This repository has been archived by the owner on Sep 6, 2019. It is now read-only.

Credential helper support in kaniko build #32

Open
mchmarny opened this issue Jul 10, 2018 · 14 comments
Labels: bug (Something isn't working)

Comments

@mchmarny
Member

No description provided.

@mchmarny mchmarny added the bug Something isn't working label Jul 10, 2018
@imjasonh
Member

Kaniko should use k8schain to automatically pick up k8s credentials. It currently only uses authn.DefaultKeychain to authorize pushes (and base image pulls).

/cc @dlorenc @mattmoor

@dlorenc
Contributor

dlorenc commented Jul 10, 2018

Is k8schain going to move somewhere permanent?

@mattmoor
Member

I think we should move it under authn as a subpackage. It'll mean vendoring more into ggcr, but it will also be prunable by consumers of the library (unless they use k8schain).

The main modification I want is to support a no-K8s-client version (just the contextual auth == universal cred helper). Right now it is meant to be linked by a K8s controller that can do super-userish things like grab secrets, and we don't want to require that in all contexts (e.g. kaniko).

@mattmoor
Member

@mattmoor
Member

I think we still need the capacity to compose authn.Keychains, so that k8schain can be a fallback when authn.DefaultKeychain falls back on anonymous. I'll think on this and hopefully get a (separate) PR together.
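
Added example (not part of the original thread, and not go-containerregistry code): a minimal sketch of the keychain composition described in the comment above, where a second keychain is consulted only when the first resolves to anonymous. `Cred`, `Keychain`, `staticKeychain`, `failingKeychain` and `Fallback` are hypothetical stand-ins for the `authn` types, and the registry hosts and usernames are constructed sample data.

```go
package main

import "fmt"

// Cred and Keychain are simplified stand-ins for this example (assumptions),
// not the authn types from go-containerregistry.
type Cred struct{ Username string }

// Anonymous is what a keychain returns when it holds nothing for a registry.
var Anonymous = Cred{}

type Keychain interface {
	Resolve(registry string) (Cred, error)
}

// staticKeychain maps registry hosts to credentials (constructed sample data);
// unknown hosts resolve to the zero value, which is Anonymous.
type staticKeychain map[string]Cred

func (s staticKeychain) Resolve(registry string) (Cred, error) { return s[registry], nil }

// failingKeychain models a credential source that cannot be reached.
type failingKeychain struct{}
func (failingKeychain) Resolve(string) (Cred, error) {
	return Anonymous, fmt.Errorf("credential source unavailable")
}

// Fallback tries keychains in order and returns the first non-anonymous
// credential. Errors propagate instead of silently downgrading to anonymous.
type Fallback []Keychain

func (f Fallback) Resolve(registry string) (Cred, error) {
	for _, kc := range f {
		c, err := kc.Resolve(registry)
		if err != nil {
			return Anonymous, err
		}
		if c != Anonymous {
			return c, nil
		}
	}
	return Anonymous, nil
}

func main() {
	def := staticKeychain{"gcr.io": {Username: "from-docker-config"}}
	k8s := staticKeychain{"registry.example.internal": {Username: "from-pull-secret"}}
	fmt.Println(Fallback{def, k8s}.Resolve("registry.example.internal"))
}
```

Order matters: the first keychain that returns a non-anonymous credential wins, so a later keychain never overrides an earlier one for the same registry.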

@mattmoor
Member

This will be fixed by: GoogleContainerTools/kaniko#243

@jchesterpivotal

... just ran smack into this one :|

@imjasonh
Member

@jchesterpivotal I'm confused, I would expect this to be fixed by GoogleContainerTools/kaniko#243 which has been merged and released AFAIK.

What's the error you're seeing?

@mattmoor
Member

I think kaniko needs to release?

@imjasonh
Member

https://gcr.io/kaniko-project/executor claims the image was released 2 hours ago, and has many builds since that PR was merged.

/cc @priyawadhwa

@mattmoor
Member

@priyawadhwa

It looks like gcr.io/kaniko-project/executor:latest isn't the same as when I build it locally @ HEAD

We use build triggers to deploy the image, and I think something went wrong there because the commit tagged version of the image gcr.io/kaniko-project/executor:8f71b7fb260cd08f1acd9b7854df9a82a444382c is correct, but gcr.io/kaniko-project/executor:latest, which is built via

docker tag gcr.io/kaniko-project/executor:8f71b7fb260cd08f1acd9b7854df9a82a444382c gcr.io/kaniko-project/executor:latest

is different.

I reran the trigger and they seem to be the same now, so hopefully that should fix this issue. Unfortunately I'm not sure why it happened :(

@jchesterpivotal

Still seeing this behaviour. I may be looking at a different bug on Kaniko though.

@priyawadhwa

@jchesterpivotal, could you comment on that issue with some more information? The error you're seeing and the Dockerfile you're trying to build would be really helpful.

6 participants