third/plugin-drone-kaniko-ecr
1
0
Fork 0
mirror of https://github.com/drone/drone-kaniko.git synced 2026-06-04 18:23:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: third/plugin-drone-kaniko-ecr:v1.10.1
Branches Tags
third/plugin-drone-kaniko-ecr:main third/plugin-drone-kaniko-ecr:CI-22323 third/plugin-drone-kaniko-ecr:main-patch-1 third/plugin-drone-kaniko-ecr:ci-14073 third/plugin-drone-kaniko-ecr:CI-20230-go-version-update third/plugin-drone-kaniko-ecr:CI-20230 third/plugin-drone-kaniko-ecr:CI-19670-1 third/plugin-drone-kaniko-ecr:CI-19933 third/plugin-drone-kaniko-ecr:CI-19670 third/plugin-drone-kaniko-ecr:CI-19672 third/plugin-drone-kaniko-ecr:CI-18923 third/plugin-drone-kaniko-ecr:CI-18100 third/plugin-drone-kaniko-ecr:CI-17708 third/plugin-drone-kaniko-ecr:CI-17517 third/plugin-drone-kaniko-ecr:CI-17122 third/plugin-drone-kaniko-ecr:main-patch third/plugin-drone-kaniko-ecr:harness-ci-patch third/plugin-drone-kaniko-ecr:CI-16588 third/plugin-drone-kaniko-ecr:CI-16392 third/plugin-drone-kaniko-ecr:CI-16330 third/plugin-drone-kaniko-ecr:CI-16193-fix third/plugin-drone-kaniko-ecr:CI-16193 third/plugin-drone-kaniko-ecr:CI-15946 third/plugin-drone-kaniko-ecr:CI-15370 third/plugin-drone-kaniko-ecr:CI-14845 third/plugin-drone-kaniko-ecr:CI-14242-2 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-09-20_01-08-13 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-09-13_01-07-18 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-09-06_01-05-27 third/plugin-drone-kaniko-ecr:CI-13961 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-08-30_01-05-43 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-08-23_01-04-53 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-08-16_01-05-35 third/plugin-drone-kaniko-ecr:CI-13178_go_upgrade_minor third/plugin-drone-kaniko-ecr:CI-13178_go_upgrade third/plugin-drone-kaniko-ecr:go_upgrade_1_22_42024-07-02_08-12-32 third/plugin-drone-kaniko-ecr:kaniko-flag-fix third/plugin-drone-kaniko-ecr:go_upgrade_1_22_42024-07-01_10-25-21 third/plugin-drone-kaniko-ecr:go_upgrade_1_22_42024-07-01_10-47-35 third/plugin-drone-kaniko-ecr:CI-10849 third/plugin-drone-kaniko-ecr:CI-11358 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-03-04_08-03-22 third/plugin-drone-kaniko-ecr:newargs third/plugin-drone-kaniko-ecr:addargs third/plugin-drone-kaniko-ecr:follow_next_link third/plugin-drone-kaniko-ecr:dockerignore third/plugin-drone-kaniko-ecr:fix_panic third/plugin-drone-kaniko-ecr:ci-10525 third/plugin-drone-kaniko-ecr:ci-9254 third/plugin-drone-kaniko-ecr:aman/revert third/plugin-drone-kaniko-ecr:aman/fix-drone-ver third/plugin-drone-kaniko-ecr:new third/plugin-drone-kaniko-ecr:smjt-h-patch-1 third/plugin-drone-kaniko-ecr:support_1-9-1 third/plugin-drone-kaniko-ecr:aman/rename-config third/plugin-drone-kaniko-ecr:aman/fix-config third/plugin-drone-kaniko-ecr:aman/fix-docker-plugin third/plugin-drone-kaniko-ecr:aman-fix-acr third/plugin-drone-kaniko-ecr:aman/acrInteg third/plugin-drone-kaniko-ecr:ecr_update third/plugin-drone-kaniko-ecr:fix_assume_role third/plugin-drone-kaniko-ecr:ecr_assume_role third/plugin-drone-kaniko-ecr:kaniko_ver_upgrade third/plugin-drone-kaniko-ecr:expand_repo third/plugin-drone-kaniko-ecr:rm_autotag_v1-8 third/plugin-drone-kaniko-ecr:fix_manifest_spec third/plugin-drone-kaniko-ecr:fix_drone_yml third/plugin-drone-kaniko-ecr:fix_yml third/plugin-drone-kaniko-ecr:kaniko_1-8_img third/plugin-drone-kaniko-ecr:upgrade_kaniko_ver third/plugin-drone-kaniko-ecr:custom_platform third/plugin-drone-kaniko-ecr:gcr_cred_inherit third/plugin-drone-kaniko-ecr:upgrade_go_version third/plugin-drone-kaniko-ecr:add_verbosity third/plugin-drone-kaniko-ecr:update_cache_repo third/plugin-drone-kaniko-ecr:fix_remote_cache third/plugin-drone-kaniko-ecr:remote_cache third/plugin-drone-kaniko-ecr:cache third/plugin-drone-kaniko-ecr:update_yaml third/plugin-drone-kaniko-ecr:snapshot_mode third/plugin-drone-kaniko-ecr:test_kaniko third/plugin-drone-kaniko-ecr:fix_pipeline third/plugin-drone-kaniko-ecr:improve_err third/plugin-drone-kaniko-ecr:ecr_iam third/plugin-drone-kaniko-ecr:fix_label third/plugin-drone-kaniko-ecr:fix_ecr third/plugin-drone-kaniko-ecr:fix_gcr third/plugin-drone-kaniko-ecr:v2_registry third/plugin-drone-kaniko-ecr:fix_build_script third/plugin-drone-kaniko-ecr:fix_image third/plugin-drone-kaniko-ecr:version_update
third/plugin-drone-kaniko-ecr:v1.13.7 third/plugin-drone-kaniko-ecr:v1.13.7-debug third/plugin-drone-kaniko-ecr:v1.13.6 third/plugin-drone-kaniko-ecr:v1.13.5 third/plugin-drone-kaniko-ecr:v1.13.4 third/plugin-drone-kaniko-ecr:v1.13.3 third/plugin-drone-kaniko-ecr:v1.13.2 third/plugin-drone-kaniko-ecr:v1.13.1 third/plugin-drone-kaniko-ecr:v1.13.0 third/plugin-drone-kaniko-ecr:v1.12.0 third/plugin-drone-kaniko-ecr:v1.11.5 third/plugin-drone-kaniko-ecr:v1.11.5-debug-1 third/plugin-drone-kaniko-ecr:v1.11.5-debug third/plugin-drone-kaniko-ecr:v1.11.4 third/plugin-drone-kaniko-ecr:v1.11.3 third/plugin-drone-kaniko-ecr:v1.11.3-debug third/plugin-drone-kaniko-ecr:v1.11.2 third/plugin-drone-kaniko-ecr:v1.11.2-debug third/plugin-drone-kaniko-ecr:v1.11.1 third/plugin-drone-kaniko-ecr:v1.11.1-debug3 third/plugin-drone-kaniko-ecr:v1.11.1-debug third/plugin-drone-kaniko-ecr:v1.11.0 third/plugin-drone-kaniko-ecr:v1.11.0-debug third/plugin-drone-kaniko-ecr:v1.10.9 third/plugin-drone-kaniko-ecr:v1.10.8 third/plugin-drone-kaniko-ecr:v1.10.8-debug third/plugin-drone-kaniko-ecr:v1.10.7 third/plugin-drone-kaniko-ecr:v1.10.7-debug third/plugin-drone-kaniko-ecr:v1.10.6 third/plugin-drone-kaniko-ecr:v1.10.6-debug third/plugin-drone-kaniko-ecr:v1.10.5 third/plugin-drone-kaniko-ecr:v1.10.4 third/plugin-drone-kaniko-ecr:v1.10.3 third/plugin-drone-kaniko-ecr:v1.10.2 third/plugin-drone-kaniko-ecr:v1.10.1 third/plugin-drone-kaniko-ecr:v1.10.0-debug third/plugin-drone-kaniko-ecr:v1.10.0 third/plugin-drone-kaniko-ecr:v1.9.0 third/plugin-drone-kaniko-ecr:v1.8.10 third/plugin-drone-kaniko-ecr:v1.8.9 third/plugin-drone-kaniko-ecr:v1.8.8 third/plugin-drone-kaniko-ecr:1.8.7 third/plugin-drone-kaniko-ecr:v1.8.6 third/plugin-drone-kaniko-ecr:v1.8.5 third/plugin-drone-kaniko-ecr:v1.8.4 third/plugin-drone-kaniko-ecr:v1.8.3 third/plugin-drone-kaniko-ecr:v1.8.2 third/plugin-drone-kaniko-ecr:v1.8.0 third/plugin-drone-kaniko-ecr:v1.8.1 third/plugin-drone-kaniko-ecr:v1.7.5 third/plugin-drone-kaniko-ecr:v1.7.4 third/plugin-drone-kaniko-ecr:v1.7.3 third/plugin-drone-kaniko-ecr:v1.7.2 third/plugin-drone-kaniko-ecr:1.7.2 third/plugin-drone-kaniko-ecr:v1.7.1 third/plugin-drone-kaniko-ecr:v1.7.0 third/plugin-drone-kaniko-ecr:v1.6.11 third/plugin-drone-kaniko-ecr:v1.6.10 third/plugin-drone-kaniko-ecr:v1.6.9 third/plugin-drone-kaniko-ecr:v1.6.8 third/plugin-drone-kaniko-ecr:v1.6.7 third/plugin-drone-kaniko-ecr:v1.6.6 third/plugin-drone-kaniko-ecr:v1.6.5 third/plugin-drone-kaniko-ecr:v1.6.4 third/plugin-drone-kaniko-ecr:v1.6.3 third/plugin-drone-kaniko-ecr:v1.6.2 third/plugin-drone-kaniko-ecr:v1.6.1 third/plugin-drone-kaniko-ecr:v1.6.0 third/plugin-drone-kaniko-ecr:v1.5.1 third/plugin-drone-kaniko-ecr:v1.5.0 third/plugin-drone-kaniko-ecr:v1.4.5 third/plugin-drone-kaniko-ecr:v1.4.4 third/plugin-drone-kaniko-ecr:v1.4.3 third/plugin-drone-kaniko-ecr:v1.4.2 third/plugin-drone-kaniko-ecr:v1.4.1 third/plugin-drone-kaniko-ecr:v1.4.0 third/plugin-drone-kaniko-ecr:v1.3.1 third/plugin-drone-kaniko-ecr:v1.3.0 third/plugin-drone-kaniko-ecr:v1.2.0 third/plugin-drone-kaniko-ecr:v1.1.2 third/plugin-drone-kaniko-ecr:v1.1.1 third/plugin-drone-kaniko-ecr:v1.1.0 third/plugin-drone-kaniko-ecr:v1.0.0
