Add ability to use public GCR repos without being authenticated #1140
Conversation
Previously there was a need to import public GCR images into the local docker registry and replace the base images to use the local docker registry. This is no longer needed since Kaniko now works with public GCR images also for unauthenticated users.
samos123
changed the title
Kaniko by default used to configure the GCR credential helper however this caused Kaniko to fail when trying to use a base image from a public GCR image. This patch makes it possible to use public GCR images as base image when using docker even when you're not authenticated to GCR. Co-authored-by: Nate Williams <nate.williams@files.com>
samos123
force-pushed
the
fix-1122-public-gcr
branch
from
c452326
to
6626869
Compare
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
googlebot
added
cla: no
|
@filesnate I added you as co-author since you made the original PR and I just improved on it. If that's fine with you, please add a comment here with following message: "@googlebot I consent." Also thank you for the thorough reviews and testing to make sure it works for your use case as well. |
|
@googlebot I consent. |
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
googlebot
added
cla: yes
Thank YOU for doing the heavy lifting in the go code that I way less familiar with! |
| // Historically kaniko was pre-configured by default with gcr credential helper, | ||
| // in here we keep the backwards compatibility by enabling the GCR helper only | ||
| // when gcr.io is in one of the destinations. | ||
| if strings.Contains(destRef.RegistryStr(), "gcr.io") { |
There was a problem hiding this comment.
Can you please test to push to a public GCR repo one needs to be authenticated? My gut is mostly yes in which case this is good. If not, then we might need to add this is documentation.
It would be great if you can add tests for this function.
- You can declare 2 variables
// for testing
var (
execute = execCommad
checkRemotePushPermissions = remote.CheckPushPermission
stat = os.Stat
)
In your tests, you could create mock for these and make sure,
- when mockOsStat return
os.ErrNotExist,executeis called - when mockOsStat return nil and some random fileinfo,
executeis not called.
There was a problem hiding this comment.
I added the testing. I noticed we were already using afero in push.go and push_test.go so there wasn't a need to mock os.Stat. Thank you so much for detailed recommendations on how to test, really helpful.
There is no way to make a GCR repo pushable by the public. You can only push if you're explicitly given permission to push to a GCR repo. For reference: https://cloud.google.com/container-registry/docs/access-control or did you mean something else?
|
|
|
I just realized this will remove file
|
|
|
Apply lazy configuration of docker credential helper for GCR at run-time only when GCR is used as the destination.
Fixes #1122
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Reviewer Notes
Release Notes
Add ability to use public GCR images without being authenticated to GCR