GoogleContainerTools
Can't access credentials from kaniko pod to authenticate bundle install private repos over https
2 months ago with below set up, kaniko was able to grab the credentials from CICD runner to run bundle install that contains private repos. It used CI gitlab self generated username and password to authenticate with bundle install
build_container:
stage: build
image:
name: [gcr.io/kaniko-project/executor:debug](http://gcr.io/kaniko-project/executor:debug)
entrypoint: [""]
script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$COMMIT_TAG
rules:
but now this fails with error of unable to find username in the CICD logs
we found a workaround where we set git config url. and we needed to define cred variables in Dockerfile like below
ARG CI_USER
ARG CI_PASSWORD
RUN git config --global url."https://$CI_USER:[email protected]".insteadOf "https://gitlab.com/"
and I had to pass --build-args to kaniko executor
- /kaniko/executor --context $CI_PROJECT_DIR --build-arg=CI_USER=$GIT_USERNAME --build-arg=CI_PASSWORD=$GIT_PASSWORD --dockerfile $CI_PROJECT_DIR/Dockerfile.e2e --destination $GITLAB_E2E_LATEST --destination $GITLAB_E2E
this workaround works. But we don't want to keep those credentials in the image that will be pushed at the end.
Is there another way to force it to grab credentials from config.json or pass git config url in different way? did kaniko change the way it recognizes the credentials?
@ruslanovna thank you for flagging this issue. Can you confirm what issue version of Kaniko this was working with prior (I believe that v1.9.2 was the latest version ~2 mo prior to May 4th 2023 when this issue was posted) and additionally if this is currently still not working with the latest version of Kaniko ``v1.11.0`?