...
compare: third/plugin-drone-kaniko-ecr:main
Branches Tags
third/plugin-drone-kaniko-ecr:main third/plugin-drone-kaniko-ecr:CI-22323 third/plugin-drone-kaniko-ecr:main-patch-1 third/plugin-drone-kaniko-ecr:ci-14073 third/plugin-drone-kaniko-ecr:CI-20230-go-version-update third/plugin-drone-kaniko-ecr:CI-20230 third/plugin-drone-kaniko-ecr:CI-19670-1 third/plugin-drone-kaniko-ecr:CI-19933 third/plugin-drone-kaniko-ecr:CI-19670 third/plugin-drone-kaniko-ecr:CI-19672 third/plugin-drone-kaniko-ecr:CI-18923 third/plugin-drone-kaniko-ecr:CI-18100 third/plugin-drone-kaniko-ecr:CI-17708 third/plugin-drone-kaniko-ecr:CI-17517 third/plugin-drone-kaniko-ecr:CI-17122 third/plugin-drone-kaniko-ecr:main-patch third/plugin-drone-kaniko-ecr:harness-ci-patch third/plugin-drone-kaniko-ecr:CI-16588 third/plugin-drone-kaniko-ecr:CI-16392 third/plugin-drone-kaniko-ecr:CI-16330 third/plugin-drone-kaniko-ecr:CI-16193-fix third/plugin-drone-kaniko-ecr:CI-16193 third/plugin-drone-kaniko-ecr:CI-15946 third/plugin-drone-kaniko-ecr:CI-15370 third/plugin-drone-kaniko-ecr:CI-14845 third/plugin-drone-kaniko-ecr:CI-14242-2 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-09-20_01-08-13 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-09-13_01-07-18 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-09-06_01-05-27 third/plugin-drone-kaniko-ecr:CI-13961 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-08-30_01-05-43 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-08-23_01-04-53 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-08-16_01-05-35 third/plugin-drone-kaniko-ecr:CI-13178_go_upgrade_minor third/plugin-drone-kaniko-ecr:CI-13178_go_upgrade third/plugin-drone-kaniko-ecr:go_upgrade_1_22_42024-07-02_08-12-32 third/plugin-drone-kaniko-ecr:kaniko-flag-fix third/plugin-drone-kaniko-ecr:go_upgrade_1_22_42024-07-01_10-25-21 third/plugin-drone-kaniko-ecr:go_upgrade_1_22_42024-07-01_10-47-35 third/plugin-drone-kaniko-ecr:CI-10849 third/plugin-drone-kaniko-ecr:CI-11358 third/plugin-drone-kaniko-ecr:scheduled_go_upgrade2024-03-04_08-03-22 third/plugin-drone-kaniko-ecr:newargs third/plugin-drone-kaniko-ecr:addargs third/plugin-drone-kaniko-ecr:follow_next_link third/plugin-drone-kaniko-ecr:dockerignore third/plugin-drone-kaniko-ecr:fix_panic third/plugin-drone-kaniko-ecr:ci-10525 third/plugin-drone-kaniko-ecr:ci-9254 third/plugin-drone-kaniko-ecr:aman/revert third/plugin-drone-kaniko-ecr:aman/fix-drone-ver third/plugin-drone-kaniko-ecr:new third/plugin-drone-kaniko-ecr:smjt-h-patch-1 third/plugin-drone-kaniko-ecr:support_1-9-1 third/plugin-drone-kaniko-ecr:aman/rename-config third/plugin-drone-kaniko-ecr:aman/fix-config third/plugin-drone-kaniko-ecr:aman/fix-docker-plugin third/plugin-drone-kaniko-ecr:aman-fix-acr third/plugin-drone-kaniko-ecr:aman/acrInteg third/plugin-drone-kaniko-ecr:ecr_update third/plugin-drone-kaniko-ecr:fix_assume_role third/plugin-drone-kaniko-ecr:ecr_assume_role third/plugin-drone-kaniko-ecr:kaniko_ver_upgrade third/plugin-drone-kaniko-ecr:expand_repo third/plugin-drone-kaniko-ecr:rm_autotag_v1-8 third/plugin-drone-kaniko-ecr:fix_manifest_spec third/plugin-drone-kaniko-ecr:fix_drone_yml third/plugin-drone-kaniko-ecr:fix_yml third/plugin-drone-kaniko-ecr:kaniko_1-8_img third/plugin-drone-kaniko-ecr:upgrade_kaniko_ver third/plugin-drone-kaniko-ecr:custom_platform third/plugin-drone-kaniko-ecr:gcr_cred_inherit third/plugin-drone-kaniko-ecr:upgrade_go_version third/plugin-drone-kaniko-ecr:add_verbosity third/plugin-drone-kaniko-ecr:update_cache_repo third/plugin-drone-kaniko-ecr:fix_remote_cache third/plugin-drone-kaniko-ecr:remote_cache third/plugin-drone-kaniko-ecr:cache third/plugin-drone-kaniko-ecr:update_yaml third/plugin-drone-kaniko-ecr:snapshot_mode third/plugin-drone-kaniko-ecr:test_kaniko third/plugin-drone-kaniko-ecr:fix_pipeline third/plugin-drone-kaniko-ecr:improve_err third/plugin-drone-kaniko-ecr:ecr_iam third/plugin-drone-kaniko-ecr:fix_label third/plugin-drone-kaniko-ecr:fix_ecr third/plugin-drone-kaniko-ecr:fix_gcr third/plugin-drone-kaniko-ecr:v2_registry third/plugin-drone-kaniko-ecr:fix_build_script third/plugin-drone-kaniko-ecr:fix_image third/plugin-drone-kaniko-ecr:version_update
third/plugin-drone-kaniko-ecr:v1.13.7 third/plugin-drone-kaniko-ecr:v1.13.7-debug third/plugin-drone-kaniko-ecr:v1.13.6 third/plugin-drone-kaniko-ecr:v1.13.5 third/plugin-drone-kaniko-ecr:v1.13.4 third/plugin-drone-kaniko-ecr:v1.13.3 third/plugin-drone-kaniko-ecr:v1.13.2 third/plugin-drone-kaniko-ecr:v1.13.1 third/plugin-drone-kaniko-ecr:v1.13.0 third/plugin-drone-kaniko-ecr:v1.12.0 third/plugin-drone-kaniko-ecr:v1.11.5 third/plugin-drone-kaniko-ecr:v1.11.5-debug-1 third/plugin-drone-kaniko-ecr:v1.11.5-debug third/plugin-drone-kaniko-ecr:v1.11.4 third/plugin-drone-kaniko-ecr:v1.11.3 third/plugin-drone-kaniko-ecr:v1.11.3-debug third/plugin-drone-kaniko-ecr:v1.11.2 third/plugin-drone-kaniko-ecr:v1.11.2-debug third/plugin-drone-kaniko-ecr:v1.11.1 third/plugin-drone-kaniko-ecr:v1.11.1-debug3 third/plugin-drone-kaniko-ecr:v1.11.1-debug third/plugin-drone-kaniko-ecr:v1.11.0 third/plugin-drone-kaniko-ecr:v1.11.0-debug third/plugin-drone-kaniko-ecr:v1.10.9 third/plugin-drone-kaniko-ecr:v1.10.8 third/plugin-drone-kaniko-ecr:v1.10.8-debug third/plugin-drone-kaniko-ecr:v1.10.7 third/plugin-drone-kaniko-ecr:v1.10.7-debug third/plugin-drone-kaniko-ecr:v1.10.6 third/plugin-drone-kaniko-ecr:v1.10.6-debug third/plugin-drone-kaniko-ecr:v1.10.5 third/plugin-drone-kaniko-ecr:v1.10.4 third/plugin-drone-kaniko-ecr:v1.10.3 third/plugin-drone-kaniko-ecr:v1.10.2 third/plugin-drone-kaniko-ecr:v1.10.1 third/plugin-drone-kaniko-ecr:v1.10.0-debug third/plugin-drone-kaniko-ecr:v1.10.0 third/plugin-drone-kaniko-ecr:v1.9.0 third/plugin-drone-kaniko-ecr:v1.8.10 third/plugin-drone-kaniko-ecr:v1.8.9 third/plugin-drone-kaniko-ecr:v1.8.8 third/plugin-drone-kaniko-ecr:1.8.7 third/plugin-drone-kaniko-ecr:v1.8.6 third/plugin-drone-kaniko-ecr:v1.8.5 third/plugin-drone-kaniko-ecr:v1.8.4 third/plugin-drone-kaniko-ecr:v1.8.3 third/plugin-drone-kaniko-ecr:v1.8.2 third/plugin-drone-kaniko-ecr:v1.8.0 third/plugin-drone-kaniko-ecr:v1.8.1 third/plugin-drone-kaniko-ecr:v1.7.5 third/plugin-drone-kaniko-ecr:v1.7.4 third/plugin-drone-kaniko-ecr:v1.7.3 third/plugin-drone-kaniko-ecr:v1.7.2 third/plugin-drone-kaniko-ecr:1.7.2 third/plugin-drone-kaniko-ecr:v1.7.1 third/plugin-drone-kaniko-ecr:v1.7.0 third/plugin-drone-kaniko-ecr:v1.6.11 third/plugin-drone-kaniko-ecr:v1.6.10 third/plugin-drone-kaniko-ecr:v1.6.9 third/plugin-drone-kaniko-ecr:v1.6.8 third/plugin-drone-kaniko-ecr:v1.6.7 third/plugin-drone-kaniko-ecr:v1.6.6 third/plugin-drone-kaniko-ecr:v1.6.5 third/plugin-drone-kaniko-ecr:v1.6.4 third/plugin-drone-kaniko-ecr:v1.6.3 third/plugin-drone-kaniko-ecr:v1.6.2 third/plugin-drone-kaniko-ecr:v1.6.1 third/plugin-drone-kaniko-ecr:v1.6.0 third/plugin-drone-kaniko-ecr:v1.5.1 third/plugin-drone-kaniko-ecr:v1.5.0 third/plugin-drone-kaniko-ecr:v1.4.5 third/plugin-drone-kaniko-ecr:v1.4.4 third/plugin-drone-kaniko-ecr:v1.4.3 third/plugin-drone-kaniko-ecr:v1.4.2 third/plugin-drone-kaniko-ecr:v1.4.1 third/plugin-drone-kaniko-ecr:v1.4.0 third/plugin-drone-kaniko-ecr:v1.3.1 third/plugin-drone-kaniko-ecr:v1.3.0 third/plugin-drone-kaniko-ecr:v1.2.0 third/plugin-drone-kaniko-ecr:v1.1.2 third/plugin-drone-kaniko-ecr:v1.1.1 third/plugin-drone-kaniko-ecr:v1.1.0 third/plugin-drone-kaniko-ecr:v1.0.0

