NMS-13163: enable Docker Content Trust

.circleci/build.sh

@@ -18,12 +18,17 @@ found_changes() {
   return 1
 }
 
-echo "Detect changes in projects"
-if found_changes; then
+echo "BASH_ENV: $BASH_ENV"
+cat "$BASH_ENV"
+env | grep CONTAINER
+env | grep DOCKER
+
+#echo "Detect changes in projects"
+# if found_changes; then
   ./build_container_image.sh && \
   ~/opennms-container/.circleci/tag.sh && \
   ~/opennms-container/.circleci/publish.sh
-else
-  echo "No changes detected"
-  exit 0
-fi
+#else
+#  echo "No changes detected"
+#  exit 0
+#fi

.circleci/config.yml

@@ -12,11 +12,30 @@ aliases:
     command: ~/opennms-container/.circleci/build.sh
   - &registry_login
     name: Login Container Registry
-    command: docker login -u ${CONTAINER_REGISTRY_LOGIN} -p ${CONTAINER_REGISTRY_PASS}
+    command: |
+      docker login -u ${CONTAINER_REGISTRY_LOGIN} -p ${CONTAINER_REGISTRY_PASS}
+      KEY_FOLDER=~/.docker/trust/private
+      mkdir -p $KEY_FOLDER
+      echo "$DELEGATE_PRIVATE_KEY" | base64 -d > $KEY_FOLDER/$DELEGATE_PRIVATE_KEY_NAME.key
+      chmod 600 $KEY_FOLDER/*
+      env | grep DOCKER
+      echo "BASH_ENV: $BASH_ENV"
+      cat $BASH_ENV
+      echo "SHELL: $SHELL"
+      echo $0
+      docker trust key load $KEY_FOLDER/$DELEGATE_PRIVATE_KEY_NAME.key
+  - &bash_env
+    name: Setup Environment Variables
+    command: |
+      echo "export CONTAINER_REGISTRY=docker.io" >> $BASH_ENV
+      echo "export CONTAINER_REGISTRY_REPO=opennmsdcttest" >> $BASH_ENV
+      echo "export DOCKER_CONTENT_TRUST=1" >> $BASH_ENV
+      echo "export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=\"$DELEGATE_PRIVATE_KEY_PASSPHRASE\"" >> $BASH_ENV
   - &common_steps
     - checkout: *checkout
     - setup_remote_docker
     - run: apk add --no-cache bash
+    - run: *bash_env
     - run: *registry_login
     - attach_workspace:
         at: ~/
@@ -30,6 +49,10 @@ aliases:
   - &common_environment
     docker: *docker_environment
     steps: *common_steps
+    shell: /bin/sh -leo pipefail
+    environment:
+      - BASH_ENV: /etc/profile
+
 
