Azure / acr

Azure Container Registry samples, troubleshooting tips and references
https://aka.ms/acr

Azure ACR notary authentication #570

Closed panepintog closed 1 year ago

panepintog commented 3 years ago

Hello,

I am creating an ACR task with the following YAML definition:

version: v1.1.0
env: 
  - DOCKER_CONTENT_TRUST=1
  - DOCKER_CONTENT_TRUST_SERVER=https://{{.Run.Registry}}:443
secrets:
  - id: gittoken
    keyvault: https://<KVNAME>.vault.azure.net/secrets/git-devops2

steps:
  - cmd: 
      bash echo "Hello"

  - build: >
     -t {{.Run.Registry}}/app_container:app_{{.Run.ID}}
     -f ./Dockerfile https://{{.Secrets.gittoken}}:<ORGNAME>@dev.azure.com/<ORGNAME>/dev_team/_git/container_creation#main

  - push: 
    - "{{.Run.Registry}}/app_container:app_{{.Run.ID}}"

2021/08/19 06:55:57 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
2021/08/19 06:56:01 Creating Docker network: acb_default_network, driver: 'bridge'
2021/08/19 06:56:01 Successfully set up Docker network: acb_default_network
2021/08/19 06:56:01 Setting up Docker configuration...
2021/08/19 06:56:02 Successfully set up Docker configuration
2021/08/19 06:56:02 Logging in to registry: registryname.azurecr.io
2021/08/19 06:56:03 Successfully logged into registryname.azurecr.io
2021/08/19 06:56:03 Executing step ID: acb_step_0. Timeout(sec): 600, Working directory: '', Network: 'acb_default_network'
2021/08/19 06:56:03 Launching container with name: acb_step_0
---
2021/08/19 06:56:03 Successfully executed container: acb_step_0
2021/08/19 06:56:03 Executing step ID: acb_step_1. Timeout(sec): 600, Working directory: '', Network: 'acb_default_network'
2021/08/19 06:56:03 Scanning for dependencies...
2021/08/19 06:56:07 Successfully scanned dependencies
2021/08/19 06:56:07 Launching container with name: acb_step_1
Sending build context to Docker daemon  67.11kB
error during connect: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.41/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&t=registryname.azurecr.io%2Fapp_container%3Aapp_ds1a&target=&ulimits=null&version=1: Error: error contacting notary server: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
2021/08/19 06:56:08 Container failed during run: acb_step_1. No retries remaining.
failed to run step ID: acb_step_1: exit status 1

I get the following error when running the task: Error: error contacting notary server: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information

If I remove the variable - DOCKER_CONTENT_TRUST_SERVER=https://{{.Run.Registry}}:443, it all works as expected.

My objective is to force the Docker client to use the notary server exposed by ACR. How do I authenticate the task against the notary endpoint?

northtyphoon commented 3 years ago

Prerequisite

1. Enable Content Trust on the registry.

az acr config content-trust update --name $REGISTRY_NAME --status enabled

2. Create a service principal and assign acrpush and AcrImageSigner role.

REGISTRY_ID=$(az acr show --name $REGISTRY_NAME --query id --output tsv)
SP_PASSWD=$(az ad sp create-for-rbac --name http://$SP_NAME --scopes $REGISTRY_ID --role acrpush --query password --output tsv)
SP_APP_ID=$(az ad sp show --id http://$SP_NAME --query appId --output tsv)
az role assignment create --scope $REGISTRY_ID --role AcrImageSigner --assignee $SP_APP_ID

[NOTE]: The reason to create the service principal is that Tasks is currently unable to generate the qualified access token for content trust.

3. Generate content trust delegation key and register it (public key) to sign the target repository. The private key will be used by Tasks to sign the image.

docker trust key generate $SIGNER_NAME
docker trust signer add --key $SIGNER_NAME.pub $SIGNER_NAME $(az acr show --name $REGISTRY_NAME --query loginServer --output tsv)/$REGISTRY_REPOSITORY

Tasks basic workflow

1. Login to the registry using the service principal.

2. Save and load the delegation private key to local content trust store.

3. Docker build and push the image with content trust enabled (e.g., --disable-content-trust=false)

Example

[NOTE]: The following example uses values (values.yaml) to pass signing key and other credentials.

acb.yaml

version: v1.1.0

steps:
  # log in with the service principal first; the task is run with --auth-mode None
  - cmd: docker login {{.Values.REGISTRY}} -u {{.Values.REGISTRY_USER}} -p {{.Values.REGISTRY_PASSWORD}}
  # save the delegation key to the .docker/trust/private folder and make it readable and writable only by the current user
  - cmd: bash -c 'mkdir -p $HOME/.docker/trust/private'
  - cmd: |
      bash -c 'echo "-----BEGIN ENCRYPTED PRIVATE KEY-----
      {{.Values.SIGNING_KEY_CONTENT | indent 6}}
      -----END ENCRYPTED PRIVATE KEY-----" > $HOME/.docker/trust/private/{{.Values.SIGNING_KEY_NAME}}'
  - cmd: bash -c 'chmod 600 $HOME/.docker/trust/private/{{.Values.SIGNING_KEY_NAME}}'
  # load the key into the local content trust store; the passphrase unlocks the encrypted PEM
  - cmd: docker trust key load $HOME/.docker/trust/private/{{.Values.SIGNING_KEY_NAME}}
    env:
     - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE={{.Values.SIGNING_KEY_PASSPHRASE}}
  # build and push an image with content trust enabled
  - cmd: bash -c 'echo "FROM bash" > Dockerfile'
  - cmd: docker build -t {{.Values.REGISTRY}}/bash:{{.Run.ID}} .
  - cmd: docker push --disable-content-trust=false {{.Values.REGISTRY}}/bash:{{.Run.ID}}
    env:
     - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE={{.Values.SIGNING_KEY_PASSPHRASE}}

values.yaml

SIGNING_KEY_NAME: 0e0332442d730e071c82dbc60fe893655c14ab5d2ed20851bc0f47e898938b78.key
SIGNING_KEY_PASSPHRASE: abcd
SIGNING_KEY_CONTENT: |-
    role: bindu

    MIHuMEkSDFDSFSFSDFSDFSFSsBsGCSqGSIb3DQEFDDAOBAibk1RlrhGT3wICCAAw
    HQYJYIZIAWUDBAEqBBAwE8RT2SFSDFSFSFDSFSFSDIGgXBLeXskLcz1V3+r65Qzx
    Yijp9zyL6SAL8Mgo3CQBJBqv24cIzuBkkfKKNV0zE1UobR7R2gOLH6QiV388nE22
    O5cKzPliIVNK6UJpI5hMAdIqqP5Y1zG0xJVwLKZMUSFDSFSSFSFSDFSFFTmKOuWP
    RkVwXgnaEThVg1/UVuSwWs0yQn0mXEWGCqPBSDFSDFSDFSDFSFDSFSFS5AgQ4tCC
    mQ==
REGISTRY_USER: 5ca3bd53-1111-1111-1111-653e3e54cf01
REGISTRY_PASSWORD: e0d7801a-1111-1111-1111-3c8fdb74c9f2
REGISTRY: myregsitry.azurecr.io

cli

az acr run -r myregsitry --auth-mode None -f acb.yaml --values values.yaml .
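
The values.yaml above has to carry the body of the delegation key without its PEM markers, since acb.yaml re-adds them. The following script is an added example, not code from the issue or the acr repo: it builds that values file from the key that `docker trust key generate` stores under ~/.docker/trust/private/<key-id>.key, and refuses a file that is not a delegation key or that other users can read. The argument names and the output file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or the acr repo: build the values.yaml that the
# acb.yaml above consumes from a Notary delegation key. Assumes (hypothetical names) the key
# file written by `docker trust key generate` under ~/.docker/trust/private/<key-id>.key and
# the passphrase, registry and service-principal credentials passed as arguments.

# Print the PEM body: the "role:" header, the blank line and the base64 lines between the
# BEGIN/END markers. The markers are dropped because acb.yaml re-adds them.
pem_body() {
    sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----$/,/^-----END ENCRYPTED PRIVATE KEY-----$/p' "$1" |
        grep -v '^-----'
}

# Refuse a file that is not a delegation key (no "role:" header) or that is readable by
# group/others: outside the task, only file permissions and the passphrase guard the key.
check_key_file() {
    [ -f "$1" ] || { echo "missing key file: $1" >&2; return 1; }
    grep -q '^role: ' "$1" || { echo "no role header, not a delegation key: $1" >&2; return 1; }
    case "$(ls -ld "$1")" in
        -???------*) ;;
        *) echo "key is readable by group/others, run chmod 600: $1" >&2; return 1 ;;
    esac
}

# Emit values.yaml on stdout with the key body as a four-space-indented literal block,
# matching the layout in the answer; blank lines inside the block stay empty.
make_values() {
    key_file=$1 passphrase=$2 registry=$3 user=$4 password=$5
    check_key_file "$key_file" || return 1
    printf 'SIGNING_KEY_NAME: %s\n' "$(basename "$key_file")"
    printf 'SIGNING_KEY_PASSPHRASE: %s\n' "$passphrase"
    printf 'SIGNING_KEY_CONTENT: |-\n'
    pem_body "$key_file" | sed 's/^/    /; s/^ *$//'
    printf 'REGISTRY_USER: %s\nREGISTRY_PASSWORD: %s\nREGISTRY: %s\n' "$user" "$password" "$registry"
}

# Usage: sh make-values.sh <key-file> <passphrase> <registry> <sp-app-id> <sp-password> > values.yaml
if [ "$#" -eq 5 ]; then
    make_values "$@"
fi
```

The generated file holds the signing passphrase and the service principal secret in clear, so keep it out of source control and remove it once `az acr run --values` has consumed it.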

terencet-dev commented 1 year ago

Closing as this has been inactive for over three months. Please open a support ticket with our team for assistance.