Docker content trust from pipelines

Docker content trust from pipelines

Albert Domenech
I have an unsolved, annoying issue regarding Jenkins pipelines and Docker Content Trust; I hope someone can give me a hand with it.

I'm using Harbor as a private registry and I activated Content Trust on my laptop's Docker daemon. Whenever I push a new image to the registry manually from the shell, the daemon signs the image as expected using my local signing keys.

Then I followed the delegation process to allow the Jenkins user to do the same. I created specific signing keys for it and added them to the registry from my laptop, so now the Jenkins user is an allowed signer for specific projects.

If I create and push new images from the Jenkins OS user's shell, everything also goes as expected, meaning that the images are signed and pushed to the registry with all the meta info needed.

The problem comes when I try to do the same from a pipeline. For some strange reason, Docker is not able to find the signing keys, so the image is pushed but not signed. I tried in different ways, but always with the same result: "no valid signing keys for delegation roles".

A curious thing I observed is that "docker trust inspect ..." works both ways (from the shell and from the pipeline) and shows the Jenkins user as an allowed signer, but "notary key list" only works from the pipeline if I add the "--configFile ~/.notary/config.json" parameter, which in fact points to the default configuration path.

Here is a partial extract from the stage I'm using:

script {
  withEnv(['DOCKER_CONTENT_TRUST=1', 'DOCKER_CONTENT_TRUST_SERVER=https://harbor.example.com:4443']) {
    withCredentials([usernamePassword(credentialsId: 'harbor_jenkins_credentials',
                                      usernameVariable: 'HARBOR_USERNAME',
                                      passwordVariable: 'HARBOR_PASSWORD')]) {
      // Single-quoted Groovy string: the shell expands the variables at run time,
      // so the credential values are not interpolated into the script text by Groovy.
      sh 'docker login --username="$HARBOR_USERNAME" --password="$HARBOR_PASSWORD" harbor.example.com'
    }
    withCredentials([string(credentialsId: 'docker-content-trust-repository-passphrase', variable: 'DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE'),
                     string(credentialsId: 'docker-content-trust-root-passphrase', variable: 'DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE')]) {
      // Triple-quoted string: ${nextTag} and ${commitHash} are pipeline variables
      // interpolated by Groovy before the script runs.
      sh """#!/bin/bash
        printenv
        notary --configFile ~/.notary/config.json key list
        docker trust inspect --pretty harbor.example.com/services/test
        docker push harbor.example.com/services/test:${nextTag}
        docker push harbor.example.com/services/test:${commitHash}
        docker push harbor.example.com/services/test:latest
      """
    }
  }
}


--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/79ccc6f9-d3f5-453b-9739-4b9b886a555d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Docker content trust from pipelines

alex mozejko
heya,

in case anyone else gets stuck here, my issue was that Docker was looking for keys in {workspace}/.docker as opposed to /home/jenkins/.docker.

Mr. Jenkins was creating a new root and repo key with each build and did not find the delegation key I was trying to use (which was in /home/jenkins/.docker).

On Wednesday, 12 June 2019 03:54:57 UTC+8, Albert Domenech wrote:


To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/dd6831c0-7abe-47e3-a055-57812e8d4891%40googlegroups.com.
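The reply above pins the failure on the Docker CLI reading its trust material from a different directory than the one holding the delegation key. The following bash functions are an added example (not code from either poster) for the kind of pre-flight and post-push check a pipeline's sh step can run: resolve the config directory the CLI will actually use (DOCKER_CONFIG, else $HOME/.docker), refuse to push when no private trust key is present there, and confirm afterwards that the tag really appears under SignedTags in the JSON from "docker trust inspect". The function names and the SAMPLE_TRUST_JSON value are my own constructions, not anything from the thread.

```shell
#!/bin/bash
# Added example (not code from either poster): checks for a Jenkins "sh" step
# that pushes with DOCKER_CONTENT_TRUST=1. The Docker CLI keeps trust keys under
# $DOCKER_CONFIG/trust/private, and DOCKER_CONFIG defaults to $HOME/.docker; if
# either variable points at the workspace, the delegation key stored under
# /home/jenkins/.docker is never found and the CLI generates fresh keys, which
# is the symptom described in the thread.

# Print the directory the Docker CLI will use for its configuration.
dct_config_dir() {
  if [ -n "${DOCKER_CONFIG:-}" ]; then
    printf '%s\n' "$DOCKER_CONFIG"
  else
    printf '%s\n' "${HOME}/.docker"
  fi
}

# Succeed only if at least one private trust key exists in that directory.
dct_has_private_keys() {
  dir="$(dct_config_dir)/trust/private"
  [ -d "$dir" ] || return 1
  n=$(find "$dir" -type f -name '*.key' | wc -l)
  [ "$n" -gt 0 ]
}

# Fail the build early with a clear message instead of pushing unsigned tags.
dct_require_keys() {
  if dct_has_private_keys; then
    echo "content trust keys found under $(dct_config_dir)/trust/private"
    return 0
  fi
  echo "no trust keys under $(dct_config_dir)/trust/private;" \
       "set DOCKER_CONFIG (or HOME) to the directory holding the delegation key" >&2
  return 1
}

# After the push: succeed only if <tag> is listed under SignedTags in the JSON
# that "docker trust inspect <repo>" prints (fed on stdin). Tags are assumed to
# contain only [A-Za-z0-9_.-]; jq is the more robust choice where available.
dct_tag_is_signed() {
  grep -Eq "\"SignedTag\"[[:space:]]*:[[:space:]]*\"$1\""
}

# Constructed sample of "docker trust inspect" output (digest is a placeholder),
# used only to exercise dct_tag_is_signed offline.
SAMPLE_TRUST_JSON='[{"Name":"harbor.example.com/services/test","SignedTags":[{"SignedTag":"latest","Digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000","Signers":["jenkins"]}]}]'
```

In the pipeline's sh step the sequence would be `dct_require_keys && docker push harbor.example.com/services/test:latest && docker trust inspect harbor.example.com/services/test | dct_tag_is_signed latest`, so a build that cannot sign fails before it pushes, and a push whose signature did not land fails afterwards rather than leaving an unsigned tag in the registry unnoticed.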