Setting --kaniko-dir (or KANIKO_DIR) clobbers DOCKER_CONFIG if it is explicitly set. #3141

Open
hrivera-ntap opened this issue Apr 26, 2024 · 2 comments


@hrivera-ntap

Actual behavior
When --kaniko-dir (or KANIKO_DIR) is set to a non-standard location, this code: https://github.com/GoogleContainerTools/kaniko/blob/main/cmd/executor/cmd/root.go#L312 overwrites the DOCKER_CONFIG environment variable to point to a different and unintended location.

Expected behavior
Setting DOCKER_CONFIG with either --kaniko-dir or KANIKO_DIR should utilize the docker config credential file provided by the user.

To Reproduce
Steps to reproduce the behavior:

  1. Override DOCKER_CONFIG in the environment
  2. Run a kaniko executor job with --kaniko-dir set (and observe that the DOCKER_CONFIG you provided is not used)

Triage Notes for the Maintainers

| Description | Yes/No |
| --- | --- |
| Please check if this is a new feature you are proposing | |
| Please check if the build works in docker but not in kaniko | |
| Please check if this error is seen when you use --cache flag | |
| Please check if your dockerfile is a multistage dockerfile | |

@hrivera-ntap
Author

The workaround for this is to manually copy the docker config into the directory that kaniko wants it to be.

@hrivera-ntap
Author

hrivera-ntap commented Apr 27, 2024

I suspect that these incompatibilities are the result of kaniko storing configuration data (registry auth files, TLS certs, etc.) in the same place that it uses to generate the data files ("operating folder") for the container image that is to be built.

Ideally these two folders would be separated so that one could change the "operating folder" to be a separate location, one that is not backed by memory for instance. Using kaniko in a Kubernetes environment typically requires mounting read-only configmaps for supplying the credentials and additional certificates required for authenticating with private registries. In this case, passing in --kaniko-dir causes kaniko to break because it attempts to copy & rm -rf the configmap backed files to the directory defined by --kaniko-dir. There are ways to directly mount the configmaps into the desired --kaniko-dir destination ahead of time.

I also found that you have to explicitly set SSL_CERT_FILE=${kanikoDir}/ssl/certs/ca-certificates.crt, if you override the kaniko directory. Otherwise you'll hit cert verification issues.
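
An added sketch of the workaround described in this thread (not part of the original comments and not kaniko's code): it copies the user's `config.json` into a destination directory with owner-only permissions and sets `SSL_CERT_FILE` to the path quoted above. The function name `stage_kaniko_config` and its destination-directory argument are assumptions; pass whichever directory your kaniko build reads its Docker config from.

```shell
#!/bin/sh
# Added example, not kaniko's code. stage_kaniko_config is a hypothetical helper.
#   $1  directory holding the user's config.json (the intended DOCKER_CONFIG)
#   $2  directory kaniko reads its Docker config from once the kaniko dir is
#       relocated (assumption: supplied by the caller, not derived here)
#   $3  the value passed to --kaniko-dir / KANIKO_DIR
stage_kaniko_config() {
    src_dir=$1
    dest_dir=$2
    kaniko_dir=$3

    if [ ! -f "$src_dir/config.json" ]; then
        echo "stage_kaniko_config: no config.json in $src_dir" >&2
        return 1
    fi

    # config.json carries registry credentials: keep the copy owner-only.
    ( umask 077 && mkdir -p "$dest_dir" ) || return 1
    chmod 700 "$dest_dir" || return 1

    # -L follows symlinks, which is how ConfigMap and Secret volumes expose
    # their files; the read-only source itself is never modified.
    cp -L "$src_dir/config.json" "$dest_dir/config.json" || return 1
    chmod 600 "$dest_dir/config.json" || return 1

    # Refuse to continue with a truncated or stale copy.
    if ! cmp -s "$src_dir/config.json" "$dest_dir/config.json"; then
        echo "stage_kaniko_config: copy differs from source" >&2
        return 1
    fi

    # From the thread: the CA bundle path must follow the relocated directory.
    SSL_CERT_FILE="$kaniko_dir/ssl/certs/ca-certificates.crt"
    export SSL_CERT_FILE
}
```

Run it in an init container or wrapper step before the executor starts, since the credentials must already be in place when the build begins.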
