NMS-13163: enable Docker Content Trust #21
Conversation
| name: Setup Environment Variables | ||
| command: | | ||
| echo "export CONTAINER_REGISTRY=docker.io" >> $BASH_ENV | ||
| echo "export CONTAINER_REGISTRY_REPO=opennmsdcttest" >> $BASH_ENV |
There was a problem hiding this comment.
The CONTAINER_REGISTRY (docker.io) and CONTAINER_REGISTRY_REPO/ORGANISATION (opennmsdcttest) are now given by CircleCI config instead of the config in the repository. What I see right now are three options:
- Container registry and organization directly in the repo in a config
- Container registry and organization directly in the CI/CD script
- Container registry and organization as an environment injected by a CircleCI context
Just double checking here if this is the best place to define the target publishing images with just in mind we might want to switch to a different registry structure. It's not super critical, read this here more like an informal comment not as a change request :)
There was a problem hiding this comment.
If the registry / organization should be settable from the outside then we should rethink how we handle the "no build args in FROM" limitation of docker builds with content trust. Some base images have to be addressed by the registry / organization.
Issue: https://issues.opennms.org/browse/NMS-13163
Before this can be merged DCT must be setup for the various image collections on GitHub. In particular, in a one-time action the root key for the OpenNMS repo, targets keys for the various image collections, and a delegate (signer) key must be created (and backed up).
After GitHub has been setup, additional environment variables have to be configured in Circle-CI, namely:
DELEGATE_PRIVATE_KEY: The base64 encoded value of the private keyDELEGATE_PRIVATE_KEY_NAME: The name (hash) of the private key fileDELEGATE_PRIVATE_KEY_PASSPHRASE: The passphrase to unlock the delegate key