 jobs:
   shellcheck:
@@ -156,84 +179,111 @@ workflows:
   container_build:
     jobs:
       - shellcheck
-      - tomcat:
-          requires:
-            - shellcheck
+#      - tomcat:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
       - centos:
+          context: "build-context"
           requires:
             - shellcheck
-      - ubuntu:
-          requires:
-            - shellcheck
-      - antora:
-          requires:
-            - shellcheck
-      - confd:
-          requires:
-            - centos
-      - net-snmp:
-          requires:
-            - shellcheck
-      - isc-dhcp:
-          requires:
-            - shellcheck
-      - mini-mail:
-          requires:
-            - shellcheck
-      - gobgp:
-          requires:
-            - centos
-      - openjdk-8:
-          requires:
-            - centos
+#      - ubuntu:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - antora:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - confd:
+#          context: "build-context"
+#          requires:
+#            - centos
+#      - net-snmp:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - isc-dhcp:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - mini-mail:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - gobgp:
+#          context: "build-context"
+#          requires:
+#            - centos
+#      - openjdk-8:
+#          context: "build-context"
+#          requires:
+#            - centos
       - openjdk-11:
+          context: "build-context"
           requires:
             - centos
-      - maven-jdk8:
-          requires:
-            - openjdk-8
+#      - maven-jdk8:
+#          context: "build-context"
+#          requires:
+#            - openjdk-8
       - maven-jdk11:
+          context: "build-context"
           requires:
             - openjdk-11
-      - netlify-cli:
-          requires:
-            - shellcheck
-      - ghr:
-          requires:
-            - shellcheck
-      - gulp:
-          requires:
-            - shellcheck
-      - build-env-jdk8:
-          requires:
-            - maven-jdk8
-      - build-env-jdk11:
-          requires:
-            - maven-jdk11
-      - debian:
-          requires:
-            - shellcheck
-      - debian-openjdk-8:
-          requires:
-            - debian
-      - debian-openjdk-11:
-          requires:
-            - debian
-      - debian-build-env-jdk8:
-          requires:
-            - debian-openjdk-8
-      - debian-build-env-jdk11:
-          requires:
-            - debian-openjdk-11
-      - snapcraft:
-          requires:
-            - shellcheck
-      - yum-repo:
-          requires:
-            - shellcheck
-      - gns3-horizon:
-          requires:
-            - shellcheck
-      - gns3-minion:
-          requires:
-            - shellcheck
+#      - netlify-cli:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - ghr:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - gulp:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - build-env-jdk8:
+#          context: "build-context"
+#          requires:
+#            - maven-jdk8
+#      - build-env-jdk11:
+#          context: "build-context"
+#          requires:
+#            - maven-jdk11
+#      - debian:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - debian-openjdk-8:
+#          context: "build-context"
+#          requires:
+#            - debian
+#      - debian-openjdk-11:
+#          context: "build-context"
+#          requires:
+#            - debian
+#      - debian-build-env-jdk8:
+#          context: "build-context"
+#          requires:
+#            - debian-openjdk-8
+#      - debian-build-env-jdk11:
+#          context: "build-context"
+#          requires:
+#            - debian-openjdk-11
+#      - snapcraft:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - yum-repo:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - gns3-horizon:
+#          context: "build-context"
+#          requires:
+#            - shellcheck
+#      - gns3-minion:
+#          context: "build-context"
+#          requires:
+#            - shellcheck

.circleci/publish.sh

@@ -7,12 +7,12 @@ source ./config.sh
 # shellcheck disable=SC1091
 source ../registry-config.sh
 
-if [ "${CIRCLE_BRANCH}" == "master" ]; then
-  echo "Publish images for master branch ..."
+#if [ "${CIRCLE_BRANCH}" == "master" ]; then
+#  echo "Publish images for master branch ..."
   for TAG in ${CONTAINER_VERSION_TAGS[*]}; do
     docker push "${CONTAINER_REGISTRY}/${CONTAINER_REGISTRY_REPO}/${CONTAINER_PROJECT}:${TAG}"
   done
-else
-  echo "Skip publishing for working branches other than master."
-  echo "Build images for branches are available in the CircleCI build artifacts."
-fi
+#else
+#  echo "Skip publishing for working branches other than master."
+#  echo "Build images for branches are available in the CircleCI build artifacts."
+#fi

.circleci/tag.sh

@@ -7,6 +7,8 @@ source ./config.sh
 # shellcheck disable=SC1091
 source ../registry-config.sh
 
+echo "tag for registry/repo"
+
 for TAG in ${CONTAINER_VERSION_TAGS[*]}; do
   docker tag "${CONTAINER_PROJECT}:${IMAGE_VERSION}" "${CONTAINER_REGISTRY}/${CONTAINER_REGISTRY_REPO}/${CONTAINER_PROJECT}:${TAG}"
 done

projects/centos/Dockerfile

@@ -2,9 +2,8 @@ ARG BASE_IMAGE="centos"
 ARG BASE_IMAGE_VERSION="8"
 ARG VERSION=${BASE_IMAGE_VERSION}
 
-FROM ${BASE_IMAGE}:${BASE_IMAGE_VERSION}
-
-ARG VERSION=${BASE_IMAGE_VERSION}
+FROM centos:8
+# FROM ${BASE_IMAGE}:${BASE_IMAGE_VERSION}
 
 RUN dnf -y --nodocs update && \
     dnf clean all && \

projects/centos/build_container_image.sh

@@ -21,4 +21,4 @@ docker build -t "${CONTAINER_PROJECT}:${IMAGE_VERSION[0]}" \
   --build-arg BUILD_BRANCH="${CIRCLE_BRANCH}" \
   .
 