32 Commits
v1.10.1 ... main

Author SHA1 Message Date
Devansh Mathur 9e87be9c9a fix: [CI-22323]: Adding PLUGIN_ prefix for ACR vars. (#168) 2026-04-28 17:40:42 +05:30
Abhijeet ede8cf05b0 Update pipeline drone-kaniko-harness 2026-04-09 15:56:02 +05:30
Abhijeet 21a336ca17 Clone pipeline drone-kaniko-harness 2026-04-07 15:52:54 +05:30
ebtasam-faridy 7639ab9f70 Update pipeline drone-kaniko-harness (#166) 2026-03-18 16:59:47 +05:30
ebtasam-faridy 1cd7da5451 fix: [CI-21411] updating docker cli version to remove vulnerability (#165) 2026-03-18 16:34:40 +05:30
ebtasam-faridy 16758bd8cc fix: [CI-20436] adding fallback in case of del con (#164) 
* fix: [CI-20436] adding fallback in case of del con

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] reverting some changes
 2026-02-07 12:55:04 +05:30
Chirag S dd3c29c971 fix: [CI-14073]: Print absolute lookup path incase dockerfile not present (#163) 2026-01-29 14:01:55 +05:30
tapankarangiya c06fde824e fix: [CI-20230]: Updated go version (#160) 2026-01-20 18:03:38 +05:30
tapankarangiya 5bbe6ba026 Update pipeline drone-kaniko-harness (#161) 2026-01-20 13:43:16 +05:30
Abhay 9491e6b36f fix: [CI-19670]: fix vulnerabilty fron kaniko (#159) 
* fix: [CI-19670]: fix vulnerabilty fron kaniko

* Update docker/gcr/Dockerfile.linux.amd64

* Update docker/gcr/Dockerfile.linux.arm64

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>
 2025-11-26 11:39:40 +05:30
OP (oppenheimer) 594f1e2f23 fix: Consolidate platform flags to use --custom-platform and eliminate deprecation warning (#158) 2025-11-21 11:25:52 +05:30
Abhay b6428af23d fix: [CI-19672]: fix vuln issue (#155) 2025-11-14 14:27:41 +05:30
tapankarangiya f83970e37a feat: [CI-19349]: Added oidc support for ACR (#154) 
* feat: [CI-18693]: Added oidc support for ACR

* feat: [CI-19349]: error handling

* feat: [CI-19349]: Refactored the code and added cli flags

* feat: [CI-19349]: Added test cases

* Update cmd/kaniko-acr/main.go

* Update cmd/kaniko-acr/main.go

* Update cmd/kaniko-acr/main.go

* feat: [CI-19349]: changed the variable names

* feat: [CI-18693]: Added error handling

* feat: [CI-19349]: removed redundant code

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>
 2025-10-23 12:25:13 +05:30
Satya a1d07a3262 fix: [CI-18923]: Build argument getting split if it has a comma in the value (#153) 
* added the PLUGIN_MULTIPLE_BUILD_ARGS for all registries

* added the tests and README
 2025-09-15 19:04:48 +05:30
Raghav ae33ce93b8 feat: [CI-17953]: Add warning if base image connector is not provided (#152) 
* [CI-17953]: Add warning if base image connector is not provided

