Commit 57998b26 authored by Pierre Smeyers

feat: add image digest support

parent a159fce3
1 merge request: !29 Resolve "Support digest"
......@@ -30,7 +30,7 @@ activate the Docker-in-Docker build at your own risks by setting `DOCKER_DIND_BU
The Docker template uses some global configuration used throughout all jobs.
| Name | description | default value |
| Name | Description | Default value |
| --------------------- | -------------------------------------- | ----------------- |
| `DOCKER_DIND_BUILD` | Set to enable Docker-in-Docker build (:warning: unsecured, requires privileged runners). | _(none)_ (kaniko build by default) |
| `DOCKER_KANIKO_IMAGE` | The Docker image used to run kaniko - _for kaniko build only_ | `gcr.io/kaniko-project/executor:debug` (use `debug` images for GitLab) |
......@@ -41,7 +41,7 @@ The Docker template uses some global configuration used throughout all jobs.
In addition to this, the template supports _standard_ Linux proxy variables:
| Name | description | default value |
| Name | Description | Default value |
| --------------------- | ------------------------------------------- | ------------- |
| `http_proxy` | Proxy used for http requests | _none_ |
| `https_proxy` | Proxy used for https requests | _none_ |
......@@ -67,7 +67,7 @@ In practice:
The **snapshot** and **release** images are defined by the following variables:
| Name | description | default value |
| Name | Description | Default value |
| ------------------------- | --------------------- | ------------------------------------------------- |
| `DOCKER_SNAPSHOT_IMAGE` | Docker snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
| `DOCKER_RELEASE_IMAGE` | Docker release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` |
......@@ -92,7 +92,7 @@ But when using other registry(ies), you'll have also to **configure appropriate
If you use the **same registry** for both snapshot and release images, you shall use the following configuration
variables:
| Name | description |
| Name | Description |
| -------------------------------- | -------------------------------------- |
| :lock: `DOCKER_REGISTRY_USER` | Docker registry username for image registry |
| :lock: `DOCKER_REGISTRY_PASSWORD`| Docker registry password for image registry |
......@@ -101,7 +101,7 @@ variables:
If you use **different registries** for snapshot and release images, you shall use separate configuration variables:
| Name | description |
| Name | Description |
| ---------------------------------------- | -------------------------------------- |
| :lock: `DOCKER_REGISTRY_SNAPSHOT_USER` | Docker registry username for snapshot image registry |
| :lock: `DOCKER_REGISTRY_SNAPSHOT_PASSWORD`| Docker registry password for snapshot image registry |
......@@ -139,7 +139,7 @@ If you need to redefine a variable with the same value for all your Dockerfiles,
```yaml
variables:
DOCKER_DIND_BUILD: "True"
DOCKER_DIND_BUILD: "true"
```
### Secrets management
......@@ -164,9 +164,9 @@ This job performs a [Lint](https://github.com/projectatomic/dockerfile_lint) on
It is bound to the `build` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| --------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_LINT_IMAGE` | The dockerlint image | `projectatomic/dockerfile-lint:latest` |
| `DOCKER_LINT_IMAGE` | The dockerlint image | `projectatomic/dockerfile-lint:latest` |
| `DOCKER_LINT_ARGS` | Additional `dockerfile_lint` arguments | _(none)_ |
In case you have to disable some rules, copy and edit the [rules](https://github.com/projectatomic/dockerfile_lint#extending-and-customizing-rule-files) into `mycustomdockerlint.yml` and set `DOCKER_LINT_ARGS: '-r mycustomdockerlint.yml'`
......@@ -177,7 +177,7 @@ This job performs a [Lint](https://github.com/hadolint/hadolint) on your `Docker
It is bound to the `build` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| -------------------------- | -------------------------------------- | --------------------------------------- |
| `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `hadolint/hadolint:latest-alpine` |
| `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | `` |
......@@ -200,17 +200,23 @@ This job builds the image and publishes it to the _snapshot_ repository.
It is bound to the `package-build` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `DOCKER_BUILD_ARGS` | Additional `docker build`/`kaniko` arguments | _(none)_ |
| `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) | _(none)_ |
| `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification |
| `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification |
This job produces an _output variable_ that is propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
* `docker_image`: set to `$DOCKER_SNAPSHOT_IMAGE`
| Name | Description | Example |
| --------------------- | ------------------------------------------------------ | --------------------------------------- |
| `docker_image` | snapshot image name **with tag** | `registry.gitlab.com/acme/website/snaposhot:main` |
| `docker_image_digest` | snapshot image name **with digest** (no tag) | `registry.gitlab.com/acme/website/snaposhot@sha256:b7914a91...` |
| `docker_repository` | snapshot image **bare repository** (no tag nor digest) | `registry.gitlab.com/acme/website/snaposhot` |
| `docker_tag` | snapshot image tag | `main` |
| `docker_digest` | snapshot image digest | `sha256:b7914a91...` |
It may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch of tag).
They may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch or tag).
If you want to use GitLab CI variables or any other variable in your Dockerfile, you can add them to `DOCKER_BUILD_ARGS` like so:
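Review bot: the example values in the new output-variable table misspell the repository as `snaposhot` (three rows, `registry.gitlab.com/acme/website/snaposhot:main` and following); it should read `snapshot`, matching the documented default `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG`. Since this section now exposes both a tag-based and a digest-based reference, the sentence "They may be freely used in downstream jobs" would benefit from saying which one a deploy job should prefer: `docker_image_digest` is the immutable reference to the exact image this pipeline built and tested, whereas `docker_image` carries the tag (`main` in the example) which the next pipeline on the same branch re-points, so a downstream job that pulls by tag after a delay can end up deploying a different image. The same remark applies to the release table further down.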
......@@ -261,7 +267,7 @@ This job performs a [Health Check](https://docs.docker.com/engine/reference/buil
It is bound to the `package-test` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| -------------------------------------- | -------------------------------------------------------------------- | ----------------- |
| `DOCKER_HEALTHCHECK_DISABLED` | Set to `true` to disable health check | _(none: enabled by default)_ |
| `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
......@@ -288,7 +294,7 @@ variables:
It is bound to the `package-test` stage, and uses the following variables:
| Name | description | default value |
| Name | Description | Default value |
| ---------------------- | -------------------------------------- | ----------------- |
| `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `aquasec/trivy:latest` |
| `DOCKER_TRIVY_ADDR` | The Trivy server address | _(none: disabled by default)_ |
......@@ -300,18 +306,24 @@ It is bound to the `package-test` stage, and uses the following variables:
This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).
| Name | description | default value |
| Name | Description | Default value |
| --------------------- | --------------------------------------------------------------------------- | ----------------- |
| `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` |
| `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_ |
| `AUTODEPLOY_TO_PROD` | Set to enable automatic publish (and deploy) on `master` branch | _none_ (enabled) |
| `PUBLISH_ON_PROD` | Determines whether this job is enabled on `master` branch | `true`_ (enabled) |
This job produces an _output variable_ that is propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
* `docker_image`: set to `$DOCKER_RELEASE_IMAGE`
| Name | Description | Example |
| --------------------- | ----------------------------------------------------- | --------------------------------------- |
| `docker_image` | release image name **with tag** | `registry.gitlab.com/acme/website:main` |
| `docker_image_digest` | release image name **with digest** (no tag) | `registry.gitlab.com/acme/website@sha256:b7914a91...` |
| `docker_repository` | release image **bare repository** (no tag nor digest) | `registry.gitlab.com/acme/website` |
| `docker_tag` | release image tag | `main` |
| `docker_digest` | release image digest | `sha256:b7914a91...` |
It may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch of tag).
They may be freely used in downstream jobs (for instance to deploy the upstream built Docker image, whatever the branch or tag).
## Examples
......@@ -352,7 +364,7 @@ include:
file: '/templates/gitlab-ci-docker.yml'
variables:
DOCKER_DIND_BUILD: "True"
DOCKER_DIND_BUILD: "true"
.docker-base:
parallel:
......@@ -377,7 +389,7 @@ This variant allows delegating your secrets management to a [Vault](https://www.
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
| Name | description | default value |
| Name | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- |
| `VAULT_BASE_URL` | The Vault server base API url | _none_ |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
......@@ -393,7 +405,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta
With:
| Name | description |
| Name | Description |
| -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
......
......@@ -277,7 +277,6 @@ stages:
docker_snapshot_authent_token=$(echo -n "${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}:${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n')
docker_snapshot_registry_host=$(echo "$DOCKER_SNAPSHOT_IMAGE" | cut -d/ -f1)
docker_release_authent_token=$(echo -n "${DOCKER_REGISTRY_RELEASE_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}:${DOCKER_REGISTRY_RELEASE_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n')
docker_release_registry_host=$(echo "$DOCKER_RELEASE_IMAGE" | cut -d/ -f1)
......@@ -497,9 +496,16 @@ docker-kaniko-build:
extends: .docker-kaniko-base
stage: package-build
script:
- run_build_kaniko "$DOCKER_SNAPSHOT_IMAGE" --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy"
- run_build_kaniko "$DOCKER_SNAPSHOT_IMAGE" --digest-file .img-digest.txt --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy"
# push docker_image in dotenv file
- docker_digest=$(cat .img-digest.txt)
- docker_repository=${DOCKER_SNAPSHOT_IMAGE%%:*}
- docker_tag=${DOCKER_SNAPSHOT_IMAGE#*:}
- echo "docker_image=$DOCKER_SNAPSHOT_IMAGE" > docker.env
- echo "docker_image_digest=$docker_repository@$docker_digest" >> docker.env
- echo "docker_repository=$docker_repository" >> docker.env
- echo "docker_tag=$docker_tag" >> docker.env
- echo "docker_digest=$docker_digest" >> docker.env
artifacts:
reports:
dotenv:
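Review bot: the parameter expansions `docker_repository=${DOCKER_SNAPSHOT_IMAGE%%:*}` and `docker_tag=${DOCKER_SNAPSHOT_IMAGE#*:}` split at the first colon, which is wrong whenever the registry host carries a port (a self-managed GitLab registry exposed as `gitlab.example.com:5050` is a common case, and it flows into the default `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG`). For `gitlab.example.com:5050/acme/website/snapshot:main` this yields `docker_repository=gitlab.example.com`, `docker_tag=5050/acme/website/snapshot:main` and an unusable `docker_image_digest=gitlab.example.com@sha256:...`, so a downstream job pinning by digest would fail or, worse, silently fall back to the tag. Because the template always appends a tag, splitting at the last colon is correct here: `docker_repository=${DOCKER_SNAPSHOT_IMAGE%:*}` and `docker_tag=${DOCKER_SNAPSHOT_IMAGE##*:}`. A user-supplied tagless value with a port is still ambiguous under either form; checking that the extracted tag contains no `/` (and failing the job otherwise) would catch that. The same expansions are repeated in the dind build and publish jobs below and should be fixed together. Minor: the comment `# push docker_image in dotenv file` is now out of date for a five-variable file (the dind hunk renames it to `# create dotenv file`).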
......@@ -522,9 +528,17 @@ docker-dind-build:
# Display the size of each layer
- docker history $DOCKER_SNAPSHOT_IMAGE
# Display the total size of the image
- docker images $DOCKER_SNAPSHOT_IMAGE
# push docker_image in dotenv file
- docker images --digests $DOCKER_SNAPSHOT_IMAGE
# create dotenv file
- image_with_digest=$(docker inspect --format '{{index .RepoDigests 0}}' "$DOCKER_SNAPSHOT_IMAGE")
- docker_digest=${image_with_digest#*@}
- docker_repository=${DOCKER_SNAPSHOT_IMAGE%%:*}
- docker_tag=${DOCKER_SNAPSHOT_IMAGE#*:}
- echo "docker_image=$DOCKER_SNAPSHOT_IMAGE" > docker.env
- echo "docker_image_digest=$docker_repository@$docker_digest" >> docker.env
- echo "docker_repository=$docker_repository" >> docker.env
- echo "docker_tag=$docker_tag" >> docker.env
- echo "docker_digest=$docker_digest" >> docker.env
artifacts:
reports:
dotenv:
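Review bot: `docker inspect --format '{{index .RepoDigests 0}}' "$DOCKER_SNAPSHOT_IMAGE"` takes the first repository digest regardless of which repository it belongs to. `RepoDigests` holds one `repo@sha256:...` entry per repository the image was pushed to or pulled from on this daemon, so on a runner with a persistent Docker daemon, or when the same image id is also known under another name, entry 0 can belong to a different repository, and the value then written as `docker_image_digest=$docker_repository@$docker_digest` may not resolve. If the snapshot has not been pushed yet at this point, `index` aborts with an out-of-range error, which at least fails loudly. Selecting the entry for the snapshot repository explicitly is more robust: compute `docker_repository` first, then `docker inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$DOCKER_SNAPSHOT_IMAGE" | grep -F "${docker_repository}@"` and take the part after `@`, failing the job when no line matches.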
......@@ -665,7 +679,14 @@ docker-publish:
fi
skopeo copy --src-authfile /skopeo/.docker/src-config.json --dest-authfile /skopeo/.docker/dest-config.json ${DOCKER_PUBLISH_ARGS} docker://$DOCKER_SNAPSHOT_IMAGE docker://$DOCKER_RELEASE_IMAGE
log_info "Well done your image is published and can be downloaded by doing: docker pull $DOCKER_RELEASE_IMAGE"
echo "docker_image=$DOCKER_RELEASE_IMAGE" > docker.env
- docker_digest=$(skopeo inspect --format='{{ .Digest }}' "docker://$DOCKER_RELEASE_IMAGE")
- docker_repository=${DOCKER_RELEASE_IMAGE%%:*}
- docker_tag=${DOCKER_RELEASE_IMAGE#*:}
- echo "docker_image=$DOCKER_RELEASE_IMAGE" > docker.env
- echo "docker_image_digest=$docker_repository@$docker_digest" >> docker.env
- echo "docker_repository=$docker_repository" >> docker.env
- echo "docker_tag=$docker_tag" >> docker.env
- echo "docker_digest=$docker_digest" >> docker.env
artifacts:
reports:
dotenv:
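Review bot: the new `skopeo inspect --format='{{ .Digest }}' "docker://$DOCKER_RELEASE_IMAGE"` is issued without credentials, while the `skopeo copy` just above needed `--dest-authfile /skopeo/.docker/dest-config.json` to reach the release registry; against a private release registry (the case the `DOCKER_REGISTRY_RELEASE_*` variables exist for) the inspect is rejected as unauthorized and the job fails right after a successful publish. Pass the same auth file: `skopeo inspect --authfile /skopeo/.docker/dest-config.json --format '{{ .Digest }}' "docker://$DOCKER_RELEASE_IMAGE"`. Separately, this reads the digest back by resolving the mutable release tag after the copy, so a concurrent pipeline pushing the same tag between the two commands would be recorded as this pipeline's release; capturing the digest from the copy operation itself, as the kaniko job does with its digest file, removes that window. Note also that `skopeo copy` without `--all` on a multi-platform snapshot copies a single platform image, so the release digest recorded here is not expected to equal the snapshot `docker_digest`; the README should say so if both are meant to be compared.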
......