kaniko icon indicating copy to clipboard operation
kaniko copied to clipboard
verified publisher icon GoogleContainerTools

GitLab CI: Docker Config.json not being correctly passed for private harbor repository

Open iiqqrs opened this issue 10 months ago • 1 comments

Actual behavior Kaniko '/kaniko/.docker/config.json' not correctly passing credentials for private harbor container registry in GitLab CI/CD.

We have tested registry-map and registry-mirror flags interchangeably and the results are always the same: WARN[0000] Failed to retrieve image build from remapped registry registry1.website.com: unable to complete operation after 0 attempts, last error: GET https://registry1.website.com/v2/harbor/projects/3/repositories/library/build/manifests/latest: UNAUTHORIZED: project harbor not found: project harbor not found. Will try with the next registry, or fallback to the original registry. 

# Kaniko job to build and push container image
build-container:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug # Debug neded for gitlab-ci see https://docs.gitlab.com/ee/ci/docker/using_kaniko.html
    entrypoint: [""]
  variables:
    DOCKER_CONFIG_JSON: |
      {
          "auths":{
              "registry1.website.com":{
                  "auth":"{BASE64CREDSHERE}"
              }
          }
      }
  before_script:
    - echo $DOCKER_CONFIG_JSON > /kaniko/.docker/config.json
  script:
    - >
      /kaniko/executor
      --context="${CI_PROJECT_DIR}"
      --dockerfile="${CI_PROJECT_DIR}/Dockerfile"
      --destination="${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"
      --build-arg BUILD_ID="${CI_PIPELINE_ID}"
      --build-arg CI_JOB_TOKEN="${CI_JOB_TOKEN}"
      --build-arg CI="${CI}"
      --build-arg NPM_REGISTRY="${NPM_REGISTRY}"
      --cache=true
      --skip-default-registry-fallback
      --registry-map "index.docker.io=registry1.website.com/harbor/projects/3/repositories"

The credentials have been validated to log into the registry1.website.com docker registry locally - validating the credentials are fine: H:\>docker login registry1.website.com Username: USER_NAME Password: Login Succeeded

The Dockerfile begins with: FROM registry1.website.com/project/opensource/apache/tomcat9-openjdk17:latest

Expected behavior I expect the '/kaniko/.docker/config.json' file to pass the appropriate credentials to kaniko to use when pulling from a private harbor registry.

Triage Notes for the Maintainers

Description Yes/No
Please check if this a new feature you are proposing
  • - [ ]
Please check if the build works in docker but not in kaniko
  • - [ ]
Please check if this error is seen when you use --cache flag
  • - [X]
Please check if your dockerfile is a multistage dockerfile
  • - [X]

iiqqrs avatar Feb 20 '25 19:02 iiqqrs

@iiqqrs This works for me. You can try

 - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json

I use this for gitlab regsitry, replace the variables with your values.

kha7iq avatar Apr 14 '25 06:04 kha7iq