* [CI-17953]: Add warning if base image connector is not provided

* [CI-17953]: Add warning if base image connector is not provided
 2025-07-09 16:03:56 +05:30
OP (oppenheimer) a8c364c9e7 update kaniko-executor base image to 1.25.0 from chaingaurds maintained fork (#150) 2025-07-03 19:14:28 +05:30
OP (oppenheimer) a879280371 push-only support to Kaniko ACR (#148) 2025-06-03 22:17:47 +05:30
OP (oppenheimer) 809fadc203 feat: [CI-17517]: Add push-only support for Kaniko-GAR (#147) 
* Add push-only support to Kaniko-GAR

* Refactor GAR authentication and crane push to use Application Default Credentials

* Add robust GAR authentication with Docker config and crane options

* GAR authentication setup and remove redundant logging statements
 2025-05-13 21:30:09 +05:30
ompragash.viswanathan@harness.io 87ca9fe1b7 Update pipeline drone-kaniko-harness 2025-05-12 20:38:33 +05:30
OP (oppenheimer) a091f2ad04 ECR auth for push-only operation + code refactoring (#144) 2025-04-25 18:11:30 +05:30
OP (oppenheimer) af2add0aa5 Update pipeline drone-kaniko-harness (#143) 2025-04-09 19:24:48 +05:30
OP (oppenheimer) 58bd727c07 feat: [CI-16588]: Add support to PLUGIN_TAR_PATH, PLUGIN_SOURCE_TAR_PATH and PLUGIN_PUSH_ONLY to kaniko-ecr (#141) 
* Add support for tar-path, source-tar-path and push-only operations

* Updated cmd/kaniko-ecr/main.go

* Updated cmd/kaniko-ecr/main.go

* Update cmd/kaniko-ecr/main.go
 2025-03-24 21:31:18 +05:30
ci-reporunner a73b8ee28d Update pipeline drone-kaniko-harness (#142) 
Co-authored-by: ompragash.viswanathan@harness.io <ompragash.viswanathan@harness.io>
 2025-03-20 19:10:13 +05:30
OP (oppenheimer) b826c7f408 feat: [CI-16392]: Authenticate And Pull Private Base Images when NO_PUSH is enabled (#140) 2025-03-06 20:32:35 +05:30
ci-reporunner e56198f84c Create pipeline drone-kaniko-harness (#136) 2025-03-04 19:18:44 +05:30
Devansh Mathur d6153866df feat: [CI-16330]: Adding default OutputFile as DRONE_OUTPUT. (#139) 
* Adding default OutputFile as DRONE_OUTPUT.

* Removing if checks and optimizing setting up of default OutputFile as DRONE_OUTPUT.
 2025-03-03 18:05:21 +05:30
OP (oppenheimer) 30e1ea9fd8 Update main.go (#138) 2025-02-07 14:28:32 +05:30
OP (oppenheimer) 0fb726616e feat: [CI-16193]: Support multiple ignore paths (#137) 
* add new input ignore_paths to accept multiple values

* Support new input ignore_paths to all the supported versions of Kaniko
 2025-02-07 11:46:23 +05:30
OP (oppenheimer) 334f6191d1 Add Push-only support to Kaniko (Docker) (#135) 2024-12-20 11:17:28 +05:30
sahithibanda01 a3af953651 fix: [CI-14845]: support for build args which has comma seperated values (#133) 2024-11-29 13:12:39 +05:30
Anshika Anand e6ab8aa3c0 feat:[CI-15236]: Added IMAGE_TAR_PATH as output variable for the plugin. (#132) 
* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Test commit.

* feat:[CI-15236]: Test commit.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Directory check and UTs.

* Update pkg/output/output.go

* feat:[CI-15236]: fixes

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: If tarPath directory no present it will create it.

* feat:[CI-15236]: If tarPath directory no present it will create it.

* feat:[CI-15236]: fixes

* Update kaniko.go

removed as getTarPath is only called when tarPath isn't empty

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>
 2024-11-28 18:31:10 +05:30
Abhay 113a61b0e1 feat: [Ci-14242]: add oidc support for ecr (#131) 
* feat: [Ci-14242]: add oidc support for ecr

