Unable to push image to GCR when using base image from private registry #1293

Open
sameersbn opened this issue Jun 2, 2020 · 1 comment
Labels
area/registry For all bugs having to do with pushing/pulling into registries kind/enhancement New feature or request kind/question Further information is requested needs-reproduction priority/p2 High impact feature/bug. Will get a lot of users happy

Comments

@sameersbn

Actual behavior

Unable to build and push an image to the gcr registry when using a base image from a private registry.

Expected behavior

Should be able to pull images from a private registry to build my docker image and push the image to gcr registry.

To Reproduce

I have a Dockerfile that uses a base image registry.redhat.io/rhel8/nginx-116 from registry.redhat.io, which is a private registry. The Dockerfile looks something like this:

```dockerfile
FROM registry.redhat.io/rhel8/nginx-116
...
...
CMD /usr/libexec/s2i/run
```

I use Cloud Build to build and push the image to gcr.io using the kaniko executor. The cloudbuild.yaml is defined like so:

```yaml
steps:
- name: 'busybox'
  id: dockerconfig
  entrypoint: 'sh'
  args:
  - '-c'
  - |
    if [ $_DOCKER_CONFIG != '{}' ]; then
      cat <<EOF >/kaniko/.docker/config.json
    ${_DOCKER_CONFIG}
    EOF
    fi
  volumes:
  - name: 'docker'
    path: /kaniko/.docker

- name: 'gcr.io/kaniko-project/executor:latest'
  args:
  - --destination=gcr.io/$PROJECT_ID/console:${COMMIT_SHA}
  - --no-push=${_KANIKO_NO_PUSH}
  - ${_KANIKO_EXTRA_ARGS}
  volumes:
  - name: 'docker'
    path: /kaniko/.docker
  waitFor: ['dockerconfig']

timeout: 600s

substitutions:
  _DOCKER_CONFIG: '{}'
  _KANIKO_NO_PUSH: "false"

options:
  substitution_option: 'ALLOW_LOOSE'
```

The dockerconfig step populates the config.json for kaniko so that it can pull the image from the redhat registry.

Steps to reproduce the behavior:

When I try to build the image with:

```sh
gcloud builds submit --config cloudbuild.test.yaml --substitutions _DOCKER_CONFIG='{"auths":{"https://registry.redhat.io/v2/":{"auth":"Zm9vOmJhcg=="}}}'
```

The build fails with the following UNAUTHORIZED error:

```
Step #1: error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "gcr.io/xxx/yyy:": creating push check transport for gcr.io failed: GET https://gcr.io/v2/token?scope=repository%3Axxx%2Fyyy%3Apush%2Cpull&service=gcr.io: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
```

If I build with the --no-push argument, the build succeeds, indicating that kaniko was able to pull the image from the redhat registry.

```sh
gcloud builds submit --config cloudbuild.test.yaml --substitutions _DOCKER_CONFIG='{"auths":{"https://registry.redhat.io/v2/":{"auth":"Zm9vOmJhcg=="}}}',_KANIKO_NO_PUSH=true
```

I am not able to understand why kaniko is not able to AUTHORIZE with GCR when I have a custom config.json defined for redhat authentication.

Is there a way to make this use-case work with kaniko?

Thanks for your help!
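A diagnostic for the situation reported above, added here as an example and not code from the issue author or the kaniko project: it lists which registries the substituted `_DOCKER_CONFIG` carries credentials for and which registries used by the build have no entry in it. The function names and the host normalization are assumptions of this example, and it says nothing about credentials kaniko may obtain from elsewhere.

```python
import base64
import json

def registry_host(ref: str) -> str:
    """Reduce an image reference or a config.json key to its registry host.
    Assumes fully qualified references (registry host is the first path element)."""
    ref = ref.split("://", 1)[-1]      # drop "https://" from keys like the one in the issue
    return ref.split("/", 1)[0].lower()

def credential_sources(config_text: str) -> dict:
    """Map registry host -> how this config.json would authenticate to it."""
    cfg = json.loads(config_text)
    sources = {}
    for key, entry in cfg.get("auths", {}).items():
        user = ""
        if "auth" in entry:  # "auth" is base64("user:password"): an encoding, not encryption
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        sources[registry_host(key)] = f"static auth (user {user!r})"
    for key, helper in cfg.get("credHelpers", {}).items():
        sources[registry_host(key)] = f"credential helper {helper!r}"
    return sources

def uncovered(config_text: str, image_refs: list) -> list:
    """Registries referenced by the build that have no entry in the config."""
    cfg = json.loads(config_text)
    if cfg.get("credsStore"):          # a global credential store may cover any registry
        return []
    known = credential_sources(config_text)
    hosts = {registry_host(r) for r in image_refs}
    return sorted(h for h in hosts if h not in known)

# Values taken from the issue: the substituted _DOCKER_CONFIG, the base image,
# and the destination as it appears in the error message.
ISSUE_CONFIG = '{"auths":{"https://registry.redhat.io/v2/":{"auth":"Zm9vOmJhcg=="}}}'
BUILD_REFS = ["registry.redhat.io/rhel8/nginx-116", "gcr.io/xxx/yyy"]

if __name__ == "__main__":
    for host, how in credential_sources(ISSUE_CONFIG).items():
        print(f"{host}: {how}")
    for host in uncovered(ISSUE_CONFIG, BUILD_REFS):
        print(f"{host}: no entry in config.json")
```

Because the `auth` value is only base64, passing it through `--substitutions` on the command line exposes the registry password wherever that command or the build's substitutions are recorded.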

@tmshn

tmshn commented Aug 27, 2020

duplicate of #687 ?

@aaron-prindle aaron-prindle added area/registry For all bugs having to do with pushing/pulling into registries needs-reproduction priority/p2 High impact feature/bug. Will get a lot of users happy kind/question Further information is requested kind/enhancement New feature or request labels May 18, 2023