Docker Digest

kind: dockerdigest

source	condition	target	scm
✔	✗	✗	✗

source

condition

target

scm

✔

✗

Description

source

The Docker Digest "source" retrieves the Docker image digest for a specific Docker image tag.

Parameters

Name	Type	Description
architecture	string	architecture specifies the container image architecture such as `amd64` `compatible: * source * condition default: amd64`
digest	string	digest specifies the container image digest such as `sha256:ce782db15ab5491c6c6178da8431b3db66988ccd11512034946a9667846952a6` `compatible: * condition default: When used from a condition, the default value is set to the linked source output.`
hidetag	boolean	hideTag specifies if the tag should be hidden from the digest `compatible: * source default: false`
image	string	image specifies the container image such as `updatecli/updatecli` `compatible: * source * condition`
password	string	password specifies the container registry password to use for authentication. Not compatible with token compatible: * source * condition * target default: by default credentials are fetch from the local environment such as `~/.docker/config.json`. remark: Not compatible with token
tag	string	tag specifies the container image tag such as `latest` `compatible: * source * condition`
token	string	token specifies the container registry token to use for authentication. compatible: * source * condition * target default: by default credentials are fetch from the local environment such as `~/.docker/config.json`. remark: Not compatible with username/password
username	string	username specifies the container registry username to use for authentication. compatible: * source * condition * target default: by default credentials are fetch from the local environment such as `~/.docker/config.json`. remark: Not compatible with token

Remark:

It’s considered a very bad practice to store credentials in an unencrypted file. Consider using an environment variable to store the token.

Authentication

Depending on the Docker Registry, authentication may be required. The way to retrieve the token depends on the registry.

GHCR

Github uses personal access token. How to retrieve one, is explained here

DockerHub

To retrieve a token, it’s easier to run docker login and then retrieve the token stored in '~/.docker/config.json'

~/.docker/config.json

        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "token"
                }
        },

Example

Please note that in this example we are using a go template updatecli.tpl with values from values.yaml The main motivation is to use {{ requiredEnv ENV_VARIABLE }} to read the github token from a environment variable.

updatecli.tpl

sources:
  lastDockerDigest:
    kind: dockerdigest
    spec:
      image: "jenkins/jenkins"
      tag: "lts-jdk11"
targets:
  imageTag:
    name: "jenkins/jenkins:lts-jdk11 docker digest"
    kind: yaml
    spec:
      file: "config/default/jenkins-release.yaml"
      key: "jenkins.master.imageTag"
    scm:
      github:
        user: "{{ .github.user }}"
        email: "{{ .github.email }}"
        owner: "jenkins-infra"
        repository: "charts"
        token: "{{ requiredEnv .github.token }}"
        username: "{{ .github.username }}"
        branch: "master"

values.yaml

github:
  user: "updatebot"
  email: "updatebot@olblak.com"
  username: "jenkins-infra-bot"
  token: "UPDATECLI_GITHUB_TOKEN"
  branch: "master"
  owner: "olblak"
  repository: "charts"

What it says:

Source Retrieve the Docker image digest for the image jenkins/jenkins with the tag lts-jdk11 from DockerHub

Conditions No condition specified

Targets Update the yaml key jenkins.master.imageTag in the file config/default/jenkins-release.yaml located on the Github repository olblak/charts

Last modified on November 20, 2022

Edit this page on GitHub