* fix: [CI-14242]: error handling for oidc kakniko-ecr
 2024-10-17 01:51:09 +05:30
36 changed files with 5151 additions and 245 deletions
Expand all files Collapse all files
.harness/eventPR.yaml
+14
View File
@@ -0,0 +1,14 @@
inputSet:
name: event-PR
identifier: eventPR
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: PR
spec:
number: <+trigger.prNumber>
.harness/eventPush.yaml
+14
View File
@@ -0,0 +1,14 @@
inputSet:
name: event-Push
identifier: eventPush
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: branch
spec:
branch: <+trigger.branch>
.harness/eventTag.yaml
+14
View File
@@ -0,0 +1,14 @@
inputSet:
name: event-Tag
identifier: eventTag
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: tag
spec:
tag: <+trigger.tag>
.harness/harness.yaml
+1327
View File
File diff suppressed because it is too large Load Diff
.harness/orgs/default/projects/Drone_Plugins/pipelines/dronekanikoharness_Clone.yaml
+658
View File
@@ -0,0 +1,658 @@
pipeline:
projectIdentifier: Drone_Plugins
orgIdentifier: default
tags: {}
properties:
ci:
codebase:
connectorRef: GitHub_Drone_Org
repoName: drone-kaniko
build: <+input>
sparseCheckout: []
stages:
- parallel:
- stage:
name: linux-amd64
identifier: linuxamd64
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Amd64
runtime:
type: Cloud
spec: {}
execution:
steps:
- step:
type: Run
name: Build Binary
identifier: Build
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: golang:1.25.7
shell: Sh
command: |-
go test ./...
sh scripts/build.sh
- parallel:
- step:
type: Plugin
name: BuildAndPushDockerTag
identifier: BuildAndPushDockerTag
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
auto_tag: "true"
auto_tag_suffix: linux-amd64
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- -gcr
- -gar
- -ecr
- -acr
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: -gcr
repo: docker
- image: -gcr
repo: gar
- image: -gcr
repo: ecr
- image: -gcr
repo: acr
- image: -gar
repo: docker
- image: -gar
repo: gcr
- image: -gar
repo: ecr
- image: -gar
repo: acr
- image: -ecr
repo: docker
- image: -ecr
repo: gcr
- image: -ecr
repo: gar
- image: -ecr
repo: acr
- image: -acr
repo: docker
- image: -acr
repo: gcr
- image: -acr
repo: gar
- image: -acr
repo: ecr
nodeName: _<+matrix.repo>
- step:
type: Plugin
name: BuildAndPushDockerTag_Kaniko
identifier: BuildAndPushDockerTag_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
auto_tag: "true"
auto_tag_suffix: linux-amd64-kaniko1.9.1
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- -gcr
- -gar
- -ecr
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: -gcr
repo: docker
- image: -gcr
repo: gar
- image: -gcr
repo: ecr
- image: -gar
repo: docker
- image: -gar
repo: gcr
- image: -gar
repo: ecr
- image: -ecr
repo: docker
- image: -ecr
repo: gcr
- image: -ecr
repo: gar
nodeName: <+matrix.repo>
- parallel:
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch
identifier: BuildAndPushDockerBranch
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-amd64
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- -gcr
- -gar
- -ecr
- -acr
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: -gcr
repo: docker
- image: -gcr
repo: gar
- image: -gcr
repo: ecr
- image: -gcr
repo: acr
- image: -gar
repo: docker
- image: -gar
repo: gcr
- image: -gar
repo: ecr
- image: -gar
repo: acr
- image: -ecr
repo: docker
- image: -ecr
repo: gcr
- image: -ecr
repo: gar
- image: -ecr
repo: acr
- image: -acr
repo: docker
- image: -acr
repo: gcr
- image: -acr
repo: gar
- image: -acr
repo: ecr
nodeName: <+matrix.repo>
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch_Kaniko
identifier: BuildAndPushDockerBranch_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-amd64-kaniko1.9.1
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- -gcr
- -gar
- -ecr
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: -gcr
repo: docker
- image: -gcr
repo: gar
- image: -gcr
repo: ecr
- image: -gar
repo: docker
- image: -gar
repo: gcr
- image: -gar
repo: ecr
- image: -ecr
repo: docker
- image: -ecr
repo: gcr
- image: -ecr
repo: gar
nodeName: _<+matrix.repo>
when:
pipelineStatus: Success
- stage:
name: linux-arm64
identifier: linuxarm64
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Arm64
runtime:
type: Cloud
spec: {}
execution:
steps:
- step:
type: Run
name: Build Binary
identifier: Build_and_Test
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: golang:1.25.7
shell: Sh
command: |-
go test ./...
sh scripts/build.sh
- parallel:
- step:
type: Plugin
name: BuildAndPushDockerTag
identifier: BuildAndPushDockerTag
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
auto_tag: "true"
auto_tag_suffix: linux-arm64
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- -gcr
- -gar
- -ecr
- -acr
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: -gcr
repo: docker
- image: -gcr
repo: gar
- image: -gcr
repo: ecr
- image: -gcr
repo: acr
- image: -gar
repo: docker
- image: -gar
repo: gcr
- image: -gar
repo: ecr
- image: -gar
repo: acr
- image: -ecr
repo: docker
- image: -ecr
repo: gcr
- image: -ecr
repo: gar
- image: -ecr
repo: acr
- image: -acr
repo: docker
- image: -acr
repo: gcr
- image: -acr
repo: gar
- image: -acr
repo: ecr
nodeName: _<+matrix.repo>
- step:
type: Plugin
name: BuildAndPushDockerTag_Kaniko
identifier: BuildAndPushDockerTag_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
auto_tag: "true"
auto_tag_suffix: linux-arm64-kaniko1.9.1
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- -gcr
- -gar
- -ecr
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: -gcr
repo: docker
- image: -gcr
repo: gar
- image: -gcr
repo: ecr
- image: -gar
repo: docker
- image: -gar
repo: gcr
- image: -gar
repo: ecr
- image: -ecr
repo: docker
- image: -ecr
repo: gcr
- image: -ecr
repo: gar
nodeName: _<+matrix.repo>
- parallel:
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch
identifier: BuildAndPushDockerBranch
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-arm64
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- -gcr
- -gar
- -ecr
- -acr
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: -gcr
repo: docker
- image: -gcr
repo: gar
- image: -gcr
repo: ecr
- image: -gcr
repo: acr
- image: -gar
repo: docker
- image: -gar
repo: gcr
- image: -gar
repo: ecr
- image: -gar
repo: acr
- image: -ecr
repo: docker
- image: -ecr
repo: gcr
- image: -ecr
repo: gar
- image: -ecr
repo: acr
- image: -acr
repo: docker
- image: -acr
repo: gcr
- image: -acr
repo: gar
- image: -acr
repo: ecr
nodeName: <+matrix.repo>
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch_Kaniko
identifier: BuildAndPushDockerBranch_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-arm64-kaniko1.9.1
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- -gcr
- -gar
- -ecr
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: -gcr
repo: docker
- image: -gcr
repo: gar
- image: -gcr
repo: ecr
- image: -gar
repo: docker
- image: -gar
repo: gcr
- image: -gar
repo: ecr
- image: -ecr
repo: docker
- image: -ecr
repo: gcr
- image: -ecr
repo: gar
nodeName: _<+matrix.repo>
when:
pipelineStatus: Success
- stage:
name: Manifest
identifier: Manifest
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Amd64
runtime:
type: Cloud
spec: {}
execution:
steps:
- parallel:
- step:
type: Plugin
name: Manifest
identifier: Manifest
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/manifest
settings:
auto_tag: "true"
spec: docker/<+matrix.repo>/manifest.tmpl
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
ignore_missing: "true"
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch" || <+codebase.build.type>
== "tag"
strategy:
matrix:
repo:
- docker
- gcr
- gar
- ecr
- acr
nodeName: manifest_<+matrix.repo>
- step:
type: Plugin
name: Manifest_kaniko191
identifier: Manifest_kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/manifest
settings:
auto_tag: "false"
spec: docker/<+matrix.repo>/manifest-kaniko1.9.1.tmpl
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
ignore_missing: "true"
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch" || <+codebase.build.type>
== "tag"
strategy:
matrix:
repo:
- docker
- gcr
- gar
- ecr
nodeName: manifest_<+matrix.repo>
when:
pipelineStatus: Success
allowStageExecutions: true
identifier: dronekanikoharness_Clone
name: drone-kaniko-harness - Clone
README.md
+73 -2
View File
@@ -5,6 +5,7 @@ Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko
Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.
Run the following script to install git-leaks support to this repo.
```
chmod +x ./git-hooks/install.sh
./git-hooks/install.sh
@@ -35,7 +36,7 @@ docker build \
--label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
--file docker/docker/Dockerfile.linux.amd64 --tag plugins/kaniko .
docker build \
--label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
@@ -52,7 +53,73 @@ docker build \
--file docker/ecr/Dockerfile.linux.amd64 --tag plugins/kaniko-ecr .
```
### Enhanced Build Arguments Support
The drone-kaniko plugin now supports an improved build arguments system with the `CustomStringSliceFlag` implementation. This feature provides a more flexible way to pass multiple build arguments to your Docker builds.
#### Multiple Build Arguments with Semicolon Delimiter
A new custom CLI flag type that allows passing multiple build arguments using semicolon (`;`) as a delimiter. This flag is available across all registry implementations:
- `kaniko-docker`
- `kaniko-gcr` (Google Container Registry)
- `kaniko-ecr` (Amazon Elastic Container Registry)
- `kaniko-acr` (Azure Container Registry)
- `kaniko-gar` (Google Artifact Registry)
