
kaniko in-cluster build: pulling kaniko images from private registry w/ image pull secret

Open dherges opened this issue 9 months ago • 1 comments

Expected behavior

Pull the kaniko image and initImage from a private registry with pull secret credentials

The private registry requires an imagePullSecret for the kaniko pod spec

The dockerConfig.secretName and pullSecretName are only mounted inside the kaniko pod, if I understand correctly. The use case described by me would require a pull secret for the kaniko images themselves.

For my personal use case, it would solve the issue if the cluster.pullSecretName was also added to the kaniko PodSpec:

	// Add secret for pull secret
	if b.ClusterDetails.PullSecretName != "" {
		addSecretVolume(pod, kaniko.DefaultSecretName, b.ClusterDetails.PullSecretMountPath, b.ClusterDetails.PullSecretName)

		pod.Spec.ImagePullSecrets = []v1.LocalObjectReference{{
			Name: b.ClusterDetails.PullSecretName,
		}}
	}

Could that be added as a general option? What do you think?

Actual behavior

Failed to pull image "private.registry.com/k8s-skaffold/skaffold-helpers/busybox": rpc error: code = Unknown desc = failed to pull and unpack image "private.registry.com/k8s-skaffold/skaffold-helpers/busybox": failed to resolve reference "private.registry.com/k8s-skaffold/skaffold-helpers/busybox": failed to authorize: failed to fetch anonymous token: unexpected status: 401

Information

  • Skaffold version: v2.8.0
  • Operating system: Windows 7
  • Installed via: skaffold.dev standalone executable
  • Contents of skaffold.yaml:
build:
  artifacts:
    - image: private.registry.com/myapp
      kaniko: 
        initImage: private.registry.com/k8s-skaffold/skaffold-helpers/busybox
        image: private.registry.com/kaniko-project/executor
  cluster:
    dockerConfig:
      secretName: private-registry-push
    pullSecretName: private-registry-pull

Steps to reproduce the behavior

  1. a private container registry at private.registry.com that requires token authentication for pulling images
  2. skaffold build
time="2023-11-10T10:35:02+01:00" level=info msg="Waiting for kaniko-m8x5s to be initialized" subtask=private.registry.com/myapp task=Build copying sources: waiting for pod to initialize: context deadline exceeded

dherges Nov 10 '23 10:11
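Added example (not part of the issue and not skaffold's code): a secret mounted as a volume is only readable by processes inside the container, while the kubelet authenticates the image pull itself from the pod's imagePullSecrets. The check below uses local stand-in types and constructed manifests modelled on the skaffold.yaml above to list the images that would be requested anonymously; it assumes no service-account or node-level registry credentials.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the Pod schema (local types for this example, not k8s.io/api).
type container struct{ Name, Image string }

type pod struct {
	Spec struct {
		InitContainers   []container
		Containers       []container
		ImagePullSecrets []struct{ Name string }
	}
}

// Constructed manifests: same containers, secret mounted as a volume vs. listed as a pull secret.
const containers = `"initContainers":[{"name":"init","image":"private.registry.com/k8s-skaffold/skaffold-helpers/busybox"}],
"containers":[{"name":"kaniko","image":"private.registry.com/kaniko-project/executor"}]`
const mountedOnly = `{"spec":{` + containers + `,"volumes":[{"name":"pull-secret","secret":{"secretName":"private-registry-pull"}}]}}`
const withPullSecret = `{"spec":{` + containers + `,"imagePullSecrets":[{"name":"private-registry-pull"}]}}`

// unpullableImages returns the images on registryHost that the kubelet would
// request without credentials because the pod lists no imagePullSecrets.
// Simplification: any listed pull secret is treated as sufficient.
func unpullableImages(manifest, registryHost string) ([]string, error) {
	var p pod
	if err := json.Unmarshal([]byte(manifest), &p); err != nil {
		return nil, err
	}
	if len(p.Spec.ImagePullSecrets) > 0 {
		return nil, nil
	}
	var out []string
	for _, group := range [][]container{p.Spec.InitContainers, p.Spec.Containers} {
		for _, c := range group {
			if strings.HasPrefix(c.Image, registryHost+"/") {
				out = append(out, c.Image)
			}
		}
	}
	return out, nil
}

func main() {
	for _, m := range []string{mountedOnly, withPullSecret} {
		fmt.Println(unpullableImages(m, "private.registry.com"))
	}
}
```

Volumes in the manifest are ignored on purpose: a mounted secret never reaches the kubelet's image pull, which is why the first manifest reports both images.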

I let ChatGPT try very hard, here's what it had to say... chat.txt

dherges Nov 10 '23 10:11