To ensure the integrity of all runtime container images published and downloaded for production systems, image signing support is now available for all Apigee hybrid images using Docker Hub. All hybrid runtime images are publicly available for download from the Google Docker Hub account.
Hybrid images are signed with Docker Content Trust, a feature that lets users verify the integrity and publisher of every image built and running in a Docker registry. These signatures allow client-side or runtime verification of specific image tags against publisher keys, ensuring that the image is exactly what the publisher created and pushed for publication.
Download signed container images
If you are using a Kubernetes cluster without internet access to deploy your hybrid runtime services, you will need to download the container images to a local container registry and then access the registry from your Kubernetes cluster.
To download a signed container image, you should have Docker
installed and use the docker pull
command as follows. Be sure to append the correct tag
to each image name. For example, the tag for apigee-synchronizer
is 1.3.6
,
as shown below.
Namespace: apigee-system
docker pull google/apigee-kube-rbac-proxy:v0.4.1
docker pull google/apigee-operators:1.3.6
docker pull google/apigee-installer:1.3.6
Namespace: apigee
docker pull google/apigee-authn-authz:1.3.6
docker pull google/apigee-cassandra-backup-utility:1.3.6
docker pull google/apigee-connect-agent:1.3.6
docker pull google/apigee-hybrid-cassandra-client:1.3.6
docker pull google/apigee-hybrid-cassandra:1.3.6
docker pull google/apigee-mart-server:1.3.6
docker pull google/apigee-prom-prometheus:v2.9.2
docker pull google/apigee-runtime:1.3.6
docker pull google/apigee-stackdriver-logging-agent:1.6.8
docker pull google/apigee-stackdriver-prometheus-sidecar:0.7.5
docker pull google/apigee-synchronizer:1.3.6
docker pull google/apigee-udca:1.3.6
docker pull google/apigee-watcher:1.3.6
Verify container image signer and signatures
To verify that an image has been signed, run the following command:
docker trust inspect --pretty $IMAGE_NAME:$IMAGE_TAG
The output of this command will let you know whether the tagged image is signed, the name of the signers, and a list of signers and keys. For example:
docker trust inspect --pretty google/apigee-mart-server:1.3.6
Signatures for google/apigee-mart-server:1.3.6
SIGNED TAG DIGEST SIGNERSbeta2
a607b0e7acba41544e5db8e74b039e9314fdcfdc6f1acf73094d3179fc2af322 asf-admin
List of signers and their keys for google/apigee-mart-server:1.3.6
SIGNER KEYSasf-admin 7d4abdbb7bfd
Administrative keys for google/apigee-mart-server:1.3.6
Repository Key: 80f86b047965f6dec0c056b1938a7f8cfb894ba8014fba36a18d0923173d394a
Root Key: 6f2d60f90a0d78dd6254d3d47613a4dd6eb0880f83411e6f8b122b84dbef69ca