**Usage:**
```console
docker run --rm \
-e PLUGIN_BUILD_ARGS_NEW="ARG1=value1;ARG2=value2;ARG3=value3" \
-e PLUGIN_REPO=foo/bar \
-v $(pwd):/drone \
-w /drone \
plugins/kaniko:linux-amd64
```
#### For build args containing commas
When your build arguments contain commas, enable the `PLUGIN_MULTIPLE_BUILD_ARGS` flag:
```console
docker run --rm \
-e PLUGIN_MULTIPLE_BUILD_ARGS=true \
-e PLUGIN_BUILD_ARGS_NEW="KEY1=value,with,comma;KEY2=another,value" \
-e PLUGIN_REPO=foo/bar \
-v $(pwd):/drone \
-w /drone \
plugins/kaniko:linux-amd64
```
## Usage
### Operation Modes
Default Mode (Build and Push):
When neither `no_push` nor `push_only` is provided. Plugin builds and pushes the Docker image to a container registry.
Build-Only Mode (no-push):
When `no_push` is true and `destination_tar_path` is defined.
Plugin performs only the image build operation and saves the resulting image tarball to the specified `destination_tar_path`
It does not push the image to any registry.
Push-Only Mode (push-only):
When `push_only` is true and `source_tar_path` is defined.
Plugin loads an existing image tarball from the specified `source_tar_path`
and pushes the loaded image to a Container Registry.
It skips the build process.
### Mutually Exclusive Inputs
If both `no_push` and `push_only` inputs are provided, the plugin will:
Terminate the operation and
throw an error with the message: "Inputs no-push and push-only cannot be used together. Please define only one."
### Manual Tagging
```console
@@ -79,6 +146,7 @@ docker run --rm \
-w /drone \
plugins/kaniko:linux-amd64
```
would both be equivalent to
```
@@ -88,7 +156,7 @@ PLUGIN_TAGS=1,1.2,1.2.3,latest
This allows for passing `$DRONE_TAG` directly as a tag for repos that use [semver](https://semver.org) tags.
To avoid confusion between repo tags and image tags, `PLUGIN_EXPAND_TAG` also recognizes a semantic version
without the `v` prefix. As such, the following is also equivalent to the above:
without the `v` prefix. As such, the following is also equivalent to the above:
```console
docker run --rm \
@@ -100,6 +168,7 @@ docker run --rm \
```
### Auto Tagging
The [auto tag feature](https://plugins.drone.io/drone-plugins/drone-docker) of docker plugin is also supported.
When auto tagging is enabled, if any of the case is matched below, a docker build will be pushed with auto generated tags. Otherwise the docker build will be skipped.
@@ -121,6 +190,7 @@ docker run --rm \
```
Tags to push:
- 1.2.3
- 1.2
- 1
@@ -141,4 +211,5 @@ docker run --rm \
```
Tags to push:
- latest
cmd/kaniko-acr/main.go
+278 -45
View File
@@ -13,13 +13,17 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/crane"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
kaniko "github.com/drone/drone-kaniko"
azureutil "github.com/drone/drone-kaniko/internal/azure"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
)
const (
@@ -96,6 +100,17 @@ func main() {
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
cli.BoolFlag{
Name: "plugin-multiple-build-agrs",
Usage: "plugin multiple build agrs",
EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",
Usage: "build target",
@@ -144,27 +159,37 @@ func main() {
cli.StringFlag{
Name: "client-secret",
Usage: "Azure client secret",
EnvVar: "CLIENT_SECRET",
EnvVar: "CLIENT_SECRET,PLUGIN_CLIENT_SECRET",
},
cli.StringFlag{
Name: "client-cert",
Usage: "Azure client certificate encoded in base64 format",
EnvVar: "CLIENT_CERTIFICATE",
EnvVar: "CLIENT_CERTIFICATE,PLUGIN_CLIENT_CERTIFICATE",
},
cli.StringFlag{
Name: "tenant-id",
Usage: "Azure Tenant Id",
EnvVar: "TENANT_ID",
EnvVar: "TENANT_ID,AZURE_TENANT_ID,PLUGIN_TENANT_ID",
},
cli.StringFlag{
Name: "subscription-id",
Usage: "Azure Subscription Id",
EnvVar: "SUBSCRIPTION_ID",
EnvVar: "SUBSCRIPTION_ID,PLUGIN_SUBSCRIPTION_ID",
},
cli.StringFlag{
Name: "client-id",
Usage: "Azure Client Id",
EnvVar: "CLIENT_ID",
Usage: "Azure Client ID (also called App ID)",
EnvVar: "CLIENT_ID,AZURE_CLIENT_ID,PLUGIN_CLIENT_ID,AZURE_APP_ID",
},
cli.StringFlag{
Name: "oidc-token-id",
Usage: "OIDC ID token to exchange for Azure AD access token (federated credentials)",
EnvVar: "PLUGIN_OIDC_TOKEN_ID",
},
cli.StringFlag{
Name: "azure-authority-host",
Usage: "Azure authority host base URL (e.g., https://login.microsoftonline.com, https://login.microsoftonline.us)",
EnvVar: "AZURE_AUTHORITY_HOST",
},
cli.StringFlag{
Name: "snapshot-mode",
@@ -206,6 +231,21 @@ func main() {
Usage: "Set this flag if you only want to build the image, without pushing to a registry",
EnvVar: "PLUGIN_NO_PUSH",
},
cli.BoolFlag{
Name: "push-only",
Usage: "Set this flag if you only want to push a pre-built image from a tarball",
EnvVar: "PLUGIN_PUSH_ONLY",
},
cli.StringFlag{
Name: "source-tar-path",
Usage: "Path to the local tarball to be pushed when push-only is set",
EnvVar: "PLUGIN_SOURCE_TAR_PATH",
},
cli.StringFlag{
Name: "tar-path",
Usage: "Set this flag to save the image as a tarball at path",
EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
},
cli.StringFlag{
Name: "verbosity",
Usage: "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -214,7 +254,7 @@ func main() {
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
EnvVar: "PLUGIN_PLATFORM,PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
@@ -252,11 +292,6 @@ func main() {
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
@@ -380,12 +415,25 @@ func main() {
}
func run(c *cli.Context) error {
// Check if push-only flag is set
if c.Bool("push-only") {
return handlePushOnly(c)
}
registry := c.String("registry")
noPush := c.Bool("no-push")
publicUrl, err := setupAuth(
c.String("tenant-id"),
c.String("client-id"),
clientID := c.String("client-id")
tenantID := c.String("tenant-id")
oidcIdToken := c.String("oidc-token-id")
authorityHost := c.String("azure-authority-host")
var publicUrl string
var err error
publicUrl, err = setupAuth(
tenantID,
clientID,
oidcIdToken,
c.String("client-cert"),
c.String("client-secret"),
c.String("subscription-id"),
@@ -393,6 +441,7 @@ func run(c *cli.Context) error {
c.String("base-image-username"),
c.String("base-image-password"),
c.String("base-image-registry"),
authorityHost,
noPush,
)
if err != nil {
@@ -410,6 +459,8 @@ func run(c *cli.Context) error {
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
ArgsNew: c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
IsMultipleBuildArgs: c.Bool("plugin-multiple-build-agrs"),
Target: c.String("target"),
Repo: c.String("repo"),
Mirrors: c.StringSlice("registry-mirrors"),
@@ -421,14 +472,13 @@ func run(c *cli.Context) error {
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
CustomPlatform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
@@ -451,6 +501,7 @@ func run(c *cli.Context) error {
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
},
@@ -470,43 +521,123 @@ func run(c *cli.Context) error {
flag := c.Bool("ignore-var-run")
plugin.Build.IgnoreVarRun = &flag
}
// Set tar-path if provided
if c.IsSet("tar-path") {
plugin.Build.TarPath = c.String("tar-path")
}
return plugin.Exec()
}
func setupAuth(tenantId, clientId, cert,
clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry string, noPush bool) (string, error) {
func setupAuth(tenantId, clientId, oidcIdToken, cert,
clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry, authorityHost string, noPush bool) (string, error) {
if registry == "" {
return "", fmt.Errorf("registry must be specified")
}
var aadAccessToken string
var acrToken string
var publicUrl string
var err error
if oidcIdToken != "" {
// OIDC authentication flow requires tenantId and clientId
if tenantId == "" || clientId == "" {
if noPush {
logrus.Warnf("NO_PUSH mode: tenantId or clientId not provided for OIDC")
return "", nil
}
return "", fmt.Errorf("tenantId and clientId must be provided for OIDC authentication")
}
logrus.Debug("Using OIDC authentication flow")
// Exchange OIDC ID token for AAD access token via client_assertion
aadAccessToken, err = azureutil.GetAADAccessTokenViaClientAssertion(context.Background(), tenantId, clientId, oidcIdToken, authorityHost)
if err != nil {
return handleError(noPush, err, "failed to get AAD token via OIDC")
}
publicUrl, err = getPublicUrl(aadAccessToken, registry, subscriptionId)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
}
// Exchange AAD access token to ACR refresh token
acrToken, err = fetchACRToken(tenantId, aadAccessToken, registry)
if err != nil {
return handleError(noPush, err, "failed to fetch ACR token")
}
} else {
logrus.Debug("Using traditional Azure AD authentication flow")
// Validate that if tenantId is provided, clientId must also be provided
// (unless using managed identity with no explicit tenantId)
if tenantId != "" && clientId == "" && clientSecret == "" && cert == "" {
if noPush {
logrus.Warnf("NO_PUSH mode: tenantId provided but clientId is missing")
return "", nil
}
return "", fmt.Errorf("tenantId and clientId must be provided")
}
acrToken, publicUrl, err = getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
if err != nil {
return handleError(noPush, err, "failed to fetch ACR Token")
}
}
if err := setDockerAuth(username, acrToken, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
return handleError(noPush, err, "failed to create docker config")
}
return publicUrl, nil
}
// Error handling
func handleError(noPush bool, err error, msg string) (string, error) {
if noPush {
logrus.Warnf("NO_PUSH mode: %s: %v", msg, err)
return "", nil
}
// case of client secret or cert based auth
if clientId != "" {
// only setup auth when pushing or credentials are defined
