
Declarative Jenkins pipeline: is it possible to build Dockerfile with SSH credentials?

I'm trying to set up the following Jenkins pipeline:

  1. Pipeline checked out from SCM
  2. Build runs inside a Docker container
  3. Docker image is built from a Dockerfile
  4. Docker image needs SSH access, therefore --ssh flag is used

There's the ssh-agent plugin, but it can only be used after the container is built, which means docker layer cache can't be used. I could also use a scripted pipeline, but then it forces my whole pipeline to be scripted.

I also tried to pass the credentials file using the --secret flag in docker, but I couldn't find a way to use credentials in additionalBuildArgs: if I call credentials(), I just get a non-transformed pipeline object. If this worked, it could actually be a solution:

agent {
    dockerfile {
        additionalBuildArgs('--secret id=secret,src=' + credentials('credential'))
    }
}

I also thought of moving the agent definition outside the declarative pipeline object, but found no way of using the agent later in pipeline.

Is there a way to make this work with declarative pipelines, or at least to keep most of it declarative?

At the time of posting this answer, it is not possible to accomplish that with a declarative pipeline. Transformation and execution of declarative agent declaration is not flexible enough to allow this kind of thing to happen. What is, however, possible, is to create a pipeline library function to call docker.build within an sshagent block. This, of course, will not be as clean as using declarative agents.

One can view source code of Docker integration here:

https://github.com/jenkinsci/docker-workflow-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/docker/workflow/Docker.groovy
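
One way to structure the library function the answer describes, as an added example that is not part of the original answer or of the plugin's code. The step name buildImageWithSsh, the library name, the image tag and the parameter names are hypothetical; it assumes the SSH Agent and Docker Pipeline plugins, a BuildKit-capable Docker on the agent, and a Dockerfile whose SSH-dependent steps use RUN --mount=type=ssh. With the agent forwarded this way the private key is available only during those RUN steps and is not written into an image layer.

```groovy
// ---- vars/buildImageWithSsh.groovy (shared library; step name is hypothetical) ----
// cfg.image, cfg.credentialsId and cfg.context are parameter names assumed for this example.
def call(Map cfg, Closure body) {
    String context = cfg.context ?: '.'
    def image

    // sshagent starts an ssh-agent loaded with the Jenkins SSH credential
    // and exports SSH_AUTH_SOCK for the enclosed steps only.
    sshagent(credentials: [cfg.credentialsId]) {
        // `docker build --ssh` requires BuildKit.
        withEnv(['DOCKER_BUILDKIT=1']) {
            // "--ssh default" forwards SSH_AUTH_SOCK to RUN --mount=type=ssh steps.
            // When extra args are passed to docker.build, the build context
            // path must be the last argument.
            image = docker.build(cfg.image, "--ssh default ${context}")
        }
    }

    // The agent has been stopped here; the remaining work runs inside
    // the built image without access to the key.
    image.inside {
        body()
    }
}

// ---- Jenkinsfile (everything except the script block stays declarative) ----
@Library('my-shared-library') _   // hypothetical library name

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                script {
                    // 'credential' is the credential ID used in the question;
                    // 'build-env' is a placeholder image tag.
                    buildImageWithSsh(image: 'build-env', credentialsId: 'credential') {
                        sh 'make'   // placeholder build command
                    }
                }
            }
        }
    }
}
```

Because the image is built with a plain docker build on the node, unchanged Dockerfile layers are still served from the local layer cache on subsequent runs.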