-docker image save "${CONTAINER_PROJECT}:${IMAGE_VERSION[0]}" -o "${CONTAINER_IMAGE}"
+docker image save "${CONTAINER_PROJECT}:${IMAGE_VERSION[0]}" -o "${CONTAINER_IMAGE}"

projects/centos/config.sh

@@ -2,6 +2,8 @@
 
 # shellcheck disable=SC2034
 
+CONTAINER_PROJECT="centos"
+
 # Configure base image dependency
 BASE_IMAGE="centos"
 VERSION="8"

projects/maven-jdk11/Dockerfile

@@ -1,7 +1,8 @@
-ARG BASE_IMAGE=opennms/openjdk
+ARG BASE_IMAGE="opennms/openjdk"
 ARG BASE_IMAGE_VERSION="11.0.4.11"
 
-FROM ${BASE_IMAGE}:${BASE_IMAGE_VERSION}
+FROM opennmsdcttest/openjdk:11.0.11.0.9
+# FROM ${BASE_IMAGE}:${BASE_IMAGE_VERSION}
 
 ARG MAVEN_VERSION="3.6.1"
 

projects/maven-jdk11/config.sh

@@ -6,10 +6,10 @@
 CONTAINER_PROJECT="maven"
 
 # Base Image Dependency
-BASE_IMAGE="opennms/openjdk"
-JDK_VERSION="11.0.9.11"
+BASE_IMAGE="$CONTAINER_REGISTRY_REPO/openjdk"
+JDK_VERSION="11.0.11.0.9"
 MAVEN_VERSION="3.6.3"
-BASE_IMAGE_VERSION="${JDK_VERSION}-b5706"
+BASE_IMAGE_VERSION="${JDK_VERSION}-b${CIRCLE_BUILD_NUM}"
 BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%S%z")"
 
 # inherit $BASE_IMAGE_VERSION

projects/openjdk-11/Dockerfile

@@ -1,7 +1,8 @@
 ARG BASE_IMAGE="centos"
 ARG BASE_IMAGE_VERSION="8"
 
-FROM ${BASE_IMAGE}:${BASE_IMAGE_VERSION}
+FROM opennmsdcttest/centos:8
+#FROM ${BASE_IMAGE}:${BASE_IMAGE_VERSION}
 
 ARG JDK_MAJOR_VERSION=11
 ARG JDK_VERSION_DETAIL=${MAJOR_VERSION}.0.4.11

projects/openjdk-11/config.sh

@@ -6,16 +6,16 @@
 CONTAINER_PROJECT="openjdk"
 
 # Base Image Dependency
-BASE_IMAGE="opennms/centos"
-BASE_IMAGE_VERSION="8-b5649"
+BASE_IMAGE="$CONTAINER_REGISTRY_REPO/centos"
+BASE_IMAGE_VERSION="8-b${CIRCLE_BUILD_NUM}"
 BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%S%z")"
 
 # inherit $BASE_IMAGE_VERSION
 PARENT_PROJECT="centos"
 
 # Specific container config
 JDK_MAJOR_VERSION="11"
-JDK_VERSION_DETAIL="${JDK_MAJOR_VERSION}.0.9.11"
+JDK_VERSION_DETAIL="${JDK_MAJOR_VERSION}.0.11.0.9"
 IMAGE_VERSION=("${JDK_VERSION_DETAIL}")
 
 # Most specific tag when it is not build locally and in CircleCI

projects/registry-config.sh

@@ -10,8 +10,6 @@ if [ -z "${CONTAINER_PROJECT}" ]; then
 fi
 
 # Container registry and tags
-CONTAINER_REGISTRY="docker.io"
-CONTAINER_REGISTRY_REPO="opennms"
 CONTAINER_VERSION_TAGS=${IMAGE_VERSION[*]}
 
 # Container Image Artifact