Implementing ECR in Jenkins Pipeline

Jul 14, 2017

Basic terminology and links

Jenkins - a leading open source automation server.
Jenkins pipeline - a suite of plugins which supports implementing and integrating continuous delivery pipelines into Jenkins.
Jenkins declarative pipeline - a simplified and opinionated syntax on top of the Pipeline sub-systems.
AWS ECR - Amazon EC2 Container Registry.
Docker - the world’s leading software container platform.

Implementing ECR in Jenkins (declarative) Pipeline

This article will demonstrate how to implement ECR in Jenkins Pipeline. The code examples are in declarative pipeline, but can be easily adjusted to scripted pipeline, and some of it even are embeded as scripted pipleines using the ‘script’ blocks. The main pipeline is to build a Docker image and to upload it to ECR. In addition, the article shows how to pull an image from ECR and usage of it.

ECR and Jenkins preparations

In order to be able to ECR, you must perform the following actions:

Register to AWS and enable the ECR service. Ask your AWS administrator to do it or use AWS help pages for it.
Create ECR repository for your product
Create AWS ACCESS KEY ID and AWS SECRET ACCESS KEY. Ask your AWS administrator to do it or use AWS help pages for it.
Install aws CLI on the Jenkins server and it better be set in the PATH for ‘jenkins’ user.
run aws configure command for jenkins user or put ~/.aws/credentials file for ‘jenkins’ user. The file must contain the AWS ACCESS KEY ID and AWS SECRET ACCESS KEY and can contains also the default region as well.
Install Jenkins Amazon ECR Plugin
Install and configure CloudBees AWS Credentials Jenkins Plugin using the AWS ACCESS KEY ID and AWS SECRET ACCESS KEY in it.

The pipeline for building and pushing a Docker image to ECR

The Docker image build and push to ECR Jenkinsfile:

pipeline
{
    options
    {
        buildDiscarder(logRotator(numToKeepStr: '3'))
    }
    agent any
    environment 
    {
        VERSION = 'latest'
        PROJECT = 'tap_sample'
        IMAGE = 'tap_sample:latest'
        ECRURL = 'http://999999999999.dkr.ecr.eu-central-1.amazonaws.com'
        ECRCRED = 'ecr:eu-central-1:tap_ecr'
    }
    stages
    {
        stage('Build preparations')
        {
            steps
            {
                script 
                {
                    // calculate GIT lastest commit short-hash
                    gitCommitHash = sh(returnStdout: true, script: 'git rev-parse HEAD').trim()
                    shortCommitHash = gitCommitHash.take(7)
                    // calculate a sample version tag
                    VERSION = shortCommitHash
                    // set the build display name
                    currentBuild.displayName = "#${BUILD_ID}-${VERSION}"
                    IMAGE = "$PROJECT:$VERSION"
                }
            }
        }
        stage('Docker build')
        {
            steps
            {
                script
                {
                    // Build the docker image using a Dockerfile
                    docker.build("$IMAGE","examples/pipelines/TAP_docker_image_build_push_ecr")
                }
            }
        }
        stage('Docker push')
        {
            steps
            {
                script
                {
                    // login to ECR - for now it seems that that the ECR Jenkins plugin is not performing the login as expected. I hope it will in the future.
                    sh("eval \$(aws ecr get-login --no-include-email | sed 's|https://||')")
                    // Push the Docker image to ECR
                    docker.withRegistry(ECRURL, ECRCRED)
                    {
                        docker.image(IMAGE).push()
                    }
                }
            }
        }
    }
    
    post
    {
        always
        {
            // make sure that the Docker image is removed
            sh "docker rmi $IMAGE | true"
        }
    }
}

[ Code source: tikal-advanced-pipeline ]

Please notice that:

For ECR login I’ve used aws CLI command. I was expecting that the ECR plugin will perform the login, but it doesn’t.
The version calculations are not the main topic here, it is just an example

Here’s an image of the pipeline job main screen after few builds:

PIPELINE SCREENSHOT

Here’s an image of the ECR repository screen after the image upload:

ECR REPOSITORY

The pipeline for pulling a Docker image from ECR

The Docker image pull from ECR Jenkinsfile:

pipeline
{
    options
    {
        buildDiscarder(logRotator(numToKeepStr: '3'))
    }

    agent any
    environment 
    {
        PROJECT = 'tap_sample'
        ECRURL = 'http://999999999999.dkr.ecr.eu-central-1.amazonaws.com'
        ECRCRED = 'ecr:eu-central-1:tap_ecr'
    }
    stages
    {
        stage('Docker image pull')
        {
            steps
            {
                script
                {
                    sh("eval \$(aws ecr get-login --no-include-email | sed 's|https://||')")
                    docker.withRegistry(ECRURL, ECRCRED)
                    {
                        docker.image(PROJECT).pull()
                    }
                }
            }
        }
    }
}

[ Code source: tikal-advanced-pipeline ]

For any help on this, contact me: yorammi

Yoram Michaeli

DevOps Tech Leader

DevOps Group

Thank you for your interest!

We will contact you as soon as possible.