Kaniko supporting multiple auths #687
Comments
Depending on where you are performing the executor, normally, you will need to mount the docker auth |
It is mounted. I even inject the same config file I use locally. The problem seems to be that it does not recognize more than one registry at a time... so if you have a pull and a push registry that are different, say you want to pull from Docker Hub (as a logged in user; anonymous works) and push to your private registry, it will not work... at least this has been my experience using Kaniko with a GitLab docker runner. I worked around it by pulling from a mirror repository that contained Docker Hub and my own private registries, so I don't have a blocking issue; it's the behavior from Kaniko that does not seem correct to me. It should be able to take all the configuration passed, meaning all auth tokens for the respective registries. |
I have the same kind of problem. I try to publish my container to the gitlab registry and gcr; individually it works, but not with both of them.

Build Docker image:
  stage: build
  # Using debug image for gitlab-ci purpose https://docs.gitlab.com/ee/ci/docker/using_kaniko.html
  image:
    name: gcr.io/kaniko-project/executor:debug-v0.10.0
    entrypoint: [""]
  script:
    - export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/my_gcr_creds.json"
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context $(pwd) --dockerfile ./Dockerfile --destination $GCR_REPO --destination $GITLAB_DOCKER_REPO |
Any update on this issue? I need to pull from a private registry and push to AWS. |
Any status on this feature request? |
@AASanchezA I'd expect you could mount or otherwise write the |
@edvald In the end I solved it by running two separate jobs in my gitlab-ci.yml, one for each registry that I need to push the container image to. This is working quite well, but the image is being built two times. |
If the goal is to be able to publish to GCR and to something else, this is absolutely feasible by providing two auth entries in What you can't do is to publish to multiple GCR projects having different credentials, because the authentication key is the hostname. You would have more than one entry under |
@gawi how does the config.json look in this case? What would be the content of the auth field for gcr: |
@Shanuson Assuming you use the JSON key file method to authenticate to GCR:
And the repositories can then be:
Each of them can have a different account key. Obviously, this is a hack, it doesn't scale and you are at the mercy of the CNAME entries on the Google side. This is a last resort solution. |
As far as I can tell this works. I have two registries and I would like to push the same image to both. In config.json
This prevents the dual build. I did not test with tokens or other types of registries; in this case both CIA and CIB are Nexus registries. |
If you want to push to GCR using a JSON key file and also to other registries, you must define Example with https://docs.gitlab.com/ee/ci/docker/using_kaniko.html and also GCR:

build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  variables:
    GOOGLE_APPLICATION_CREDENTIALS: /path/to/key.json
  script:
    - |
      cat <<EOF > /kaniko/.docker/config.json
      {
        "auths": {
          "$CI_REGISTRY": {
            "username": "$CI_REGISTRY_USER",
            "password": "$CI_REGISTRY_PASSWORD"
          }
        },
        "credHelpers": {
          "eu.gcr.io": "gcr"
        }
      }
      EOF
    - >
      /kaniko/executor
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile
      --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
      --destination eu.gcr.io/gcp-project/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME:$CI_COMMIT_SHORT_SHA |
Yeah @seboudry's solution looks right; the kaniko docker image has Maybe this should work too:

cat <<EOF > /kaniko/.docker/config.json
{
  "auths": {
    "$CI_REGISTRY": {
      "auth": "$BASE64_ENCODED_USERNAME_AND_PASSWORD"
    }
  }
}
EOF
docker-credential-gcr configure-docker

Note that the above example is for GitLab CI. If you use Google Cloud Build, the config file should be something like:

steps:
- name: gcr.io/kaniko-project/executor:debug
  entrypoint: sh
  args:
  - -cx
  - |
    cat <<EOF > /kaniko/.docker/config.json
    {
      "auths": {
        "$CI_REGISTRY": {
          "auth": "$BASE64_ENCODED_USERNAME_AND_PASSWORD"
        }
      }
    }
    EOF
    docker-credential-gcr configure-docker
  volumes:
  - name: kaniko-docker-config
    path: /kaniko/.docker
- name: gcr.io/kaniko-project/executor:latest
  args: [ ... ] # as usual
  volumes:
  - name: kaniko-docker-config
    path: /kaniko/.docker |
Hi, sorry if that's not the right place to post, but has anyone successfully authenticated Kaniko to GCR with the JSON key? Before, I was using the Docker CLI... then
But with Kaniko, impossible to succeed for now. I followed https://github.com/GoogleContainerTools/kaniko#pushing-to-google-gcr and my service account is mounted in my CI/CD, and even by doing:
I'm always facing an "Access denied" whereas with I guess I missed something but I don't understand what. I still have the solution of creating the Thank you, |
It was a mistake from me... Exporting the environment variable in a different step was not persisted to the Kaniko build step. The solution was to directly populate Sorry for disturbing, |
Has there been any update on this issue? With the recent change to the Docker Pull Limit I am needing to be able to pull the base image from Docker Hub as an authenticated user so that I can build my Docker Image which is then pushed up to our own private registry in ECR. |
Hello, I just encountered the problem here, with the need to pull an image from repository A and then push the built image to repository B, both registries having the same hostname. I have a config.json like this:

{
  "auths": {
    "example.com/registryA": { // Pull
      "username": "userA",
      "password": "passA"
    },
    "example.com/registryB": { // Push
      "username": "userB",
      "password": "passB"
    }
  }
}

Using CNAMEs as a workaround is not possible. |
Hi @Wykiki, no... the config json is simply to provide the credentials. |
Since I stumbled across this issue and I think it is a little bit related, I will share what worked for me:

echo -n <USERNAME>:<PASSWORD> | base64

And the format of the

{
  "auths": {
    "example.com/registryA": {
      "auth":"<BASE64_RESULT>"
    },
    "example.com/registryB": {
      ...
    },
    ...
  }
} |
Kaniko version: v1.6.0. It looks like Kaniko considers only the first entry in config.json. I can successfully pull the base image from an authenticated registry, and push back the result image & cache layers. Simply reordering items in config.json breaks the build. |
I'm also having this problem. I am discontinuing using kaniko and fell back to regular, limited docker builder hosts using Docker-in-Docker, or remote via SSH when isolation is required, since this is such a blocker when it comes to Kaniko. I guess this is what you trade off when kaniko basically has to re-invent the whole auth wheel. :( |
I ran into the same problem. I want to push the same version of the image from the CI/CD pipeline to Docker Hub and ECR. |
Hi, this impacts me too. I've tried reading through the code, but I can't work out where the code is that only reads the first item in |
Hi, in case anyone runs into the following case:
if AWS ECR is involved, using instance role permissions, there is no need to add anything to
kaniko used: v1.7.0 |
FWIW, for configuring and using different auth for different registries, Kaniko should already support that, and if it doesn't, that's definitely a bug. But for different repos within the same registry, I'm afraid there's not a lot we can do unless we diverge from Docker's behavior. |
@imjasonh Thanks for the info, very useful. I can confirm that we are able to use different auth with different registries:
That gives us more of the flexibility we were looking for. |
It sounds like this issue is resolved, please respond or file a new issue if this isn't the case. |
I don't believe it's resolved. @jonathanmedd's statement just means that 1 of the 2 use cases mentioned below works:
I guess the question is, does Kaniko want to provide the latter...? |
Just FTR, this does not "not work" in all possible scenarios. kaniko works nicely for us with setups where, for example, AWS ECR access is constrained by IAM roles for different kaniko nodes, or even by the available AWS credential per kaniko CI job if you use AWS SDK profiles (supported by the ecr-login credential helper). The capabilities of AWS IAM strip away the need to deal with subpaths/repositories in the "Docker" configuration. Of course it'd be nice to have this work in the general case, though from an engineering perspective you could always provide a registry proxy to map different domain names to URI paths. I've seen this in practice as well (https://registry.whateverproxy.internal => https://bigserver.com/registry/). It might even be preferable in more locked down environments. |
In this case, I don't think Kaniko should extend to support this, since |
Yes, unfortunately docker appears to have this limitation:
However I can do this with |
Interesting! Can you tell whether/how these separate auths are configured in Podman's auth config, in If there's precedent for Podman supporting this, then it might be easier to justify changing that behavior for Kaniko, and possibly even other go-containerregistry consumers. edit: |
Yes, because my API keys are scoped to each repository (so I must be logged into both). |
@imjasonh apologies - it took me a while to find them - I'm on Ubuntu on WSL2 and |
@imjasonh should this issue be reopened? |
Yep. I've reopened google/go-containerregistry#1280 to discuss supporting this in go-containerregistry, which we'd then update here, and in other tools that use that library. |
The following configuration works for us: Gitlab and ECR registry auth
I use Gitlab and AWS ECR as docker registries and am transitioning to use AWS ECR in the future. |
I've built and pushed images using that code at
If you get a chance please try them out and let me know if those do/don't work for you 👍 |
@imjasonh I'm afraid it didn't work:
(I'm running this via Tekton on OpenShift, using: |
I've also tried
Ran this command:
(And yes, I have checked the credentials outside of Kaniko and they allow me to push/pull as required - sorry!) |
Was anyone able to use #1939?

{
  "auths": {
    "registry.internal/namespaceA": {
      "username": "test",
      "password": "<redacted>"
    },
    "registry.internal/namespaceB": {
      "username": "test",
      "password": "<redacted>"
    }
  }
}

@imjasonh I see that your MR states

Update:
kaniko will sometimes start pushing to the namespaceA repo and sometimes to the namespaceB repo. |
I'm not sure why those boxes were ticked, I don't believe I did that. Or if I did, it was a mistake. There are indeed no tests for this. I'll reopen this since it seems the fix in go-containerregistry doesn't address the issue here. If anybody has more time to look into this that would be helpful, it may take me some time to get back to it. |
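Added example (not code from this issue, from Kaniko, or from go-containerregistry): a small Go model of how a Docker-style config.json is consulted for an image reference, written to make concrete @gawi's and @imjasonh's point that the lookup key is the registry hostname, and to show why the namespaceA/namespaceB config above can end up pushing with either credential. It parses the `auths` and `credHelpers` sections (the layout used in the GitLab CI and Cloud Build snippets earlier in the thread), reduces every key to its host by dropping scheme and path, prefers a credential helper registered for that host, decodes the base64 `user:password` form of the `auth` field described above, and refuses to choose between two entries that collapse to the same host rather than picking one by map iteration order. The hosts, account id and secrets in the embedded config are constructed for the example; `hostnameOf`, `registryOf`, `KeysByHost` and `Resolve` are this example's own names, and the whole thing is a simplified model rather than Docker's or go-containerregistry's actual implementation.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// dockerConfig covers the two config.json sections that drive registry auth.
type dockerConfig struct {
	Auths       map[string]authEntry `json:"auths"`
	CredHelpers map[string]string    `json:"credHelpers"`
}

// authEntry holds either username/password or base64("user:password") in "auth".
type authEntry struct {
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
	Auth     string `json:"auth,omitempty"`
}

// Credential is a lookup result: a helper program name, or a user/password pair.
type Credential struct{ Helper, Username, Password string }

// Constructed sample config: hosts, account id and secrets are hypothetical.
var sampleConfig = fmt.Sprintf(`{
  "auths": {
    "registry.gitlab.com": {"auth": %q},
    "https://index.docker.io/v1/": {"username": "hubuser", "password": "hubpass"},
    "example.com/registryA": {"username": "userA", "password": "passA"},
    "example.com/registryB": {"username": "userB", "password": "passB"}
  },
  "credHelpers": {"eu.gcr.io": "gcr", "123456789012.dkr.ecr.eu-west-1.amazonaws.com": "ecr-login"}
}`, base64.StdEncoding.EncodeToString([]byte("gitlab-ci-token:example-token")))

func LoadConfig(raw string) (dockerConfig, error) {
	var cfg dockerConfig
	err := json.Unmarshal([]byte(raw), &cfg)
	return cfg, err
}

// hostnameOf reduces a config key to its registry host (the granularity of the Docker
// config model): "https://eu.gcr.io" -> "eu.gcr.io", "example.com/registryA" -> "example.com".
func hostnameOf(key string) string {
	key = strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
	if i := strings.IndexByte(key, '/'); i >= 0 {
		key = key[:i]
	}
	return key
}

// registryOf extracts the registry host from an image reference; no slash, or a first
// segment without '.' or ':' that is not "localhost", means Docker Hub.
func registryOf(ref string) string {
	i := strings.IndexByte(ref, '/')
	if i < 0 {
		return "index.docker.io"
	}
	if first := ref[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return "index.docker.io"
}

// KeysByHost groups "auths" keys by the host they reduce to. A host with more than one
// key is ambiguous: only one entry can ever be used for it, and the file does not say which.
func KeysByHost(cfg dockerConfig) map[string][]string {
	byHost := map[string][]string{}
	for k := range cfg.Auths {
		byHost[hostnameOf(k)] = append(byHost[hostnameOf(k)], k)
	}
	for _, keys := range byHost {
		sort.Strings(keys)
	}
	return byHost
}

// Resolve picks the credential for an image reference: a credential helper for the host
// wins, otherwise the single "auths" entry for that host. Two entries for one host are
// reported as an error instead of being chosen by map iteration order.
func Resolve(cfg dockerConfig, ref string) (Credential, error) {
	host := registryOf(ref)
	if helper, ok := cfg.CredHelpers[host]; ok {
		return Credential{Helper: helper}, nil
	}
	keys := KeysByHost(cfg)[host]
	switch len(keys) {
	case 0:
		return Credential{}, fmt.Errorf("no credentials for %s; clients fall back to anonymous", host)
	case 1:
		return decode(cfg.Auths[keys[0]])
	default:
		return Credential{}, fmt.Errorf("ambiguous: %v all map to host %s", keys, host)
	}
}

// decode validates the base64 "auth" form and returns a username/password pair.
func decode(e authEntry) (Credential, error) {
	if e.Auth == "" {
		return Credential{Username: e.Username, Password: e.Password}, nil
	}
	raw, err := base64.StdEncoding.DecodeString(e.Auth)
	user, pass, ok := strings.Cut(string(raw), ":")
	if err != nil || !ok {
		return Credential{}, fmt.Errorf("auth must be base64 of user:password: %v", err)
	}
	return Credential{Username: user, Password: pass}, nil
}
```

Running `KeysByHost` over a generated config.json before the build step turns the silent "sometimes namespaceA, sometimes namespaceB" behaviour into an explicit ambiguity error, and the per-host resolution shows which of the thread's setups the model accepts: one credential (or one credential helper) per host, with repository-level restriction left to the registry's own IAM as in the ECR setups described above.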
A little tip for people with the same need as I have (being able to read/write multiple GCloud registries): it is possible to use a single service account with permissions on multiple projects. So for example, for only one service account:

{
  "auths": {
    "https://eu.gcr.io": {
      "username": "_json_key",
      "password": "<service account json key>"
    }
  }
}

No need to use multiple auths as you use one single domain. |
I've also faced the same error when using two different container registries in Azure. I am using the config.json file as below, but it fires an error: For verbose messaging see aws.Config.CredentialsChainVerboseErrors {
This helped me solve the issue with pulling images from ECR and pushing to Harbor docker registry at the same time. Thanks for the hint! |
Actual behavior
Currently using a private pull and a private push registry, so the user needs to be logged in to both private registries.
Currently when building I get
"No matching credentials were found, falling back on anonymous"
Expected behavior
What is the proper usage for pulling images from Docker Hub?
To Reproduce
Steps to reproduce the behavior:
Does the kaniko debug image perform a docker login under the hood... how should I pass it the information?