[JENKINS-67572] Allow docker digest in image names

[viceice]

Allow docker digests in image names, as since c069b79 it's no longer allowed in docker-workflow-plugin to pin docker images.

• fixes https://issues.jenkins.io/browse/JENKINS-67572

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[PandarinDev]

Great job, looking forward to this getting merged! Currently our workflows are failing because of this regression and we cannot really downgrade our plugins so hoping that this will be released ASAP.

[j3t]

As a workaround, you can disable the validation see https://github.com/jenkinsci/docker-commons-plugin/blob/master/src/main/java/org/jenkinsci/plugins/docker/commons/credentials/ImageNameValidator.java#L48

[viceice]

@j3t I know, but that fully disables all checks again and we are vulnerable again. So i hope this gets merge and released soon.

@rsandell @oleg-nenashev Any changes to get this done sooner than later?

[jsnod]

As a workaround, you can disable the validation see https://github.com/jenkinsci/docker-commons-plugin/blob/master/src/main/java/org/jenkinsci/plugins/docker/commons/credentials/ImageNameValidator.java#L48

@j3t We are starting Jenkins with -Dorg.jenkinsci.plugins.docker.commons.credentials.ImageNameValidator.SKIP=true but we are still failing on validation, is there some other way to enable this SKIP workaround?

[viceice]

I think you are probably also hit by

• fix: use correct syntax for environment variable docker-workflow-plugin#244

[viceice]

OK, fixed tests and now validating against oci spec. So please review again. 🤗

[viceice]

♥️

[viceice]

Thanks, updated jenkins and removed workaround and everything works 🎉

[ccayg-sainsburys]

Is this possibly fixing some cases but not all or has something here / nearby changed that means my configuration no longer works?

I'm seeing: ERROR: Name must follow the pattern '^[a-zA-Z0-9]+((\.|_|__|-+)[a-zA-Z0-9]+)*$'
following DOCKER_IMAGE = docker.build('${ECR_REGISTRY}/${ECR_REPO}:${COMMIT_HASH}')

Where the registry variable is pulled from credentials while the repo and hash are defined within the pipeline itself.
This should equate to what I believe is a normal ECR reference per https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html of the form 123456789012.dkr.ecr.eu-west-1.amazonaws.com/service-foo:0a1b23c

with v1.19 of this plugin and v1.28 of docker-workflow on linux

actually I guess that's JENKINS-67633

[TBBle]

@ccayg-sainsburys Yeah, this is almost certainly JENKINS-67633. I've left a comment there so it's more-visible to users with that issue.

[ccayg-sainsburys]

@ccayg-sainsburys Yeah, this is almost certainly JENKINS-67633. I've left a comment there so it's more-visible to users with that issue.

Thanks - and the suggested fix there does work but because one of the values comes from credentials it triggers:

10:33:27  Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure.
10:33:27  		 Affected argument(s) used the following variable(s): [ECR_REGISTRY]
10:33:27  		 See https://jenkins.io/redirect/groovy-string-interpolation for details.

I might just replace with shell commands at this point to be honest.

[TBBle]

For data from credentials, don't use withEnv, use the specialised credential-handling step withCredentials to expose the value as an env-var. That should fix that warning.