ECR authentication fails in gcr.io/kaniko-project/executor:debug since version 1.19.1 #2907

Closed
ChristopherKlinge opened this issue Dec 15, 2023 · 1 comment

ChristopherKlinge commented Dec 15, 2023

Actual behavior
As of release 1.19.1 kaniko is no longer able to connect to ECR.

Expected behavior
Authentication for ECR should work as it did in earlier releases.

To Reproduce
Steps to reproduce the behavior:

  1. Use the image gcr.io/kaniko-project/executor:v1.19.1-debug
  2. Use the following code to execute kaniko in the pipeline:
     cd dockerimages/src/main/docker/$CONTAINER_NAME
     mkdir -p /kaniko/.docker
     echo "{\"credHelpers\":{\"$DOCKER_REGISTRY\":\"ecr-login\"}}" > /kaniko/.docker/config.json
     /kaniko/executor $KANIKO_MIRROR_ARGS \
       --context $CONTEXT \
       --destination "$DOCKER_REGISTRY/${IMAGE_NAME}/${STAGE_NAME}/$CONTAINER_NAME:$CI_COMMIT_SHORT_SHA" \
       --destination "$DOCKER_REGISTRY/${IMAGE_NAME}/${STAGE_NAME}/$CONTAINER_NAME:$SemVer-$CI_COMMIT_SHORT_SHA" \
       --build-arg REGISTRY="$DOCKER_REGISTRY/${IMAGE_NAME}/${STAGE_NAME}/" \
       --build-arg HASH="$CI_COMMIT_SHORT_SHA" \
       $KANIKO_USER_OPTS

Additional Information

  • Dockerfile
    Execution fails prior to reaching the actual docker build step.
  • Build Context
    Execution fails prior to reaching the actual docker build step.
  • Kaniko Image (fully qualified with digest)
    gcr.io/kaniko-project/executor:debug
    gcr.io/kaniko-project/executor@sha256:f60ace157b4ce9dd2275981838351da93ed7e0c1eca0efbd82512ee57e95cb59
  • GitLab CI Log
    Running with gitlab-runner 16.4.2 (e77af703)
      on XXXXXXXX, system ID: XXXXXXXX
    Resolving secrets 00:00
    Preparing the "docker+machine" executor 00:06
    Using Docker executor with image gcr.io/kaniko-project/executor:debug ...
    Pulling docker image gcr.io/kaniko-project/executor:debug ...
    Using docker image sha256:070be4aeed707aa03c2670dde249126c51f38fb0741e48ac00d48e4da0990e64 for gcr.io/kaniko-project/executor:debug with digest gcr.io/kaniko-project/executor@sha256:f60ace157b4ce9dd2275981838351da93ed7e0c1eca0efbd82512ee57e95cb59 ...
    Preparing environment 00:01
    Running on XXXXXXXX via XXXXXXXX...
    Getting source from Git repository 00:12
    Fetching changes with git depth set to 20...
    Initialized empty Git repository in /builds/XXXXXXXX/XXXXXXXX/.git/
    Created fresh repository.
    Checking out XXXXXXXX as detached HEAD (ref is XXXXXXXX)...
    Skipping Git submodules setup
    Executing "step_script" stage of the job script 00:01
    Using docker image sha256:070be4aeed707aa03c2670dde249126c51f38fb0741e48ac00d48e4da0990e64 for gcr.io/kaniko-project/executor:debug with digest gcr.io/kaniko-project/executor@sha256:f60ace157b4ce9dd2275981838351da93ed7e0c1eca0efbd82512ee57e95cb59 ...
    $ cd dockerimages/src/main/docker/$CONTAINER_NAME # collapsed multi-line command
    error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "[MASKED].dkr.ecr.eu-central-1.amazonaws.com/XXXXXXXX/dev/XXXXXXXX:XXXXXXXX": POST     https://[MASKED].dkr.ecr.eu-central-1.amazonaws.com/v2/XXXXXXXX/dev/XXXXXXXX/blobs/uploads/: unexpected status code 401 Unauthorized: Not Authorized
    

Triage Notes for the Maintainers

Description Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile

ChristopherKlinge changed the title from "authentication error in newest version of kaniko/executor:debug" to "ECR authentication fails in kaniko-project/executor:v1.19.0-debug" Dec 15, 2023
ChristopherKlinge changed the title from "ECR authentication fails in kaniko-project/executor:v1.19.0-debug" to "ECR authentication fails in kaniko-project/executor:v1.19.1-debug" Dec 15, 2023
ChristopherKlinge changed the title from "ECR authentication fails in kaniko-project/executor:v1.19.1-debug" to "ECR authentication fails in gcr.io/kaniko-project/executor:debug since version 1.19.1" Dec 15, 2023

@aaron-prindle
Collaborator

Thanks for flagging this, kaniko has rolled back latest, debug and slim tags to v1.18.0. Closing this issue as dupe, there is another tracking bug here - #2882
