Closed panepintog closed 1 year ago
Prerequisite
1. Enable Content Trust on the registry.
az acr config content-trust update --name $REGISTRY_NAME --status enabled
2. Create a service principal and assign acrpush and AcrImageSigner role.
REGISTRY_ID=$(az acr show --name $REGISTRY_NAME --query id --output tsv)
SP_PASSWD=$(az ad sp create-for-rbac --name http://$SP_NAME --scopes $REGISTRY_ID --role acrpush --query password --output tsv)
SP_APP_ID=$(az ad sp show --id http://$SP_NAME --query appId --output tsv)
az role assignment create --scope $REGISTRY_ID --role AcrImageSigner --assignee $SP_APP_ID
[NOTE]: The reason to create the service principal is that Tasks is currently unable to generate a qualified access token for content trust.
3. Generate content trust delegation key and register it (public key) to sign the target repository. The private key will be used by Tasks to sign the image.
docker trust key generate $SIGNER_NAME
docker trust signer add --key $SIGNER_NAME.pub $SIGNER_NAME $(az acr show --name $REGISTRY_NAME --query loginServer --output tsv)/$REGISTRY_REPOSITORY
Tasks basic workflow
1. Login to the registry using the service principal.
2. Save and load the delegation private key to local content trust store.
3. Docker build and push the image with content trust enabled (e.g., --disable-content-trust=false).
Example
[NOTE]: The following example uses values (values.yaml) to pass signing key and other credentials.
acb.yaml
version: v1.1.0
steps:
  # need to save the key to the .docker/trust/private folder first and make it read-write only for the current user
  - cmd: bash -c 'mkdir -p $HOME/.docker/trust/private'
  - cmd: |
      bash -c 'echo "-----BEGIN ENCRYPTED PRIVATE KEY-----
      {{.Values.SIGNING_KEY_CONTENT | indent 6}}
      -----END ENCRYPTED PRIVATE KEY-----" > $HOME/.docker/trust/private/{{.Values.SIGNING_KEY_NAME}}'
  - cmd: bash -c 'chmod 600 $HOME/.docker/trust/private/{{.Values.SIGNING_KEY_NAME}}'
  - cmd: docker trust key load $HOME/.docker/trust/private/{{.Values.SIGNING_KEY_NAME}}
    env:
      - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE={{.Values.SIGNING_KEY_PASSPHRASE}}
  # build and push an image with content trust enabled
  - cmd: bash -c 'echo "FROM bash" > Dockerfile'
  - cmd: docker build -t {{.Values.REGISTRY}}/bash:{{.Run.ID}} .
  - cmd: docker push --disable-content-trust=false {{.Values.REGISTRY}}/bash:{{.Run.ID}}
    env:
      - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE={{.Values.SIGNING_KEY_PASSPHRASE}}
values.yaml
SIGNING_KEY_NAME: 0e0332442d730e071c82dbc60fe893655c14ab5d2ed20851bc0f47e898938b78.key
SIGNING_KEY_PASSPHRASE: abcd
SIGNING_KEY_CONTENT: |-
  role: bindu
  MIHuMEkSDFDSFSFSDFSDFSFSsBsGCSqGSIb3DQEFDDAOBAibk1RlrhGT3wICCAAw
  HQYJYIZIAWUDBAEqBBAwE8RT2SFSDFSFSFDSFSFSDIGgXBLeXskLcz1V3+r65Qzx
  Yijp9zyL6SAL8Mgo3CQBJBqv24cIzuBkkfKKNV0zE1UobR7R2gOLH6QiV388nE22
  O5cKzPliIVNK6UJpI5hMAdIqqP5Y1zG0xJVwLKZMUSFDSFSSFSFSDFSFFTmKOuWP
  RkVwXgnaEThVg1/UVuSwWs0yQn0mXEWGCqPBSDFSDFSDFSDFSFDSFSFS5AgQ4tCC
  mQ==
REGISTRY_USER: 5ca3bd53-1111-1111-1111-653e3e54cf01
REGISTRY_PASSWORD: e0d7801a-1111-1111-1111-3c8fdb74c9f2
REGISTRY: myregsitry.azurecr.io
cli
az acr run -r myregsitry --auth-mode None -f acb.yaml --values values.yaml .
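As an added defender-side check (not code from this issue, from ACR Tasks or from Docker): once the task has pushed a tag with content trust, the tag can be verified against the delegation signer registered in step 3 before anything deploys it. The JSON layout is that of `docker trust inspect`; the signer name `mysigner`, the digests and the second signer are assumed/constructed, and the key ID is assumed to equal the file stem of SIGNING_KEY_NAME above (docker trust names private key files after the key ID).

```python
import json

# Assumed: the delegation key ID is the file stem of SIGNING_KEY_NAME in values.yaml.
EXPECTED_KEY_ID = "0e0332442d730e071c82dbc60fe893655c14ab5d2ed20851bc0f47e898938b78"
EXPECTED_SIGNER = "mysigner"  # assumed value of $SIGNER_NAME from the prerequisites

# Constructed sample of `docker trust inspect myregsitry.azurecr.io/bash` output;
# digests, the second signer and the admin key IDs are made up for this example.
SAMPLE_TRUST_INSPECT = json.dumps([{
    "Name": "myregsitry.azurecr.io/bash",
    "SignedTags": [
        {"SignedTag": "cb1", "Digest": "1111aaaa", "Signers": [EXPECTED_SIGNER]},
        {"SignedTag": "cb2", "Digest": "2222bbbb", "Signers": ["someone-else"]},
    ],
    "Signers": [
        {"Name": EXPECTED_SIGNER, "Keys": [{"ID": EXPECTED_KEY_ID}]},
        {"Name": "someone-else", "Keys": [{"ID": "ffff" * 16}]},
    ],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "root-key-id"}]},
        {"Name": "Repository", "Keys": [{"ID": "repo-key-id"}]},
    ],
}])


def signed_digest(trust_inspect_json, tag, signer=EXPECTED_SIGNER, key_id=EXPECTED_KEY_ID):
    """Return the digest of `tag` if it is signed by `signer` and that signer's
    delegation key set contains `key_id`; return None if the tag is unsigned,
    signed only by another signer, or the signer does not hold the expected key."""
    repos = json.loads(trust_inspect_json)
    if not repos:
        return None
    repo = repos[0]
    # Delegation signer name -> key IDs registered with `docker trust signer add`.
    signer_keys = {s["Name"]: {k["ID"] for k in s.get("Keys", [])}
                   for s in repo.get("Signers", [])}
    if key_id not in signer_keys.get(signer, set()):
        return None
    for entry in repo.get("SignedTags", []):
        if entry.get("SignedTag") == tag and signer in entry.get("Signers", []):
            return entry["Digest"]
    return None


if __name__ == "__main__":
    # In practice feed in `subprocess.run(["docker", "trust", "inspect", repo], ...)` output.
    print(signed_digest(SAMPLE_TRUST_INSPECT, "cb1"))  # 1111aaaa
    print(signed_digest(SAMPLE_TRUST_INSPECT, "cb2"))  # None: signed by a different signer
```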
Closing as this has been inactive for over three months. Please open a support ticket with our team for assistance.
Hello,
I am creating an ACR task with the following YAML definition:
I get the following error when running the task
Error: error contacting notary server: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information
If I remove the variable
- DOCKER_CONTENT_TRUST_SERVER=https://{{.Run.Registry}}:443
it all works as expected. My objective is to force the Docker client to use the notary server exposed by ACR; how do I authenticate the task against the notary endpoint?