I cannot get any trusted images deployed to my UCP cluster when I require content trust. I have set Content Trust in UCP to allow any valid UCP user.
On the DTR server I have created a new repository, under the username “james”. There is a user account called “james” on the UCP cluster that I am also using.
I have installed the notary client and configured it with the UCP bundle. I have then run:
notary init -p ddc-05.ddclab.quru.com/quru/helloworld
(quru is an Organization on the DTR server, and james is a member of the quru organization)
And set up passwords for the relevant keys. Where I was asked to log in, I provided the “james” user account details for DTR, which were accepted.
I then perform a “docker login ddc-05.ddclab.quru.com” with the user account “james”.
Then: export DOCKER_CONTENT_TRUST=1
And finally: docker push ddc-05.ddclab.quru.com/quru/helloworld:1.0.2
The image is successfully signed, and appears in DTR as signed. I can manually deploy the image to any of my Docker worker nodes using:
docker pull ddc-05.ddclab.quru.com/quru/helloworld:1.0.2
This works fine.
However, if I try and use this image in a simple docker-compose from the UCP interface, I am met with the error:
Error creating container: required at least one valid signer, none found
What does UCP consider as a valid signer, and what am I doing wrong here? This is frustratingly close to working!