
Yet Another Authentication Problem

Open dcarlet opened this issue 8 months ago • 1 comments

Actual behavior

Kaniko fails to authenticate to local Artifactory registry using multiple different methods to generate the docker config json.

    INFO[0000] Retrieving image manifest artifactory.local.domain/path/to/image:v1.0.0 
    INFO[0000] Retrieving image artifactory.local.domain/path/to/image:v1.0.0 from registry artifactory.local.domain 
    error building image: unable to complete operation after 0 attempts, last error: GET https://artifactory.local.domain/v2/path/to/image/manifests/v1.0.0: UNAUTHORIZED: The client does not have permission for manifest; map[manifest:path/to/image/v1.0.0/manifest.json]

Expected behavior

Kaniko should correctly authenticate to container registries for both pull and push, and then correctly pull and build the image.

To Reproduce

Steps to reproduce the behavior:

  1. Set the /kaniko/.docker/config.json file auths in accordance with documentation for Artifactory, ex:

    export ART_AUTH=$(echo -n ${ARTIFACTORY_CI_USER}:${ARTIFACTORY_CI_USER_ID_TOKEN} | base64 | tr -d '\n')
    echo "{\"auths\":{\"${ARTIFACTORY_REG}\":{\"auth\":\"${ART_AUTH}\"}}}" >> /kaniko/.docker/config.json

     I also attempted it by generating the credentials using:

    echo "{\"auths\":{\"${ARTIFACTORY_REG}\":{\"auth\":\"$(printf "%s:%s" "${ARTIFACTORY_CI_USER}" "${ARTIFACTORY_CI_USER_ID_TOKEN}" | base64 | tr -d '\n')\"}}}" >> /kaniko/.docker/config.json

  2. Attempt to build a dockerfile where the FROM image is specified in local Artifactory.

Additional Information

  • Building the dockerfile locally works fine with both Podman and Docker.
  • The docker config file in the kaniko container looks identical to my local podman auths.json file when generated in either fashion, and the base64 decode returns correct username/password. (Authenticated to the registry using ARTIFACTORY_CI_USER_ID_TOKEN as the password)
  • Testing this outside of Gitlab CI also fails.
  • Testing this outside of Gitlab CI by volume mounting in my current machine's podman auths.json file and the dockerfile also fails with the same error.
  • Curling the manifest file succeeds:

    curl --header "Authorization: Bearer ${ARTIFACTORY_CI_USER_ID_TOKEN}" -X GET https://artifactory.local.domain/v2/path/to/image/manifests/v3.4.11
    <spew of manifest>

  • The kaniko executor call from the pipeline (or local container attempts) is as follows:

    /kaniko/executor --context "${CTX}" --dockerfile "${CTX}/Dockerfile" --destination "${CONTAINER_IMAGE}:${CONTAINER_TAG}" -v debug

  • Dockerfile looks like:

    FROM artifactory.local.domain/path/to/image:v1.0.0
    COPY all-relevant-cas.crt /etc/ssl/certs/ca.crt
    ENV SSL_CERT_FILE=/etc/ssl/certs/ca.crt

  • I additionally also tried with the --skip-tls-verify flags (various combinations) in case there was an SSL problem, and that didn't change anything.
  • This auth method works just fine for the gitlab container registry (replacing the artifactory creds with $CI_REGISTRY, $CI_REGISTRY_USER, and $CI_REGISTRY_PASSWORD, obviously).
  • Tested with versions v1.11.0 and v1.19.0

Triage Notes for the Maintainers

| Description | Yes/No |
| --- | --- |
| Please check if this is a new feature you are proposing | [ ] |
| Please check if the build works in docker but not in kaniko | [X] |
| Please check if this error is seen when you use --cache flag | [ ] |
| Please check if your dockerfile is a multistage dockerfile | [ ] |

dcarlet, Dec 12 '23 18:12

I've also tried using the

{
  "username":"usernamehere"
  "password":"passwordhere"
}

format, as well as a straight-up copy of a dockerconfigjson from a k8s secret.

dcarlet, Dec 12 '23 18:12
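An added example, not part of the issue thread and not kaniko's own code: a shape check for a docker config.json like the ones generated in the steps above, useful for ruling out file-level problems before debugging registry permissions. The function name `lint_docker_config`, the host `registry.example.test` and the credentials are constructed placeholders, and the checks are assumptions about what is worth verifying in the file, not a reproduction of how kaniko resolves credentials.

```python
import base64
import json

def lint_docker_config(text, registry):
    """Return a list of shape problems in a docker config.json for `registry`."""
    body = text.strip()
    try:
        cfg, end = json.JSONDecoder().raw_decode(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = []
    if body[end:].strip():
        # Typical result of '>>' appending to a file that already had content.
        problems.append("trailing data after the first JSON document")
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict):
        return problems + ["no top-level 'auths' object"]
    entry = auths.get(registry)
    if not isinstance(entry, dict):
        known = ", ".join(sorted(auths)) or "none"
        return problems + [f"no auths entry for {registry!r} (have: {known})"]
    if "auth" in entry:
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode("utf-8")
        except (ValueError, TypeError):
            return problems + ["'auth' is not valid base64 text"]
        user, sep, secret = decoded.partition(":")
        if not (sep and user and secret):
            problems.append("'auth' does not decode to user:secret")
        elif decoded != decoded.strip():
            problems.append("'auth' decodes with leading or trailing whitespace")
    elif not (entry.get("username") and entry.get("password")):
        problems.append("entry has neither 'auth' nor username/password")
    return problems

# Constructed sample data: placeholder host and made-up credentials.
REG = "registry.example.test"
GOOD = json.dumps({"auths": {REG: {"auth": base64.b64encode(b"ci-user:tok123").decode()}}})
SAMPLES = {
    "good": GOOD,
    "appended to existing file": "{}\n" + GOOD,
    "credentials without auths wrapper": '{"username": "u", "password": "p"}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {lint_docker_config(text, REG) or 'ok'}")
```

The registry argument must match the key under `auths` exactly as written in the file; the check does no host normalization.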