run docker_credentials_gcr in warmer

cmd/warmer/cmd/root.go

@@ -19,11 +19,13 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/GoogleContainerTools/kaniko/pkg/cache"
 	"github.com/GoogleContainerTools/kaniko/pkg/config"
 	"github.com/GoogleContainerTools/kaniko/pkg/logging"
+	"github.com/GoogleContainerTools/kaniko/pkg/util"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
@@ -63,9 +65,25 @@ var RootCmd = &cobra.Command{
 				exit(errors.Wrap(err, "Failed to create cache directory"))
 			}
 		}
+		isGCR := false
+		for _, image := range opts.Images {
+			if strings.Contains(image, "gcr.io") || strings.Contains(image, ".pkg.dev") {
+				isGCR = true
+				break
+			}
+		}
+		// Historically kaniko was pre-configured by default with gcr credential helper,
+		// in here we keep the backwards compatibility by enabling the GCR helper only
+		// when gcr.io (or pkg.dev) is in one of the destinations.
+		if isGCR{
+			util.ConfigureGCR("")
+		}
+
 		if err := cache.WarmCache(opts); err != nil {
 			exit(errors.Wrap(err, "Failed warming cache"))
 		}
+
+
 	},
 }
 

deploy/Dockerfile

@@ -76,6 +76,5 @@ ENV SSL_CERT_DIR=/kaniko/ssl/certs
 ENV DOCKER_CONFIG /kaniko/.docker/
 ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
 WORKDIR /workspace
-RUN ["/kaniko/docker-credential-gcr", "config", "--token-source=env"]
 
 ENTRYPOINT ["/kaniko/executor"]

deploy/Dockerfile_debug

@@ -53,7 +53,7 @@ RUN GOARCH=$(cat /goarch) && (mkdir -p /go/src/github.com/chrismellard || true)
 RUN mkdir -p /kaniko/.docker
 
 COPY . .
-RUN make GOARCH=$(cat /goarch) && make GOARCH=$(cat /goarch) out/warmer
+#RUN make GOARCH=$(cat /goarch) && make GOARCH=$(cat /goarch) out/warmer
 
 # Generate latest ca-certificates
 
@@ -65,13 +65,12 @@ RUN \
   cat /etc/ssl/certs/* > /ca-certificates.crt
 
 FROM scratch
-COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/* /kaniko/
-COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer
+#COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/* /kaniko/
+#COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/warmer
 COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
 COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/local/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
 COPY --from=0 /go/src/github.com/chrismellard/docker-credential-acr-env/build/docker-credential-acr-env /kaniko/docker-credential-acr
 COPY --from=busybox:1.32.0 /bin /busybox
-
 # Declare /busybox as a volume to get it automatically in the path to ignore
 VOLUME /busybox
 
@@ -85,7 +84,6 @@ ENV SSL_CERT_DIR=/kaniko/ssl/certs
 ENV DOCKER_CONFIG /kaniko/.docker/
 ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
 WORKDIR /workspace
-RUN ["/kaniko/docker-credential-gcr", "config", "--token-source=env"]
 RUN ["/busybox/mkdir", "-p", "/bin"]
 RUN ["/busybox/ln", "-s", "/busybox/sh", "/bin/sh"]
 ENTRYPOINT ["/kaniko/executor"]

deploy/Dockerfile_warmer

@@ -76,5 +76,4 @@ ENV SSL_CERT_DIR=/kaniko/ssl/certs
 ENV DOCKER_CONFIG /kaniko/.docker/
 ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
 WORKDIR /workspace
-RUN ["/kaniko/docker-credential-gcr", "config", "--token-source=env"]
 ENTRYPOINT ["/kaniko/warmer"]

pkg/executor/push.go

@@ -17,7 +17,6 @@ limitations under the License.
 package executor
 
 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -61,28 +60,6 @@ const (
 	UpstreamClientUaKey = "UPSTREAM_CLIENT_TYPE"
 )
 
-// DockerConfLocation returns the file system location of the Docker
-// configuration file under the directory set in the DOCKER_CONFIG environment
-// variable.  If that variable is not set, it returns the OS-equivalent of
-// "/kaniko/.docker/config.json".
-func DockerConfLocation() string {
-	configFile := "config.json"
-	if dockerConfig := os.Getenv("DOCKER_CONFIG"); dockerConfig != "" {
-		file, err := os.Stat(dockerConfig)
-		if err == nil {
-			if file.IsDir() {
-				return filepath.Join(dockerConfig, configFile)
-			}
-		} else {
-			if os.IsNotExist(err) {
-				return string(os.PathSeparator) + filepath.Join("kaniko", ".docker", configFile)
-			}
-		}
-		return filepath.Clean(dockerConfig)
-	}
-	return string(os.PathSeparator) + filepath.Join("kaniko", ".docker", configFile)
-}
-
 func (w *withUserAgent) RoundTrip(r *http.Request) (*http.Response, error) {
 	ua := []string{fmt.Sprintf("kaniko/%s", version.Version())}
 	if upstream := os.Getenv(UpstreamClientUaKey); upstream != "" {
@@ -110,8 +87,6 @@ func CheckPushPermissions(opts *config.KanikoOptions) error {
 	}
 