token, publicUrl, err := getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
if err != nil {
return "", errors.Wrap(err, "failed to fetch ACR Token")
}
// setup docker config for azure registry and base image docker registry
if err := setDockerAuth(username, token, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
return "", errors.Wrap(err, "failed to create docker config")
}
return publicUrl, nil
} else {
return "", fmt.Errorf("managed authentication is not supported")
}
return "", errors.Wrap(err, msg)
}
func getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry string) (string, string, error) {
// Handle managed identity (when no clientSecret or cert provided)
if clientSecret == "" && cert == "" {
if tenantId == "" {
tenantId = os.Getenv("AZURE_TENANT_ID")
if tenantId == "" {
tenantId = os.Getenv("TENANT_ID")
}
}
opts := &azidentity.DefaultAzureCredentialOptions{}
if tenantId != "" {
opts.TenantID = tenantId
}
cred, err := azidentity.NewDefaultAzureCredential(opts)
if err != nil {
return "", "", errors.Wrap(err, "failed to get credentials")
}
policy := policy.TokenRequestOptions{
Scopes: []string{"https://management.azure.com/.default"},
}
azToken, err := cred.GetToken(context.Background(), policy)
if err != nil {
return "", "", errors.Wrap(err, "failed to fetch access token")
}
publicUrl, err := getPublicUrl(azToken.Token, registry, subscriptionId)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
}
if tenantId == "" {
return "", "", fmt.Errorf("tenantId cannot be empty for ACR token exchange")
}
ACRToken, err := fetchACRToken(tenantId, azToken.Token, registry)
if err != nil {
return "", "", errors.Wrap(err, "failed to fetch ACR token")
}
return ACRToken, publicUrl, nil
}
if tenantId == "" {
return "", "", fmt.Errorf("tenantId can't be empty for AAD authentication")
}
if clientId == "" {
return "", "", fmt.Errorf("clientId can't be empty for AAD authentication")
}
@@ -675,21 +806,123 @@ func setDockerAuth(username, password, registry, dockerUsername, dockerPassword,
Password: password,
}
pullFromRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
credentials := []docker.RegistryCredentials{pushToRegistryCreds}
if dockerRegistry != "" {
pullFromRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
}
credentials = append(credentials, pullFromRegistryCreds)
} else {
fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
}
credentials := []docker.RegistryCredentials{pushToRegistryCreds, pullFromRegistryCreds}
return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
}
func encodeParam(s string) string {
return url.QueryEscape(s)
}
func handlePushOnly(c *cli.Context) error {
// Validate inputs for push-only operation
sourceTarPath := c.String("source-tar-path")
if sourceTarPath == "" {
return fmt.Errorf("source_tar_path is required when push_only is set")
}
if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
}
repo := c.String("repo")
registry := c.String("registry")
if repo == "" || registry == "" {
return fmt.Errorf("repository and registry must be specified for push-only operation")
}
// Resolve Azure client/tenant and OIDC via CLI flags
clientID := c.String("client-id")
tenantID := c.String("tenant-id")
oidcIdToken := c.String("oidc-token-id")
authorityHost := c.String("azure-authority-host")
var publicUrl string
var err error
publicUrl, err = setupAuth(
tenantID,
clientID,
oidcIdToken,
c.String("client-cert"),
c.String("client-secret"),
c.String("subscription-id"),
registry,
c.String("base-image-username"),
c.String("base-image-password"),
c.String("base-image-registry"),
authorityHost,
false,
)
if err != nil {
return err
}
// Load the image from the tarball
logrus.Infof("Loading image from tarball: %s", sourceTarPath)
img, err := crane.Load(sourceTarPath)
if err != nil {
return fmt.Errorf("failed to load image from tarball: %v", err)
}
// Check if the Docker config directory exists (should have been created by setupAuth)
if _, err := os.Stat(dockerConfigPath); os.IsNotExist(err) {
return fmt.Errorf("Docker config directory does not exist: %v", err)
} else if err != nil {
return fmt.Errorf("error checking Docker config directory: %v", err)
}
// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
if err := os.Setenv("DOCKER_CONFIG", dockerConfigPath); err != nil {
return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
}
// Setup crane options
opts := []crane.Option{
crane.WithAuthFromKeychain(authn.DefaultKeychain),
}
// Push for each tag
tags := c.StringSlice("tags")
if len(tags) == 0 {
tags = []string{"latest"}
}
// Use the registry from setupAuth if publicUrl is available, otherwise use the provided registry
pushRegistry := registry
if publicUrl != "" {
logrus.Infof("Using public URL for pushing: %s", publicUrl)
// Extract just the registry part from the full URL if needed
// This depends on the format of publicUrl, adjust parsing as needed
pushRegistry = publicUrl
}
for _, tag := range tags {
dest := fmt.Sprintf("%s/%s:%s", pushRegistry, repo, tag)
logrus.Infof("Pushing image to: %s", dest)
if err := crane.Push(img, dest, opts...); err != nil {
return fmt.Errorf("failed to push image to %s: %v", dest, err)
}
logrus.Infof("Successfully pushed image to %s", dest)
}
return nil
}
type strct struct {
Value []struct {
ID string `json:"id"`
cmd/kaniko-acr/main_test.go
+283 -1
View File
@@ -9,7 +9,9 @@ import (
"testing"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
"github.com/stretchr/testify/assert"
"github.com/urfave/cli"
)
const (
@@ -153,4 +155,284 @@ func TestCreateDockerConfigWithoutBaseRegistry(t *testing.T) {
// Check if the public Docker Hub auth is not set
_, exists := config.Auths[""]
assert.False(t, exists)
}
}
func TestCustomStringSliceFlagIntegration(t *testing.T) {
tests := []struct {
name string
input string
expected []string
}{
{
name: "single build arg",
input: "ARG1=value1",
expected: []string{"ARG1=value1"},
},
{
name: "multiple build args with semicolon",
input: "ARG1=value1;ARG2=value2;ARG3=value3",
expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
},
{
name: "build args with spaces",
input: "ARG1=value with spaces;ARG2=another value",
expected: []string{"ARG1=value with spaces", "ARG2=another value"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Test the CustomStringSliceFlag directly
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.input)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
result := flag.GetValue()
if len(result) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
return
}
for i, expected := range tt.expected {
if result[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
}
}
})
}
}
func TestCLIIntegrationWithCustomFlag(t *testing.T) {
// Test CLI integration with proper flag setup
tests := []struct {
name string
args []string
expected []string
}{
{
name: "CLI with single arg",
args: []string{"acr-test", "--args-new", "ARG1=value1"},
expected: []string{"ARG1=value1"},
},
{
name: "CLI with multiple args",
args: []string{"acr-test", "--args-new", "ARG1=value1;ARG2=value2"},
expected: []string{"ARG1=value1", "ARG2=value2"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
app := cli.NewApp()
app.Name = "acr-test"
var capturedArgs []string
app.Flags = []cli.Flag{
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
}
app.Action = func(c *cli.Context) error {
if genericFlag := c.Generic("args-new"); genericFlag != nil {
if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
capturedArgs = customFlag.GetValue()
}
}
return nil
}
err := app.Run(tt.args)
if err != nil {
t.Errorf("CLI run error = %v, want nil", err)
return
}
if len(capturedArgs) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
return
}
for i, expected := range tt.expected {
if capturedArgs[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
}
}
})
}
}
func TestACRBuildArgsProcessing(t *testing.T) {
// Test that build args are correctly processed in the context of ACR plugin
tests := []struct {
name string
argsNew string
expectedCount int
expectedFirst string
}{
{
name: "docker build args format",
argsNew: "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
expectedCount: 3,
expectedFirst: "GOOS=linux",
},
{
name: "azure specific args",
argsNew: "AZURE_TENANT_ID=tenant123;AZURE_CLIENT_ID=client456",
expectedCount: 2,
expectedFirst: "AZURE_TENANT_ID=tenant123",
},
{
name: "single complex arg with special characters",
argsNew: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
expectedCount: 1,
expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.argsNew)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
args := flag.GetValue()
if len(args) != tt.expectedCount {
t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
return
}
if len(args) > 0 && args[0] != tt.expectedFirst {
t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
}
})
}
}
func TestACRAuthenticationFlow(t *testing.T) {
// Test that ACR authentication works with build args
tests := []struct {
name string
tenantId string
clientId string
clientSecret string
expectError bool
}{
{
name: "missing tenant id",
tenantId: "",
clientId: "client123",
clientSecret: "secret456",
expectError: true,
},
{
name: "missing client id",
tenantId: "tenant123",
clientId: "",
clientSecret: "secret456",
expectError: true,
},
{
name: "missing client secret",
tenantId: "tenant123",
clientId: "client456",
clientSecret: "",
expectError: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// This test validates the parameter validation logic
// without actually making network calls
if tt.tenantId == "" && !tt.expectError {
t.Error("Expected error for missing tenant ID")
}
if tt.clientId == "" && !tt.expectError {
