Use kaniko with docker config.json password #129
Conversation
deploy/Dockerfile
Outdated
| ADD files/docker-credential-gcr /usr/local/bin/ | ||
| ADD files/config.json /root/.docker/ | ||
| RUN ["docker-credential-gcr", "config", "--token-source=env"] | ||
| ADD files/docker-credential-pass /usr/local/bin/ |
There was a problem hiding this comment.
Nice! We're actually only adding the gcr helper from a file here because it's still a special build we had to make to get it to run in this container. We're going to move it to a real release build soon. Would you mind using the ADD https:// format to add it without needing to check it in here?
There was a problem hiding this comment.
turns out that docker-credential-pass is not needed at all for config.json credentials, so it's just a matter of documentation
It's not really needed to use config.json credentials
Works with the standard kaniko docker image
|
I have an example running on Kubernetes with Jenkins using standard It would be something like |
|
Hey! Wondering what the status is here, having kaniko push to a plain old docker registry is something I'd like to be able to do! |
|
Mee too!!! I really want to push my image to private docker registry. But, in my try, public I confirmed my private repository works fine and my k8s cluster can pull my private image by $ kubectl create secret docker-registry myregistry-creds \
--docker-username=___YOUR_USERNAME___ \
--docker-password=___YOUR_PASSWORD___ \
--docker-email=___YOUR_EMAIL___ \
--docker-server=myregistry
$ kubectl get secret myregistry-creds -ojsonpath="{.data['\.dockerconfigjson']}" | base64 -D | jq .
{
"auths": {
"myregistry": {
"username": "___YOUR_USERNAME___",
"password": "___YOUR_PASSWORD___",
"email": "___YOUR_EMAIL___",
"auth": "____base64_encoded_string_of_username:password____"
}
}
}
$ cat << EOT > manifest.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: kaniko-context
data:
Dockerfile: |
FROM ubuntu:latest
RUN echo hello
---
apiVersion: v1
kind: Pod
metadata:
name: kaniko
spec:
containers:
- name: kaniko
image: gcr.io/kaniko-project/executor:latest
args: ["--dockerfile=/context/Dockerfile",
"--context=/context",
"--destination=myregistry/my-user/test-kaniko:latest"]
volumeMounts:
- name: context
mountPath: /context
- name: myregistry-creds
mountPath: /root/
restartPolicy: Never
volumes:
- name: myregistry-cred
projected:
sources:
- secret:
name: myregistry-cred
items:
- key: .dockerconfigjson
path: .docker/config.json
- name: context
configMap:
name: kaniko-context
EOT
$ kubectl create -f manifest.yaml
$ kubecl logs kaniko
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/lib/dpkg because it was added by a prior layer"
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/lib/dpkg/diversions because it was added by a prior layer"
time="2018-07-03T10:05:04Z" level=info msg="Not adding /var/run because it is whitelisted"
time="2018-07-03T10:05:04Z" level=info msg="Taking snapshot of full filesystem..."
time="2018-07-03T10:05:05Z" level=info msg="cmd: /bin/sh"
time="2018-07-03T10:05:05Z" level=info msg="args: [-c echo hello]"
hello
time="2018-07-03T10:05:05Z" level=info msg="Taking snapshot of full filesystem..."
time="2018-07-03T10:05:06Z" level=info msg="No files were changed, appending empty layer to config."
time="2018-07-03T10:05:06Z" level=error msg="UNAUTHORIZED: \"authentication required\"" |
|
Kaniko does support docker credentials, see documentation in this PR on how to use it, and example with Jenkins at https://github.com/jenkinsci/kubernetes-plugin/blob/master/examples/kaniko.groovy |
|
@carlossg Thank you for the info. After I looked the Then, I can't understand why my example above doesn't work... Would you mind guding me how to fix my example??? 🙇 |
|
@carlossg Figured it out. As you mentioned, kaniko supports loading For example, FROM ubuntu:latest # this layer comes from 'index.docker.io'
RUN echo helloWhen trying to push an image built from the above Thus, I created an issue google/go-containerregistry#219 so that kaniko supports any private registries. |
What makes you think that? We target schema 2 images for the registry API, so in theory it should work for any (modern) compliant registry. 😅 |
my apologies 🙇 I rushed... Private registry implementation which I used would probably be a reason of the problem. |
|
This is an old PR but I wanted to mention that I had to find it and https://docs.gitlab.com/ce/ci/docker/using_kaniko.html#building-a-docker-image-with-kaniko to figure out how to get Kaniko to successfully auth against our private registry. Issue #109 was closed by #167, but that only added instructions for Amazon ECR, so I feel this PR is still appreciated. :-) |
README.md
Outdated
| } | ||
| ``` | ||
|
|
||
| Run kaniko with the `config.json` inside `/root/.docker/config.json` |
There was a problem hiding this comment.
This should now be /kaniko/.docker/config.json because of e3f4dc4
There was a problem hiding this comment.
Thanks for this comment @andrewrynhard . I had the same issue and pointing it to /kaniko/.docker/config.json solved NOT AUTHENTICATED issue.
Allow standard docker
config.jsonauthentication using username and password, ie. forhub.docker.com.Opening for reference and to start the discussion on how to add more Docker credential helpers
Configuration
Get your docker registry user and password encoded in base64
Create a
config.jsonfile with your docker registry url and the previous generated base64 stringRun kaniko