 	checked := map[string]bool{}
-	_, err := fs.Stat(DockerConfLocation())
-	dockerConfNotExists := os.IsNotExist(err)
 	for _, destination := range targets {
 		destRef, err := name.NewTag(destination, name.WeakValidation)
 		if err != nil {
@@ -126,18 +101,8 @@ func CheckPushPermissions(opts *config.KanikoOptions) error {
 		// in here we keep the backwards compatibility by enabling the GCR helper only
 		// when gcr.io (or pkg.dev) is in one of the destinations.
 		if registryName == "gcr.io" || strings.HasSuffix(registryName, ".gcr.io") || strings.HasSuffix(registryName, ".pkg.dev") {
-			// Checking for existence of docker.config as it's normally required for
-			// authenticated registries and prevent overwriting user provided docker conf
-			if dockerConfNotExists {
-				flags := fmt.Sprintf("--registries=%s", registryName)
-				cmd := execCommand("docker-credential-gcr", "configure-docker", flags)
-				var out bytes.Buffer
-				cmd.Stderr = &out
-				if err := cmd.Run(); err != nil {
-					return errors.Wrap(err, fmt.Sprintf("error while configuring docker-credential-gcr helper: %s : %s", cmd.String(), out.String()))
-				}
-			} else {
-				logrus.Warnf("\nSkip running docker-credential-gcr as user provided docker configuration exists at %s", DockerConfLocation())
+			if err := util.ConfigureGCR(fmt.Sprintf("--registries=%s", registryName)); err != nil {
+				return err
 			}
 		}
 		if opts.Insecure || opts.InsecureRegistries.Contains(registryName) {

pkg/executor/push_test.go

@@ -27,6 +27,7 @@ import (
 	"testing"
 
 	"github.com/GoogleContainerTools/kaniko/pkg/config"
+	"github.com/GoogleContainerTools/kaniko/pkg/util"
 	"github.com/GoogleContainerTools/kaniko/testutil"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
@@ -431,8 +432,8 @@ func TestCheckPushPermissions(t *testing.T) {
 				Destinations: test.Destination,
 			}
 			if test.ExistingConfig {
-				afero.WriteFile(fs, DockerConfLocation(), []byte(""), os.FileMode(0644))
-				defer fs.Remove(DockerConfLocation())
+				afero.WriteFile(fs, util.DockerConfLocation(), []byte(""), os.FileMode(0644))
+				defer fs.Remove(util.DockerConfLocation())
 			}
 			CheckPushPermissions(&opts)
 			for i, shdCall := range test.ShouldCallExecCommand {

pkg/util/gcr_util.go

@@ -0,0 +1,70 @@
+/*
+Copyright 2021 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/afero"
+)
+
+// DockerConfLocation returns the file system location of the Docker
+// configuration file under the directory set in the DOCKER_CONFIG environment
+// variable.  If that variable is not set, it returns the OS-equivalent of
+// "/kaniko/.docker/config.json".
+func DockerConfLocation() string {
+	configFile := "config.json"
+	if dockerConfig := os.Getenv("DOCKER_CONFIG"); dockerConfig != "" {
+		file, err := os.Stat(dockerConfig)
+		if err == nil {
+			if file.IsDir() {
+				return filepath.Join(dockerConfig, configFile)
+			}
+		} else {
+			if os.IsNotExist(err) {
+				return string(os.PathSeparator) + filepath.Join("kaniko", ".docker", configFile)
+			}
+		}
+		return filepath.Clean(dockerConfig)
+	}
+	return string(os.PathSeparator) + filepath.Join("kaniko", ".docker", configFile)
+}
+
+
+func ConfigureGCR(flags string) error {
+	// Checking for existence of docker.config as it's normally required for
+	// authenticated registries and prevent overwriting user provided docker conf
+	_, err := afero.NewOsFs().Stat(DockerConfLocation())
+	dockerConfNotExists := os.IsNotExist(err)
+	if dockerConfNotExists {
+		cmd := exec.Command("docker-credential-gcr", "configure-docker", flags)
+		var out bytes.Buffer
+		cmd.Stderr = &out
+		if err := cmd.Run(); err != nil {
+			return errors.Wrap(err, fmt.Sprintf("error while configuring docker-credential-gcr helper: %s : %s", cmd.String(), out.String()))
+		}
+	} else {
+		logrus.Warnf("\nSkip running docker-credential-gcr as user provided docker configuration exists at %s", DockerConfLocation())
+	}
+	return nil
+}