Docker content trust from pipelines
572 views
Skip to first unread message
Albert Domenech
Jun 11, 2019, 3:54:57 PM6/11/19
to Jenkins Users
I have an unsolved annoying issue regarding Jenkins pipelines and Docker Content Trust, I hope someone can give me a hand with it.
I'm using Harbor as private registry and I activated Content Trust on my laptop's Docker daemon. Whenever I push a new Image to the registry manually from the shell, the daemon signs the Image as expected using my local signing keys.
Then I followed the delegation process to allow Jenkins user to do the same. I created specific signing keys for it and added them to the registry from my laptop, so now Jenkins user is an allowed signer for specific projects.
If I create and push new images from the Jenkins OS user shell, everything goes as expected also, meaning that the images are signed and pushed to the registry with all the meta info needed.
The problem comes when I try to do the same from a Pipeline, for some strange reason, Docker is not able to find the signing keys, so the image is pushed but not signed. I tried in different ways, but always with the same result. "no valid signing keys for delegation roles"
Curious thing that I observed is that "docker trust inspect ..." works both ways (from shell and pipeline) and shows Jenkins user as an allowed signer, but "notary key list" only works from the pipeline if I add "--configFile ~/.notary/config.json" parameter that in fact points to the default configuration path
Here a partial extract from the stage I'm using:
I'm using Harbor as private registry and I activated Content Trust on my laptop's Docker daemon. Whenever I push a new Image to the registry manually from the shell, the daemon signs the Image as expected using my local signing keys.
Then I followed the delegation process to allow Jenkins user to do the same. I created specific signing keys for it and added them to the registry from my laptop, so now Jenkins user is an allowed signer for specific projects.
If I create and push new images from the Jenkins OS user shell, everything goes as expected also, meaning that the images are signed and pushed to the registry with all the meta info needed.
The problem comes when I try to do the same from a Pipeline, for some strange reason, Docker is not able to find the signing keys, so the image is pushed but not signed. I tried in different ways, but always with the same result. "no valid signing keys for delegation roles"
Curious thing that I observed is that "docker trust inspect ..." works both ways (from shell and pipeline) and shows Jenkins user as an allowed signer, but "notary key list" only works from the pipeline if I add "--configFile ~/.notary/config.json" parameter that in fact points to the default configuration path
Here a partial extract from the stage I'm using:
script {
withEnv(['DOCKER_CONTENT_TRUST=1','DOCKER_CONTENT_TRUST_SERVER=https://harbor.example.com:4443']) {
withCredentials([usernamePassword(credentialsId: "harbor_jenkins_credentials", usernameVariable: "HARBOR_USERNAME", passwordVariable: "HARBOR_PASSWORD")]) {
sh "docker login --username=$HARBOR_USERNAME --password=$HARBOR_PASSWORD harbor.example.com"
}
withCredentials([string(credentialsId: 'docker-content-trust-repository-passphrase', variable: 'DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE'),
string(credentialsId: 'docker-content-trust-root-passphrase', variable: 'DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE')]) {
sh """#!/bin/bash
printenv
notary --configFile ~/.notary/config.json key list
docker trust inspect --pretty harbor.example.com/services/test
docker push harbor.example.com/services/test:${nextTag}
docker push harbor.example.com/services/test:${commitHash}
docker push harbor.example.com/services/test:latest
"""
}
}
}
alex mozejko
Mar 24, 2020, 2:49:39 PM3/24/20
to Jenkins Users
heya,
in case anyone else gets stuck here my issue was that docker was looking for keys in {workspace}/.docker as opposed to /home/jenkins/.docker.
mr. jenkins was creating a new root and repo key with each build and did not find the delegation key i was trying to use (which was in /home/jenkins/.docker).
Reply all
Reply to author
Forward
0 new messages