skaffold
kaniko build can't find registry certificate
I have a self-signed cert, configured in registryCertificate,
but it looks like kaniko hasn't read it
Expected behavior
at least kaniko tries to read my cert
Actual behavior
kaniko hasn't read my cert
WARN[0000] Failed to load certificate ./rootCA.crt for registry.example.dev error="open ./rootCA.crt: no such file or directory"
Information
- Skaffold version: v1.39.1
- Operating system: Ubuntu 22.04 LTS
- Installed via: Follow skaffold.dev instructions
curl -Lo skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-amd64 && \
sudo install skaffold /usr/local/bin/
- Contents of skaffold.yaml:
apiVersion: skaffold/v2beta29
kind: Config
metadata:
  name: Foo
build:
  cluster:
    namespace: kaniko # I created this namespace, with regcred
    dockerConfig:
      secretName: regcred
  artifacts:
    - image: registry.example.dev/my-image
      kaniko:
        registryCertificate:
          registry.example.dev: ./rootCA.crt
          # also tried
          # registry.example.dev: rootCA.crt
ls -la
-rw-rw-r-- Dockerfile
-rw-rw-r-- rootCA.crt
-rw-rw-r-- skaffold.yaml
Steps to reproduce the behavior
- a clonable repository with the sample skaffold project
skaffold run
Generating tags...
- registry.example.dev/my-image -> registry.example.dev/my-image:3eba5e1-dirty
Checking cache...
- registry.example.dev/my-image: Not found. Building
Starting build...
Creating docker config secret [regcred]...
Building [registry.example.dev/my-image]...
Target platforms: [linux/amd64]
WARN[0000] Failed to load certificate ./rootCA.crt for registry.example.dev error="open ./rootCA.crt: no such file or directory"
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "registry.example.dev/my-image:3eba5e1-dirty": creating push check transport for registry.example.dev failed: Get "https://registry.example.dev/v2/": x509: certificate signed by unknown authority
build [registry.example.dev/my-image] failed: pod has failed
And I just tried creating the kaniko pod directly.
It can read my rootCA.crt, so I think this problem is related to skaffold
ls -la
-rw-rw-r-- Dockerfile
-rw-rw-r-- rootCA.crt
-rw-rw-r-- kaniko.yaml
-rw-rw-r-- skaffold.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
  namespace: kaniko
spec:
  containers:
    - name: kaniko
      image: gcr.io/kaniko-project/executor:latest
      args: [
        "--dockerfile=/kaniko/buildcontext/Dockerfile",
        "--context=dir:///kaniko/buildcontext",
        "--destination=registry.example.dev/my-image:123456",
        "--registry-certificate=registry.example.dev=/kaniko/buildcontext/rootCA.crt"
        ]
      volumeMounts:
        - name: docker-cfg
          mountPath: /kaniko/.docker
        - name: buildcontext
          mountPath: /kaniko/buildcontext
  restartPolicy: Never
  volumes:
    - name: buildcontext
      persistentVolumeClaim:
        claimName: buildcontext
    - name: docker-cfg
      secret:
        secretName: regcred
        defaultMode: 420
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: buildcontext
  namespace: kaniko
spec:
  storageClassName: local-storage
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: buildcontextpv
  namespace: kaniko
  labels:
    type: local
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: local-storage
  hostPath:
    path: /full/Path/To/Folder
Thanks @xlebenny. Currently we need help fixing kaniko skaffold integration issues. This is a lower priority issue for us. Please comment to re-open.
@tejal29 When approximately are you going to fix this bug?
I came across the issue with kaniko as well when I used a path relative to the build context directory for a certificate:
--registry-certificate my.registry=./my-cert.crt
But when I used an absolute path, everything works as expected.
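
A pre-flight check for the relative-path failure reported in this thread, as an added example that is not part of the original issue and is not skaffold or kaniko code: it parses `--registry-certificate` values from a kaniko argument list and flags certificate paths that are relative or that fall outside the container's volume mounts. The function names, the sample argument lists and the volume-mount heuristic are assumptions made for illustration.

```python
import posixpath

FLAG = "--registry-certificate"

# Constructed sample inputs, modelled on the manifests quoted in this issue.
MOUNTS = ["/kaniko/.docker", "/kaniko/buildcontext"]
GOOD_ARGS = [
    "--context=dir:///kaniko/buildcontext",
    "--registry-certificate=registry.example.dev=/kaniko/buildcontext/rootCA.crt",
]
BAD_ARGS = ["--registry-certificate", "registry.example.dev=./rootCA.crt"]


def registry_cert_args(args):
    """Yield (registry, path) from '--flag=reg=path' and '--flag reg=path' forms."""
    it = iter(args)
    for arg in it:
        if arg == FLAG:
            value = next(it, "")
        elif arg.startswith(FLAG + "="):
            value = arg[len(FLAG) + 1:]
        else:
            continue
        registry, _, path = value.partition("=")
        yield registry, path


def lint(args, mount_paths):
    """Return (registry, path, problem) findings; an empty list means no issue."""
    findings = []
    for registry, path in registry_cert_args(args):
        if not registry or not path:
            problem = "malformed, expected registry=path"
        elif not posixpath.isabs(path):
            problem = "relative path"
        elif not any(
            posixpath.commonpath([posixpath.normpath(path), posixpath.normpath(m)])
            == posixpath.normpath(m)
            for m in mount_paths
        ):
            # Heuristic (assumption): the cert is expected to come from a volume.
            problem = "not under any volumeMount"
        else:
            continue
        findings.append((registry, path, problem))
    return findings


if __name__ == "__main__":
    for finding in lint(GOOD_ARGS, MOUNTS) + lint(BAD_ARGS, MOUNTS):
        print(finding)
```

Running such a check before the build surfaces the path problem up front instead of as the later `x509: certificate signed by unknown authority` error.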