
Setting `--kaniko-dir` (or `KANIKO_DIR`) clobbers `DOCKER_CONFIG` if it is explicitly set.

Open hrivera-ntap opened this issue 1 year ago • 2 comments

Actual behavior

When --kaniko-dir (or KANIKO_DIR) is set to a non-standard location, this code: https://github.com/GoogleContainerTools/kaniko/blob/main/cmd/executor/cmd/root.go#L312 overwrites the DOCKER_CONFIG environment variable to point to a different and unintended location.

Expected behavior

Setting DOCKER_CONFIG with either --kaniko-dir or KANIKO_DIR should utilize the docker config credential file provided by the user.

To Reproduce

Steps to reproduce the behavior:

  1. Override DOCKER_CONFIG in the environment
  2. Run a kaniko executor job with --kaniko-dir set (and observe that the DOCKER_CONFIG you provided is not used)

Triage Notes for the Maintainers

| Description | Yes/No |
|---|---|
| Please check if this is a new feature you are proposing | - [ ] |
| Please check if the build works in docker but not in kaniko | - [ ] |
| Please check if this error is seen when you use --cache flag | - [ ] |
| Please check if your dockerfile is a multistage dockerfile | - [ ] |

hrivera-ntap, Apr 26 '24 23:04

The workaround for this is to manually copy the docker config into the directory that kaniko wants it to be in.

hrivera-ntap, Apr 26 '24 23:04

I suspect that these incompatibilities are the result of kaniko storing configuration data (registry auth files, tls certs, etc...) in the same place that it uses to generate the data files ("operating folder") for the container image that is to be built.

Ideally these two folders would be separated so that one could change the "operating folder" to be a separate location, one that is not backed by memory for instance. Using kaniko in a kubernetes environment typically requires mounting read-only configmaps for supplying the credentials and additional certificates required for authenticating with private registries. In this case, passing in --kaniko-dir causes kaniko to break because it attempts to copy & rm -rf the configmap backed files to the directory defined by --kaniko-dir. There are ways to directly mount the configmaps into the desired --kaniko-dir destination ahead of time.

I also found that you have to explicitly set SSL_CERT_FILE=${kanikoDir}/ssl/certs/ca-certificates.crt, if you override the kaniko directory. Otherwise you'll hit cert verification issues.

hrivera-ntap, Apr 27 '24 00:04
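
The workaround from the two comments above, as an added example that is not from the issue or the kaniko project: a shell function that stages the user's Docker config and CA bundle into a custom kaniko directory and sets `SSL_CERT_FILE`. The `.docker` subdirectory, the function name and its arguments are assumptions; the issue does not state where kaniko repoints `DOCKER_CONFIG`.

```shell
#!/bin/sh
# Added example (not kaniko project code): pre-stage credentials and CA bundle
# into the directory that will be passed as --kaniko-dir / KANIKO_DIR.
# Assumption: kaniko looks for the Docker config under "<kaniko-dir>/.docker".

stage_kaniko_dir() {
    src_cfg_dir=$1   # directory the user's DOCKER_CONFIG points at (may be a read-only mount)
    src_ca=$2        # CA bundle that must be trusted for the private registry
    kaniko_dir=$3    # value that will be given to --kaniko-dir / KANIKO_DIR

    # Refuse to continue with missing inputs instead of building unauthenticated.
    [ -f "$src_cfg_dir/config.json" ] || { echo "no config.json in $src_cfg_dir" >&2; return 1; }
    [ -f "$src_ca" ] || { echo "CA bundle $src_ca not found" >&2; return 1; }

    # Registry credentials: owner-only directory and file.
    ( umask 077
      mkdir -p "$kaniko_dir/.docker" &&
      cp "$src_cfg_dir/config.json" "$kaniko_dir/.docker/config.json" &&
      chmod 600 "$kaniko_dir/.docker/config.json" ) || return 1

    # CA bundle at the path the issue says SSL_CERT_FILE must point to.
    mkdir -p "$kaniko_dir/ssl/certs" &&
    cp "$src_ca" "$kaniko_dir/ssl/certs/ca-certificates.crt" || return 1

    # Fail closed if the staged credentials differ from what the user supplied.
    cmp -s "$src_cfg_dir/config.json" "$kaniko_dir/.docker/config.json" || return 1

    SSL_CERT_FILE="$kaniko_dir/ssl/certs/ca-certificates.crt"
    export SSL_CERT_FILE
}
```

Call it before the executor starts, for example `stage_kaniko_dir "$DOCKER_CONFIG" /path/to/ca.crt "$KANIKO_DIR"`, where the CA path is a placeholder.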