ECR fix for 1.8.1 kaniko version

2026-06-04 18:23:50 +08:00 · 2022-04-16 16:52:42 +05:30
parent 56b0e6a779
commit 6633889f8a
14 changed files with 110 additions and 7 deletions
@@ -2,6 +2,8 @@

 Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko) to build and publish Docker images to a container registry.

+Plugin images are published with 1.6.0 as well as 1.8.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.8.1` uses 1.8.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.
+
 ## Build

 Build the binaries with the following commands:
@@ -18,6 +18,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/aws/smithy-go"
+	"github.com/hashicorp/go-version"
 	"github.com/joho/godotenv"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -33,12 +34,14 @@ const (
 	secretKeyEnv     string = "AWS_SECRET_ACCESS_KEY"
 	dockerConfigPath string = "/kaniko/.docker/config.json"
 	ecrPublicDomain  string = "public.ecr.aws"
+	kanikoVersionEnv string = "KANIKO_VERSION"

-	defaultDigestFile string = "/kaniko/digest-file"
+	oneDotEightVersion string = "1.8.0"
+	defaultDigestFile  string = "/kaniko/digest-file"
 )

 var (
-	version = "unknown"
+	pluginVersion = "unknown"
 )

 func main() {
@@ -53,7 +56,7 @@ func main() {
 	app.Name = "kaniko docker plugin"
 	app.Usage = "kaniko docker plugin"
 	app.Action = run
-	app.Version = version
+	app.Version = pluginVersion
 	app.Flags = []cli.Flag{
 		cli.StringFlag{
 			Name:   "dockerfile",
@@ -359,8 +362,16 @@ func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey,
 			}
 		}

-		dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
-		dockerConfig.SetCredHelper(registry, "ecr-login")
+		// kaniko-executor >=1.8.0 internalizes the amazon-ecr-credential-helper
+		// If the AWS_ROLE_ARN and/or AWS_WEB_IDENTITY_TOKEN_FILE environment variables are set by an instance
+		// or federation service, no access key and secret are needed.
+		// If an access key and secret are set, they override Role Identity for all ecr registries.
+		// see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence
+		// for detailed precedence
+		if isKanikoVersionBelowOneDotEight(os.Getenv(kanikoVersionEnv)) {
+			dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
+			dockerConfig.SetCredHelper(registry, "ecr-login")
+		}
 	}

 	return dockerConfig, nil
@@ -493,3 +504,16 @@ func getAuthInfo(svc *ecrv1.ECR) (username, password, registry string, err error
 func isRegistryPublic(registry string) bool {
 	return strings.HasPrefix(registry, ecrPublicDomain)
 }
+
+func isKanikoVersionBelowOneDotEight(v string) bool {
+	currVer, err := version.NewVersion(v)
+	if err != nil {
+		return true
+	}
+	oneEightVer, err := version.NewVersion(oneDotEightVersion)
+	if err != nil {
+		return true
+	}
+
+	return currVer.LessThan(oneEightVer)
+}
@@ -1,6 +1,7 @@
 package main

 import (
+	"os"
 	"reflect"
 	"testing"

@@ -32,3 +33,66 @@ func TestCreateDockerConfig(t *testing.T) {
 		t.Errorf("not equal:\n  want: %#v\n   got: %#v", want, got)
 	}
 }
+
+func TestCreateDockerConfigKanikoOneDotEight(t *testing.T) {
+	os.Setenv(kanikoVersionEnv, "1.8.1")
+	defer os.Setenv(kanikoVersionEnv, "")
+	got, err := createDockerConfig(
+		"docker-username",
+		"docker-password",
+		"access-key",
+		"secret-key",
+		"ecr-registry",
+		false,
+	)
+	if err != nil {
+		t.Error("failed to create docker config")
+	}
+
+	want := docker.NewConfig()
+	want.SetAuth(docker.RegistryV1, "docker-username", "docker-password")
+
+	if !reflect.DeepEqual(want, got) {
+		t.Errorf("not equal:\n  want: %#v\n   got: %#v", want, got)
+	}
+}
+
+func TestVersionComparison(t *testing.T) {
+	tests := []struct {
+		title    string
+		version  string
+		expected bool
+	}{
+		{
+			title:    "Kaniko 1.6.0 version",
+			version:  "1.6.0",
+			expected: true,
+		},
+		{
+			title:    "Kaniko 1.8.0 version",
+			version:  "1.8.0",
+			expected: false,
+		},
+		{
+			title:    "Kaniko 1.8.1 version",
+			version:  "1.8.1",
+			expected: false,
+		},
+		{
+			title:    "Empty kaniko version",
+			version:  "",
+			expected: true,
+		},
+		{
+			title:    "Kaniko version 1.10.0",
+			version:  "1.10.0",
+			expected: false,
+		},
+	}
+	for _, test := range tests {
+		got := isKanikoVersionBelowOneDotEight(test.version)
+		if got != test.expected {
+			t.Fatalf("test name: %s, expected: %v, got: %v", test.title, test.expected, got)
+		}
+	}
+}
@@ -1,4 +1,5 @@
 FROM gcr.io/kaniko-project/executor:v1.6.0

+ENV KANIKO_VERSION=1.6.0
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]
@@ -1,4 +1,5 @@
 FROM gcr.io/kaniko-project/executor:v1.8.1

+ENV KANIKO_VERSION=1.8.1
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]
@@ -3,5 +3,6 @@ FROM gcr.io/kaniko-project/executor:arm64-v1.6.0
 ENV HOME /root
 ENV USER root

+ENV KANIKO_VERSION=1.6.0
 ADD release/linux/arm64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]
@@ -1,4 +1,5 @@
 FROM gcr.io/kaniko-project/executor:v1.6.0

+ENV KANIKO_VERSION=1.6.0
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]
@@ -1,4 +1,5 @@
 FROM gcr.io/kaniko-project/executor:v1.8.1

+ENV KANIKO_VERSION=1.8.1
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]
@@ -2,6 +2,7 @@ FROM gcr.io/kaniko-project/executor:arm64-v1.6.0

 ENV HOME /root
 ENV USER root
+ENV KANIKO_VERSION=1.6.0

 ADD release/linux/arm64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]
@@ -1,4 +1,5 @@
 FROM gcr.io/kaniko-project/executor:v1.6.0

+ENV KANIKO_VERSION=1.6.0
 ADD release/linux/amd64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]
@@ -1,4 +1,5 @@
 FROM gcr.io/kaniko-project/executor:v1.8.1

+ENV KANIKO_VERSION=1.8.1
 ADD release/linux/amd64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]
@@ -2,6 +2,7 @@ FROM gcr.io/kaniko-project/executor:arm64-v1.6.0

 ENV HOME /root
 ENV USER root
+ENV KANIKO_VERSION=1.6.0

 ADD release/linux/arm64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]
@@ -24,12 +24,13 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.3.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.6.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d // indirect
+	github.com/hashicorp/go-version v1.4.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect
 	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect
-	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
+	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
 )

 go 1.18
@@ -33,6 +33,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/hashicorp/go-version v1.4.0 h1:aAQzgqIrRKRa7w75CKpbBxYsmUoPjzVm1W59ca1L0J4=
+github.com/hashicorp/go-version v1.4.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -69,8 +71,9 @@ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=