I have an unsolved annoying issue regarding Jenkins pipelines and Docker
Content Trust, I hope someone can give me a hand with it.
I'm using Harbor as private registry and I activated Content Trust on my
laptop's Docker daemon. Whenever I push a new Image to the registry
manually from the shell, the daemon signs the Image as expected using my
local signing keys.
Then I followed the delegation process to allow Jenkins user to do the
same. I created specific signing keys for it and added them to the registry
from my laptop, so now Jenkins user is an allowed signer for specific
projects.
If I create and push new images from the Jenkins OS user shell, everything
goes as expected also, meaning that the images are signed and pushed to the
registry with all the meta info needed.
The problem comes when I try to do the same from a Pipeline, for some
strange reason, Docker is not able to find the signing keys, so the image
is pushed but not signed. I tried in different ways, but always with the
same result. "no valid signing keys for delegation roles"
Curious thing that I observed is that "docker trust inspect ..." works both
ways (from shell and pipeline) and shows Jenkins user as an allowed signer,
but "notary key list" only works from the pipeline if I add "--configFile
~/.notary/config.json" parameter that in fact points to the default
configuration path
Here a partial extract from the stage I'm using:
script {
withEnv(['DOCKER_CONTENT_TRUST=1',
'DOCKER_CONTENT_TRUST_SERVER=https://harbor.example.com:4443']) {
withCredentials([usernamePassword(credentialsId:
"harbor_jenkins_credentials", usernameVariable: "HARBOR_USERNAME",
passwordVariable: "HARBOR_PASSWORD")]) {
sh "docker login --username=$HARBOR_USERNAME
--password=$HARBOR_PASSWORD harbor.example.com"
}
withCredentials([string(credentialsId:
'docker-content-trust-repository-passphrase', variable:
'DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE'),
string(credentialsId: 'docker-content-trust-root-passphrase', variable:
'DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE')]) {
sh """#!/bin/bash
printenv
notary --configFile ~/.notary/config.json key list
docker trust inspect --pretty harbor.example.com/services/test
docker push harbor.example.com/services/test:${nextTag}
docker push harbor.example.com/services/test:${commitHash}
docker push harbor.example.com/services/test:latest
"""
}
}
}
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/79ccc6f9-d3f5-453b-9739-4b9b886a555d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
