heya,
in case anyone else gets stuck here my issue was that docker was looking
for keys in {workspace}/.docker as opposed to /home/jenkins/.docker.
mr. jenkins was creating a new root and repo key with each build and did
not find the delegation key i was trying to use (which was in
/home/jenkins/.docker).
On Wednesday, 12 June 2019 03:54:57 UTC+8, Albert Domenech wrote:
>
> I have an unsolved annoying issue regarding Jenkins pipelines and Docker
> Content Trust, I hope someone can give me a hand with it.
>
> I'm using Harbor as private registry and I activated Content Trust on my
> laptop's Docker daemon. Whenever I push a new Image to the registry
> manually from the shell, the daemon signs the Image as expected using my
> local signing keys.
>
> Then I followed the delegation process to allow Jenkins user to do the
> same. I created specific signing keys for it and added them to the registry
> from my laptop, so now Jenkins user is an allowed signer for specific
> projects.
>
> If I create and push new images from the Jenkins OS user shell, everything
> goes as expected also, meaning that the images are signed and pushed to the
> registry with all the meta info needed.
>
> The problem comes when I try to do the same from a Pipeline, for some
> strange reason, Docker is not able to find the signing keys, so the image
> is pushed but not signed. I tried in different ways, but always with the
> same result. "no valid signing keys for delegation roles"
>
> Curious thing that I observed is that "docker trust inspect ..." works
> both ways (from shell and pipeline) and shows Jenkins user as an allowed
> signer, but "notary key list" only works from the pipeline if I add
> "--configFile
> ~/.notary/config.json" parameter that in fact points to the default
> configuration path
>
> Here a partial extract from the stage I'm using:
>
> script {
> withEnv(['DOCKER_CONTENT_TRUST=1','DOCKER_CONTENT_TRUST_SERVER=
> https://harbor.example.com:4443']) {
> withCredentials([usernamePassword(credentialsId:
> "harbor_jenkins_credentials", usernameVariable: "HARBOR_USERNAME",
> passwordVariable: "HARBOR_PASSWORD")]) {
> sh "docker login --username=$HARBOR_USERNAME
> --password=$HARBOR_PASSWORD harbor.example.com"
> }
> withCredentials([string(credentialsId:
> 'docker-content-trust-repository-passphrase', variable:
> 'DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE'),
> string(credentialsId: 'docker-content-trust-root-passphrase', variable:
> 'DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE')]) {
> sh """#!/bin/bash
> printenv
> notary --configFile ~/.notary/config.json key list
> docker trust inspect --pretty harbor.example.com/services/test
> docker push harbor.example.com/services/test:${nextTag}
> <http://harbor.example.com/services/test:$%7BnextTag%7D>
> docker push harbor.example.com/services/test:${commitHash}
> <http://harbor.example.com/services/test:$%7BcommitHash%7D>
> docker push harbor.example.com/services/test:latest
> """
> }
> }
> }
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/dd6831c0-7abe-47e3-a055-57812e8d4891%40googlegroups.com.
