Docker Digest

kind: dockerdigest

sourceconditiontargetscm

Description

source

The Docker Digest "source" retrieves the Docker image digest for a specific Docker image tag.

Parameters

NameTypeDescriptionRequired
architecturestring

architecture specifies the container image architecture such as amd64

	compatible:
		* source
		* condition

	default:
		amd64
digeststring

digest specifies the container image digest such as sha256:ce782db15ab5491c6c6178da8431b3db66988ccd11512034946a9667846952a6

	compatible:
		* condition

	default:
		When used from a condition, the default value is set to the linked source output.
hidetagboolean

hideTag specifies if the tag should be hidden from the digest

	compatible:
		* source

	default:
		false
imagestring

image specifies the container image such as updatecli/updatecli

	compatible:
		* source
		* condition
passwordstring

password specifies the container registry password to use for authentication. Not compatible with token

	compatible:
		* source
		* condition
		* target

	default:
		by default credentials are fetch from the local environment such as `~/.docker/config.json`.

	remark:
		Not compatible with token
tagstring

tag specifies the container image tag such as latest

	compatible:
		* source
		* condition
tokenstring

token specifies the container registry token to use for authentication.

	compatible:
		* source
		* condition
		* target

	default:
		by default credentials are fetch from the local environment such as `~/.docker/config.json`.

	remark:
		Not compatible with username/password
usernamestring

username specifies the container registry username to use for authentication.

	compatible:
		* source
		* condition
		* target

	default:
		by default credentials are fetch from the local environment such as `~/.docker/config.json`.

	remark:
		Not compatible with token

Remark:

It’s considered a very bad practice to store credentials in an unencrypted file. Consider using an environment variable to store the token.

Authentication

Depending on the Docker Registry, authentication may be required. The way to retrieve the token depends on the registry.

GHCR

Github uses personal access token. How to retrieve one, is explained here

DockerHub

To retrieve a token, it’s easier to run docker login and then retrieve the token stored in '~/.docker/config.json'

~/.docker/config.json
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "token"
                }
        },

Example

Please note that in this example we are using a go template updatecli.tpl with values from values.yaml The main motivation is to use {{ requiredEnv ENV_VARIABLE }} to read the github token from a environment variable.

updatecli.tpl

sources:
  lastDockerDigest:
    kind: dockerdigest
    spec:
      image: "jenkins/jenkins"
      tag: "lts-jdk11"
targets:
  imageTag:
    name: "jenkins/jenkins:lts-jdk11 docker digest"
    kind: yaml
    spec:
      file: "config/default/jenkins-release.yaml"
      key: "jenkins.master.imageTag"
    scm:
      github:
        user: "{{ .github.user }}"
        email: "{{ .github.email }}"
        owner: "jenkins-infra"
        repository: "charts"
        token: "{{ requiredEnv .github.token }}"
        username: "{{ .github.username }}"
        branch: "master"
values.yaml
github:
  user: "updatebot"
  email: "updatebot@olblak.com"
  username: "jenkins-infra-bot"
  token: "UPDATECLI_GITHUB_TOKEN"
  branch: "master"
  owner: "olblak"
  repository: "charts"

What it says:

Source Retrieve the Docker image digest for the image jenkins/jenkins with the tag lts-jdk11 from DockerHub

Conditions No condition specified

Targets Update the yaml key jenkins.master.imageTag in the file config/default/jenkins-release.yaml located on the Github repository olblak/charts

Top