Issue
I have developed a Dockerized Spring Boot Application using as base image AdoptOpenJDK and using jib-maven-plugin
.
My plugin configuration is:
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<version>${jib-maven-plugin.version}</version>
<configuration>
<from>
<image>adoptopenjdk:11-jre-hotspot</image>
</from>
<to>
<image>public/my-app</image>
<tags>
<tag>latest</tag>
<tag>${project.version}</tag>
</tags>
</to>
<container>
<entrypoint>
<shell>bash</shell>
<option>-c</option>
<arg>/entrypoint.sh</arg>
</entrypoint>
<ports>
<port>8080</port>
</ports>
<environment>
<SPRING_OUTPUT_ANSI_ENABLED>ALWAYS</SPRING_OUTPUT_ANSI_ENABLED>
<JHIPSTER_SLEEP>0</JHIPSTER_SLEEP>
</environment>
<creationTime>USE_CURRENT_TIMESTAMP</creationTime>
</container>
<extraDirectories>
<paths>src/main/jib</paths>
<permissions>
<permission>
<file>/entrypoint.sh</file>
<mode>755</mode>
</permission>
</permissions>
</extraDirectories>
</configuration>
</plugin>
Everything is OK, and the app is builded correctly when launch ./mvnw package -Pprod -DskipTests jib:build -T16.0C
. Now I'm integrating my app in a CI/CD Jenkins Pipeline and I'm creating a command like the first but passing Auth data using variables:
./mvnw -ntp -T2.0C jib:build -Djib.from.auth.username=myUserName -Djib.from.auth.password=mygitlabtoken01 -Dimage=registry.gitlab.com/myapp -X
When I run it i get:
[INFO] Using credentials from Docker config (/Users/myUser/.docker/config.json) for registry.gitlab.com/neoris-emea-internal/ianthe/ianthe-app/ianthe
[DEBUG] attempting bearer auth for registry.gitlab.com/app...
[INFO] The base image requires auth. Trying again for adoptopenjdk:11-jre-hotspot...
[INFO] Using credentials from <from><auth> for adoptopenjdk:11-jre-hotspot
[DEBUG] Trying basic auth for adoptopenjdk:11-jre-hotspot...
[DEBUG] configured basic auth for registry-1.docker.io/library/adoptopenjdk
[DEBUG] TIMED Authenticating push to registry.gitlab.com : 1091.927 ms
[DEBUG] TIMED Building and pushing image : 1122.522 ms
[ERROR] I/O error for image [registry-1.docker.io/library/adoptopenjdk]:
[ERROR] javax.net.ssl.SSLHandshakeException
[ERROR] Remote host terminated the handshake
I do not understand anything:
- Why jib plugin is using my
.docker/config.json
if I have indicated the auth info with-Djib.from.auth.username=myUserName
? - Why am I getting
SSLHandshakeException
? Although the build is using my credentials, these are correct.
Solution
If you look at the log messages carefully, Jib did use your credentials you specified via from.auth.username|password
for adoptopenjdk
(which is hosted on Docker Hub).
Using credentials from <from><auth> for adoptopenjdk:11-jre-hotspot
Note the following line says the Docker config is used for registry.gitlab.com
(the target registry).
Using credentials from Docker config (/Users/myUser/.docker/config.json) for registry.gitlab.com/neoris-emea-internal/ianthe/ianthe-app/ianthe
About the SSLHandshakeException
, it has nothing to do with any Docker credentials. The error is from a much lower network layer (TLS protocol), so the failure is fundamentally unrelated to Jib or any application running in the JVM on Jenkins. It is basically telling you that any Java app on the JVM just cannot make a secure TLS connection to some hosts. There is no simple answer or solution to a TLS handshake failure, so get some help from a network and TLS expert if possible. Also check out other SO questions like this one.
Answered By - Chanseok Oh