How to setup kaniko pull registry? (using private pull and push registry)


Dan Mendes

Jun 3, 2019, 12:32:51 PM
to kaniko-users
Dears, this has probably been discussed before but I could not find good results.

I am currently able to push to a private registry without issue; however, we also have a private pull registry with images that are not on Docker Hub, and for this I still have not found a way to make it work, with "No matching credentials were found, falling back on anonymous" messages all over the place.

So perhaps I am missing something very basic, but how can I set up Kaniko to pull images from my private registry?

/kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG

Is there something like --source so it uses a mirror or private registry all the time?

Jim Walters

Aug 30, 2019, 1:01:35 PM
to kaniko-users
I have the same question. I'm sourcing container images from my private Artifactory server and can't get the base image to pull from there (needs credentials).

Tommy Reilly

Mar 7, 2020, 5:54:50 PM
to kaniko-users
Hi Dan, Jim,

I’m facing this same challenge. Looks like you didn’t get any replies. Did you work something out to get round this limitation or just give it up?

Thanks in advance if you have any feedback.

Tommy

Jim Walters

Mar 9, 2020, 3:19:11 PM
to Tommy Reilly, kaniko...@googlegroups.com
Here is the set of YAMLs I believe work. (Note the use of the service account):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: github-access
  - name: basic-user-pass

---
apiVersion: v1
data:
  password: <base64 password>
  username: <base64 username>
kind: Secret
metadata:
  name: basic-user-pass
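  annotations:
    # Tekton uses this annotation to write the credentials above into the
    # step's Docker config for this registry host.
    tekton.dev/docker-0: https://<private registry URL>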
type: kubernetes.io/basic-auth

---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: docker-image-resource
spec:
  type: image
  params:
    - name: url
      value: <private registry URL>:/bandr/tekton-example:1.0.5

---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: git-resource
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/<my path>

---
apiVersion: v1
data:
  namespace: <base64>
  password: <github password>
  username: <github username>
kind: Secret
metadata:
  annotations:
    tekton.dev/git-0: https://github.com
  labels:
    service-account: build-bot
  name: github-access
type: kubernetes.io/basic-auth


---
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-push-docker-from-git-task
spec:
  inputs:
    resources:
      - name: workspace
        type: git
    params:
      - name: pathToDockerFile
        type: string
        description: The path to the dockerfile to build
        default: /workspace/Dockerfile
      - name: pathToContext
        type: string
        description:
          The build context used by Kaniko
          (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
        default: /workspace
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor
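      env:
        # Points kaniko at the Docker config.json that Tekton generates from
        # the service account's annotated secrets.
        - name: "DOCKER_CONFIG"
          value: "/builder/home/.docker/"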
      command:
        - /kaniko/executor
      args:
        - --dockerfile=${inputs.params.pathToDockerFile}
        - --destination=${outputs.resources.builtImage.url}
        - --context=${inputs.params.pathToContext}
        - --cache=false

---
apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.com # Described below
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <private key>
  # This is non-standard, but its use is encouraged to make this more secure.
  known_hosts: <known host>

---
apiVersion: tekton.dev/v1alpha1
kind: PipelineRun
metadata:
  name: poc-pipeline-run-1
spec:
  pipelineRef:
    name: poc-pipeline
  serviceAccount: build-bot
  resources:
  - name: source-repo
    resourceRef:
      name: git-resource
  - name: app-image
    resourceRef:
      name: docker-image-resource

---
# This Pipeline builds two microservice images (https://github.com/GoogleContainerTools/skaffold/tree/master/examples/microservices)
# from the Skaffold repo (https://github.com/GoogleContainerTools/skaffold) and deploys them to the repo currently running Tekton Pipelines.

# **Note**: It does this using the k8s `Deployment` in the skaffold repo's existing yaml
# files, so at the moment there is no guarantee that the images that are built and
# pushed are the ones that are deployed (that would require using the digest of
# the built image, see https://github.com/tektoncd/pipeline/issues/216).

apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
  name: poc-pipeline
spec:
  resources:
  - name: source-repo
    type: git
  - name: app-image
    type: image
  tasks:
  - name: build-push-docker-from-git
    #runAfter: [skaffold-unit-tests]
    taskRef:
      name: build-push-docker-from-git-task
    params:
    - name: pathToDockerFile
      value: Dockerfile
    - name: pathToContext
      #value: /workspace/workspace/examples/microservices/leeroy-web
      value: /workspace/workspace
    resources:
      inputs:
      - name: workspace
        resource: source-repo
      outputs:
      - name: builtImage
        resource: app-image

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: github-access
  - name: basic-user-pass



On Sun, Mar 8, 2020 at 8:30 AM Jim Walters <trygg...@gmail.com> wrote:
I did get it to work in Tekton without setting up credentials on the node. That was several months ago and maybe there is an easier way now. Let me post the yamls here. Hang tight.
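
An added example, not part of the original posts: kaniko takes registry credentials from a Docker `config.json` (in `/kaniko/.docker/` by default, or the directory named by `DOCKER_CONFIG` as in the Task above), and a base-image registry with no `auths` entry there is what produces the "falling back on anonymous" message. The script writes one entry per registry and checks a Dockerfile's `FROM` lines against the file; the function names, hosts and credentials are hypothetical.

```shell
#!/bin/sh
# Added example; hosts, users and passwords are constructed placeholders.

# write_docker_config DIR HOST USER PASS [HOST USER PASS ...]
# Writes DIR/config.json with one "auths" entry per registry (pull and push).
# Assumes the host names contain no JSON-special characters.
write_docker_config() (
    umask 077    # the file holds credentials: owner-only permissions
    out=$1; shift
    mkdir -p "$out"
    {
        printf '{"auths":{'
        sep=''
        while [ "$#" -ge 3 ]; do
            auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
            printf '%s"%s":{"auth":"%s"}' "$sep" "$1" "$auth"
            sep=','; shift 3
        done
        printf '}}\n'
    } > "$out/config.json"
)

# registry_of IMAGE: the first path component names a registry only if it
# contains "." or ":" or is "localhost"; otherwise the image is on Docker Hub.
registry_of() {
    first=${1%%/*}
    case "$1" in */*)
        case "$first" in *.*|*:*|localhost) printf '%s\n' "$first"; return ;; esac ;;
    esac
    printf 'index.docker.io\n'
}

# missing_auth DOCKERFILE CONFIG: print each non-Hub registry named in a FROM
# line that has no entry in CONFIG (kaniko would pull from it anonymously).
missing_auth() {
    grep -i '^[[:space:]]*FROM[[:space:]]' "$1" |
    awk '{for (i = 2; i <= NF; i++) if ($i !~ /^--/) {print $i; break}}' |
    while read -r img; do
        reg=$(registry_of "$img")
        [ "$reg" = index.docker.io ] && continue
        grep -qF -e "\"$reg\"" -e "//$reg\"" "$2" || printf '%s\n' "$reg"
    done | sort -u
}

# Demo on constructed input: credentials exist for the push registry only.
demo=$(mktemp -d)
printf 'FROM pull.example.com/base/alpine:3.19\n' > "$demo/Dockerfile"
write_docker_config "$demo/.docker" push.example.com ci-user ci-pass
missing_auth "$demo/Dockerfile" "$demo/.docker/config.json"  # pull.example.com
rm -rf "$demo"
```

Running the check before `/kaniko/executor` lists any base-image registry that still lacks credentials; passing both the pull and the push registry to `write_docker_config` makes it print nothing.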


Thomas Reilly

Mar 9, 2020, 4:51:11 PM
to Jim Walters, kaniko...@googlegroups.com
Thanks for this info Jim - much appreciated.

I'll try and mimic in my test environment.

Tommy


Reply all
Reply to author
Forward
0 new messages