Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use kaniko with docker config.json password #129

Merged
merged 6 commits into from
Oct 4, 2019

Conversation

carlossg
Copy link
Contributor

Allow standard docker config.json authentication using username and password, ie. for hub.docker.com.

Opening for reference and to start the discussion on how to add more Docker credential helpers

Configuration

Get your docker registry user and password encoded in base64

echo USER:PASSWORD | base64

Create a config.json file with your docker registry url and the previous generated base64 string

{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "xxxxxxxxxxxxxxx"
		}
	}
}

Run kaniko

docker run -ti --rm -v `pwd`:/workspace -v config.json:/root/.docker/config.json:ro csanchez/kaniko --dockerfile=Dockerfile --destination=yourimagename

ADD files/docker-credential-gcr /usr/local/bin/
ADD files/config.json /root/.docker/
RUN ["docker-credential-gcr", "config", "--token-source=env"]
ADD files/docker-credential-pass /usr/local/bin/
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! We're actually only adding the gcr helper from a file here because it's still a special build we had to make to get it to run in this container. We're going to move it to a real release build soon. Would you mind using the ADD https:// format to add it without needing to check it in here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

turns out that docker-credential-pass is not needed at all for config.json credentials, so it's just a matter of documentation

It's not really needed to use config.json credentials
Works with the standard kaniko docker image
@carlossg
Copy link
Contributor Author

Fixes #109 #124

@carlossg
Copy link
Contributor Author

carlossg commented Apr 25, 2018

I have an example running on Kubernetes with Jenkins using standard docker-registry credentials at jenkinsci/kubernetes-plugin#312

It would be something like

kind: Pod
 metadata:
   name: kaniko
 spec:
   containers:
   - name: kaniko
     image: gcr.io/kaniko-project/executor:latest
     args: ["--dockerfile=<path to Dockerfile>",
            "--destination=<https://myregistry:50000/$PROJECT/$IMAGE:$TAG>"]
     imagePullPolicy: Always
     volumeMounts:
       - name: jenkins-docker-cfg
         mountPath: /root
   volumes:
     - name: jenkins-docker-cfg
       secret:
         secretName: regcred

@seeekr
Copy link

seeekr commented Jun 30, 2018

Hey! Wondering what the status is here, having kaniko push to a plain old docker registry is something I'd like to be able to do!

@everpeace
Copy link
Contributor

everpeace commented Jul 3, 2018

Mee too!!! I really want to push my image to private docker registry.

But, in my try, public gcr.io/kaniko-project/executor:latest doesn't support config.json created by kubectl create secret docker-registry command???

I confirmed my private repository works fine and my k8s cluster can pull my private image by imagePullSecrets.

$ kubectl create secret docker-registry myregistry-creds \
  --docker-username=___YOUR_USERNAME___ \
  --docker-password=___YOUR_PASSWORD___  \
  --docker-email=___YOUR_EMAIL___ \
  --docker-server=myregistry
 
$ kubectl get secret myregistry-creds -ojsonpath="{.data['\.dockerconfigjson']}" | base64 -D | jq .
{
  "auths": {
    "myregistry": {
      "username": "___YOUR_USERNAME___",
      "password": "___YOUR_PASSWORD___",
      "email": "___YOUR_EMAIL___",
      "auth": "____base64_encoded_string_of_username:password____"
    }
  }
}

$ cat << EOT  > manifest.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kaniko-context
data:
  Dockerfile: |
    FROM ubuntu:latest
    RUN echo hello
---
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args: ["--dockerfile=/context/Dockerfile",
           "--context=/context",
           "--destination=myregistry/my-user/test-kaniko:latest"]
    volumeMounts:
      - name: context
        mountPath: /context
      - name:  myregistry-creds
        mountPath: /root/
  restartPolicy: Never
  volumes:
    - name: myregistry-cred
      projected:
        sources:
        - secret:
            name: myregistry-cred
            items:
            - key: .dockerconfigjson
              path: .docker/config.json
    - name: context
      configMap:
        name: kaniko-context
EOT

$ kubectl create -f manifest.yaml

$ kubecl logs kaniko
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/lib/dpkg because it was added by a prior layer"
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/lib/dpkg/diversions because it was added by a prior layer"
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/run because it is whitelisted"
time="2018-07-03T10:05:04Z" level=info msg="Taking snapshot of full filesystem..."
time="2018-07-03T10:05:05Z" level=info msg="cmd: /bin/sh"
time="2018-07-03T10:05:05Z" level=info msg="args: [-c echo hello]"
hello
time="2018-07-03T10:05:05Z" level=info msg="Taking snapshot of full filesystem..."
time="2018-07-03T10:05:06Z" level=info msg="No files were changed, appending empty layer to config."
time="2018-07-03T10:05:06Z" level=error msg="UNAUTHORIZED: \"authentication required\""

@carlossg
Copy link
Contributor Author

carlossg commented Jul 3, 2018

Kaniko does support docker credentials, see documentation in this PR on how to use it, and example with Jenkins at https://github.com/jenkinsci/kubernetes-plugin/blob/master/examples/kaniko.groovy

@everpeace
Copy link
Contributor

@carlossg Thank you for the info. After I looked the kaniko.groovy, I understood that mounting image pull secret which is created by kubectl create secret docker-registry command is the key. Am I right??

Then, I can't understand why my example above doesn't work...

Would you mind guding me how to fix my example??? 🙇

@everpeace
Copy link
Contributor

everpeace commented Jul 4, 2018

@carlossg Figured it out. As you mentioned, kaniko supports loading config.json via go-containerregistry. However, go-containerregistry can't push a container image including layers which come from the different registry. Currently, it probably works only for GCR, ECR or DockerHub unfortunately.

For example,

FROM ubuntu:latest  # this layer comes from 'index.docker.io'
RUN echo hello

When trying to push an image built from the above Dockerfile to your private registry (say myregistry), then go-containerregistry fails because it tries to use Cross Repository Blob Mount API even though the private registry doesn't have libarary/ubuntu repository. Moreover, I think it's dangerous because the FROM layer doesn't come from the private registry.

Thus, I created an issue google/go-containerregistry#219 so that kaniko supports any private registries.

@jonjohnsonjr
Copy link
Contributor

However, go-containerregistry can't push a container image including layers which come from the different registry. Currently, it probably works only for GCR, ECR or DockerHub unfortunately.

What makes you think that? We target schema 2 images for the registry API, so in theory it should work for any (modern) compliant registry. 😅

@everpeace
Copy link
Contributor

everpeace commented Jul 5, 2018

What makes you think that?

my apologies 🙇 I rushed... Private registry implementation which I used would probably be a reason of the problem.

@andreykaipov
Copy link

This is an old PR but I wanted to mention that I had to find it and https://docs.gitlab.com/ce/ci/docker/using_kaniko.html#building-a-docker-image-with-kaniko to figure out how to get Kaniko to successfully auth against our private registry.

Issue #109 was closed by #167, but that only added instructions for Amazon ECR, so I feel this PR is still appreciated. :-)

README.md Outdated
}
```

Run kaniko with the `config.json` inside `/root/.docker/config.json`

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should now be /kaniko/.docker/config.json because of e3f4dc4

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this comment @andrewrynhard . I had the same issue and pointing it to /kaniko/.docker/config.json solved NOT AUTHENTICATED issue.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!! done!!

@tejal29 tejal29 merged commit de093f9 into GoogleContainerTools:master Oct 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.