc.Online version published by CloudBees, Inc. under the Creative Commons Attribution-ShareAlike 4.0 license.CloudBees and CloudBees DevOptics are registered trademarks and CloudBees Core, CloudBees Flow, CloudBees Flow Deploy, CloudBees Flow DevOps Insight, CloudBees Flow DevOps Foresight, CloudBees Flow Release, CloudBees Accelerator, CloudBees Accelerator ElectricInsight, CloudBees Accelerator Electric Make, CloudBees CodeShip, CloudBees Jenkins Enterprise, CloudBees Jenkins Platform, CloudBees Jenkins Operations Center, and DEV@cloud are trademarks of CloudBees, Inc. Most CloudBees products are commonly referred to by their short names — Accelerator, Automation Platform, Flow, Deploy, Foresight, Release, Insight, and eMake — throughout various types of CloudBees product-specific documentation. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Jenkins is a registered trademark of the non-profit Software in the Public Interest organization. Used with permission. See here for more info about the Jenkins project. The registered trademark Jenkins® is used pursuant to a sublicense from the Jenkins project and Software in the Public Interest, Inc. Read more at Apache, Apache Ant, Apache Maven, Ant and Maven are trademarks of The Apache Software Foundation. Used with permission. No endorsement by The Apache Software Foundation is implied by the use of these marks.Other names may be trademarks of their respective owners. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this content, and CloudBees was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this content, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.