Use kaniko with docker config.json password #129
deploy/Dockerfile
Outdated
ADD files/docker-credential-gcr /usr/local/bin/ | ||
ADD files/config.json /root/.docker/ | ||
RUN ["docker-credential-gcr", "config", "--token-source=env"] | ||
ADD files/docker-credential-pass /usr/local/bin/ |
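Review bot: the `ADD files/docker-credential-pass /usr/local/bin/` line copies a checked-in binary into the image, and nothing in this hunk pins its version or checks its digest. Consider fetching a tagged release and verifying a checksum in the same build step, so the provenance of a helper that handles registry credentials can be reviewed.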
Nice! We're actually only adding the gcr helper from a file here because it's still a special build we had to make to get it to run in this container. We're going to move it to a real release build soon. Would you mind using the ADD https:// format to add it without needing to check it in here?
turns out that `docker-credential-pass` is not needed at all for `config.json` credentials, so it's just a matter of documentation
It's not really needed to use config.json credentials
Works with the standard kaniko docker image
I have an example running on Kubernetes with Jenkins using standard It would be something like
Hey! Wondering what the status is here, having kaniko push to a plain old docker registry is something I'd like to be able to do!
Me too!!! I really want to push my image to private docker registry. But, in my try, public I confirmed my private repository works fine and my k8s cluster can pull my private image by

```
$ kubectl create secret docker-registry myregistry-creds \
    --docker-username=___YOUR_USERNAME___ \
    --docker-password=___YOUR_PASSWORD___ \
    --docker-email=___YOUR_EMAIL___ \
    --docker-server=myregistry
$ kubectl get secret myregistry-creds -ojsonpath="{.data['\.dockerconfigjson']}" | base64 -D | jq .
{
  "auths": {
    "myregistry": {
      "username": "___YOUR_USERNAME___",
      "password": "___YOUR_PASSWORD___",
      "email": "___YOUR_EMAIL___",
      "auth": "____base64_encoded_string_of_username:password____"
    }
  }
}
$ cat << EOT > manifest.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kaniko-context
data:
  Dockerfile: |
    FROM ubuntu:latest
    RUN echo hello
---
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args: ["--dockerfile=/context/Dockerfile",
           "--context=/context",
           "--destination=myregistry/my-user/test-kaniko:latest"]
    volumeMounts:
    - name: context
      mountPath: /context
    - name: myregistry-creds
      mountPath: /root/
  restartPolicy: Never
  volumes:
  - name: myregistry-creds
    projected:
      sources:
      - secret:
          name: myregistry-creds
          items:
          - key: .dockerconfigjson
            path: .docker/config.json
  - name: context
    configMap:
      name: kaniko-context
EOT
$ kubectl create -f manifest.yaml
$ kubectl logs kaniko
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/lib/dpkg because it was added by a prior layer"
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/lib/dpkg/diversions because it was added by a prior layer"
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/run because it is whitelisted"
time="2018-07-03T10:05:04Z" level=info msg="Taking snapshot of full filesystem..."
time="2018-07-03T10:05:05Z" level=info msg="cmd: /bin/sh"
time="2018-07-03T10:05:05Z" level=info msg="args: [-c echo hello]"
hello
time="2018-07-03T10:05:05Z" level=info msg="Taking snapshot of full filesystem..."
time="2018-07-03T10:05:06Z" level=info msg="No files were changed, appending empty layer to config."
time="2018-07-03T10:05:06Z" level=error msg="UNAUTHORIZED: \"authentication required\""
```
Kaniko does support docker credentials, see documentation in this PR on how to use it, and example with Jenkins at https://github.com/jenkinsci/kubernetes-plugin/blob/master/examples/kaniko.groovy

@carlossg Thank you for the info. After I looked the Then, I can't understand why my example above doesn't work... Would you mind guiding me how to fix my example??? 🙇
@carlossg Figured it out. As you mentioned, kaniko supports loading For example,

```
# this layer comes from 'index.docker.io'
FROM ubuntu:latest
RUN echo hello
```

When trying to push an image built from the above Thus, I created an issue google/go-containerregistry#219 so that kaniko supports any private registries.
What makes you think that? We target schema 2 images for the registry API, so in theory it should work for any (modern) compliant registry. 😅

my apologies 🙇 I rushed... Private registry implementation which I used would probably be a reason of the problem.

This is an old PR but I wanted to mention that I had to find it and https://docs.gitlab.com/ce/ci/docker/using_kaniko.html#building-a-docker-image-with-kaniko to figure out how to get Kaniko to successfully auth against our private registry. Issue #109 was closed by #167, but that only added instructions for Amazon ECR, so I feel this PR is still appreciated. :-)
README.md
Outdated
} | ||
``` | ||
|
||
Run kaniko with the `config.json` inside `/root/.docker/config.json` |
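Review bot: the sentence "Run kaniko with the `config.json` inside `/root/.docker/config.json`" gives the destination path but not how the file should get there. Since this file carries the registry login, the README should say to supply it at run time (a mounted volume or secret) rather than copying it into an image layer, and show the mount in the run command.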
This should now be `/kaniko/.docker/config.json` because of e3f4dc4
Thanks for this comment @andrewrynhard . I had the same issue and pointing it to /kaniko/.docker/config.json solved NOT AUTHENTICATED issue.
thanks!! done!!
Allow standard docker `config.json` authentication using username and password, i.e. for `hub.docker.com`.

Opening for reference and to start the discussion on how to add more Docker credential helpers

Configuration

Get your docker registry user and password encoded in base64

Create a `config.json` file with your docker registry url and the previous generated base64 string

Run kaniko
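
The configuration steps above, as an added example that is not part of the PR: POSIX shell functions that build the `auth` string and write `config.json` for one registry. The function names are hypothetical, and a `base64` that accepts `--decode` is assumed.

```shell
#!/bin/sh
# Added example; encode_auth, decode_auth and write_docker_config are
# hypothetical helper names, not part of kaniko or Docker.

# Encode "user:password" for the "auth" field of config.json.
# printf (not echo) keeps a trailing newline out of the encoded secret,
# and tr removes the line wraps some base64 tools insert on long input.
encode_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode an auth string to check exactly what the registry will receive.
decode_auth() {
    printf '%s' "$1" | base64 --decode
}

# Write config.json for one registry, readable by the owner only.
# Usage: write_docker_config <registry-url> <user> <password> <output-file>
write_docker_config() {
    registry=$1; user=$2; password=$3; out=$4
    auth=$(encode_auth "$user" "$password")
    (
        umask 077   # base64 is an encoding, not encryption: restrict the file
        cat > "$out" <<EOF
{
  "auths": {
    "$registry": {
      "auth": "$auth"
    }
  }
}
EOF
    )
}
```

Mount the resulting file at the path kaniko reads; the review thread above gives `/kaniko/.docker/config.json` after e3f4dc4.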