I have done this in the past following a recipe that involves the following:
1.
The docker://<image coordinates> syntax for the "pipe" call
see https://support.atlassian.com/bitbucket-cloud/docs/configure-bitbucket-pipelinesyml/
2.
A private "insecure" Docker registry
3.
A custom pipeline Docker image derived from the Atlassian pipeline image and deployed to the "insecure" Docker registry
4.
A custom docker-in-docker image derived from "docker:dind"
with --insecure-registry pointing to the "insecure" Docker registry
FROM docker:dind
ENV CUSTOM_DOCKER_OPTS="--insecure-registry=myinsecureregistryhost:myinsecureregistryport $DOCKER_OPTS"
ENTRYPOINT [ "sh", "-c", "dockerd-entrypoint.sh $CUSTOM_DOCKER_OPTS" ]
5.
The following in the bitbucket-pipelines.yml
definitions:
services:
docker:
image: myinsecureregistryhost:myinsecureregistryport/mydockerindockerimage
- pipe: docker: variables:
BITBUCKET_USERNAME: ...
BITBUCKET_APP_PASSWORD: ...
REPOSITORY: ...
REF_TYPE: ...
REF_NAME: ...
The complete recipe includes:
runners on private Docker servers
using custom images for "pause", "auth_proxy" and "clone" operations
all derived from the originals and deployed to the "insecure" registry mentioned above.
see https://support.atlassian.com/bitbucket-cloud/docs/use-your-docker-images-in-self-hosted-runners/
This way all the executable parts of the build are privately hosted and secure.
I hope this helps everyone.
However, I have to agree, even though I have been using my recipe successfully for over a year now, this is indeed a strange limitation and rather unfriendly or complicated to setup for company environments which are expected to have less permissive policies.
It's really weird to me that this is not supported. Granted, it seems like that's just Bitbucket in general. I've never had to roll so much custom tooling to support a CI solution before, it's nuts.
Anyways, for any unfortunate soul that stumbles upon this, just wanted to confirm the 'workaround' still works.
I've provided an example below for how I did this, for context we have self-hosted Bitbucket pipeline runners on swarm and our registry uses https. This approach should work for ECR as well.