t.Error("Expected error for missing client ID")
}
if tt.clientSecret == "" && !tt.expectError {
t.Error("Expected error for missing client secret")
}
})
}
}
func TestSetupAuth_RegistryMustBeSpecified(t *testing.T) {
pub, err := setupAuth("tenant", "client", "", "", "", "sub", "", "", "", "", "", false)
assert.Error(t, err)
assert.Contains(t, err.Error(), "registry must be specified")
assert.Equal(t, "", pub)
}
func TestSetupAuth_MissingTenantOrClient(t *testing.T) {
pub, err := setupAuth("tenant", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", false)
assert.Error(t, err)
assert.Contains(t, err.Error(), "tenantId and clientId must be provided")
assert.Equal(t, "", pub)
}
func TestSetupAuth_NoCreds_NoPushTrue(t *testing.T) {
pub, err := setupAuth("tenant", "client", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", true)
assert.NoError(t, err)
assert.Equal(t, "", pub)
}
// Test cases for managed identity support
func TestSetupAuth_ManagedIdentity_NoPush_Positive(t *testing.T) {
// Positive test: Managed identity flow with noPush=true should succeed
// This tests the new managed identity support when no credentials are provided
pub, err := setupAuth("tenant123", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", true)
assert.NoError(t, err)
assert.Equal(t, "", pub)
}
func TestSetupAuth_TenantIdButNoClientId_ManagedIdentity(t *testing.T) {
// Negative test: When tenantId is provided but clientId is missing for managed identity,
// it should fail (unless noPush is true)
pub, err := setupAuth("tenant123", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", false)
assert.Error(t, err)
assert.Contains(t, err.Error(), "tenantId and clientId must be provided")
assert.Equal(t, "", pub)
}
func TestGetACRToken_ManagedIdentity_NoTenantId(t *testing.T) {
// Negative test: Managed identity requires tenantId for ACR token exchange
// Clear environment variables to ensure tenantId is not available
originalTenantId := os.Getenv("AZURE_TENANT_ID")
originalTenantId2 := os.Getenv("TENANT_ID")
defer func() {
if originalTenantId != "" {
os.Setenv("AZURE_TENANT_ID", originalTenantId)
} else {
os.Unsetenv("AZURE_TENANT_ID")
}
if originalTenantId2 != "" {
os.Setenv("TENANT_ID", originalTenantId2)
} else {
os.Unsetenv("TENANT_ID")
}
}()
os.Unsetenv("AZURE_TENANT_ID")
os.Unsetenv("TENANT_ID")
// Managed identity path without tenantId should fail
// The failure occurs when DefaultAzureCredential tries to acquire a token
// since tenantId is required for ACR token exchange but not available
_, _, err := getACRToken("sub", "", "", "", "", "myregistry.azurecr.io")
assert.Error(t, err)
// The error will be from DefaultAzureCredential failing to acquire a token
// because tenantId is missing and no credentials are available
assert.Contains(t, err.Error(), "failed to fetch access token")
}
cmd/kaniko-docker/main.go
+40 -9
View File
@@ -1,6 +1,7 @@
package main
import (
"fmt"
"os"
"strings"
@@ -12,6 +13,7 @@ import (
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
)
const (
@@ -101,6 +103,17 @@ func main() {
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
cli.BoolFlag{
Name: "plugin-multiple-build-agrs",
Usage: "plugin multiple build agrs",
EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",
Usage: "build target",
@@ -190,7 +203,7 @@ func main() {
cli.StringFlag{
Name: "tar-path",
Usage: "Set this flag to save the image as a tarball at path",
EnvVar: "PLUGIN_TAR_PATH",
EnvVar: "PLUGIN_TAR_PATH, PLUGIN_DESTINATION_TAR_PATH",
},
cli.StringFlag{
Name: "verbosity",
@@ -200,7 +213,7 @@ func main() {
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
EnvVar: "PLUGIN_PLATFORM,PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
@@ -238,16 +251,12 @@ func main() {
Usage: "Enable or disable compressed caching.",
EnvVar: "PLUGIN_COMPRESSED_CACHING",
},
cli.StringFlag{
Name: "context-sub-path",
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
@@ -353,6 +362,11 @@ func main() {
Usage: "Path to ignore during the build.",
EnvVar: "PLUGIN_IGNORE_PATH",
},
cli.StringSliceFlag{
Name: "ignore-paths",
Usage: "Path to ignore during the build.",
EnvVar: "PLUGIN_IGNORE_PATHS",
},
cli.IntFlag{
Name: "image-fs-extract-retry",
Usage: "Number of retries for extracting filesystem layers.",
@@ -363,6 +377,16 @@ func main() {
Usage: "Number of retries for downloading base images.",
EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
},
cli.StringFlag{
Name: "source-tar-path",
Usage: "Set this flag for the source tarball during push operations.",
EnvVar: "PLUGIN_SOURCE_TAR_PATH",
},
cli.BoolFlag{
Name: "push-only",
Usage: "Specify if the operation is push-only",
EnvVar: "PLUGIN_PUSH_ONLY",
},
}
if err := app.Run(os.Args); err != nil {
@@ -405,6 +429,8 @@ func run(c *cli.Context) error {
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
ArgsNew: c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
IsMultipleBuildArgs: c.Bool("plugin-multiple-build-agrs"),
Target: c.String("target"),
Repo: buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
Mirrors: c.StringSlice("registry-mirrors"),
@@ -418,14 +444,14 @@ func run(c *cli.Context) error {
NoPush: noPush,
TarPath: c.String("tar-path"),
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
CustomPlatform: c.String("platform"),
PushOnly: c.Bool("push-only"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
@@ -446,8 +472,10 @@ func run(c *cli.Context) error {
SkipPushPermissionCheck: c.Bool("skip-push-permission-check"),
SkipTLSVerifyPull: c.Bool("skip-tls-verify-pull"),
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
SourceTarPath: c.String("source-tar-path"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
@@ -490,6 +518,9 @@ func setDockerAuth(username, password, registry, baseImageUsername, baseImagePas
Password: baseImagePassword,
}
credentials = append(credentials, pullFromRegistryCreds)
} else {
fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
}
// Creates docker config for both the regustries used for authentication
return dockerConfig.CreateDockerConfig(credentials, dockerPath)
cmd/kaniko-docker/main_test.go
+222
View File
@@ -6,6 +6,8 @@ import (
"testing"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
"github.com/urfave/cli"
)
func Test_buildRepo(t *testing.T) {
@@ -42,6 +44,226 @@ func Test_buildRepo(t *testing.T) {
}
}
func TestCustomStringSliceFlagIntegration(t *testing.T) {
tests := []struct {
name string
input string
expected []string
}{
{
name: "single build arg",
input: "ARG1=value1",
expected: []string{"ARG1=value1"},
},
{
name: "multiple build args with semicolon",
input: "ARG1=value1;ARG2=value2;ARG3=value3",
expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
},
{
name: "build args with spaces",
input: "ARG1=value with spaces;ARG2=another value",
expected: []string{"ARG1=value with spaces", "ARG2=another value"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Test the CustomStringSliceFlag directly
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.input)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
result := flag.GetValue()
if len(result) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
return
}
for i, expected := range tt.expected {
if result[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
}
}
})
}
}
func TestCLIIntegrationWithCustomFlag(t *testing.T) {
// Test CLI integration with proper flag setup
tests := []struct {
name string
args []string
expected []string
}{
{
name: "CLI with single arg",
args: []string{"docker-test", "--args-new", "ARG1=value1"},
expected: []string{"ARG1=value1"},
},
{
name: "CLI with multiple args",
args: []string{"docker-test", "--args-new", "ARG1=value1;ARG2=value2"},
expected: []string{"ARG1=value1", "ARG2=value2"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
app := cli.NewApp()
app.Name = "docker-test"
var capturedArgs []string
app.Flags = []cli.Flag{
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
}
app.Action = func(c *cli.Context) error {
if genericFlag := c.Generic("args-new"); genericFlag != nil {
if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
capturedArgs = customFlag.GetValue()
}
}
return nil
}
err := app.Run(tt.args)
if err != nil {
t.Errorf("CLI run error = %v, want nil", err)
return
}
if len(capturedArgs) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
return
}
for i, expected := range tt.expected {
if capturedArgs[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
}
}
})
}
}
func TestDockerBuildArgsProcessing(t *testing.T) {
// Test that build args are correctly processed in the context of Docker plugin
tests := []struct {
name string
argsNew string
expectedCount int
expectedFirst string
}{
{
name: "docker build args format",
argsNew: "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
expectedCount: 3,
expectedFirst: "GOOS=linux",
},
{
name: "single complex arg with special characters",
argsNew: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
expectedCount: 1,
expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
},
{
name: "args with equals and semicolons",
argsNew: "API_URL=https://api.example.com;DEBUG=true;VERSION=1.0.0",
expectedCount: 3,
expectedFirst: "API_URL=https://api.example.com",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.argsNew)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
args := flag.GetValue()
if len(args) != tt.expectedCount {
t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
return
}
if len(args) > 0 && args[0] != tt.expectedFirst {
t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
}
})
}
}
func TestPlatformEnvVarMapping(t *testing.T) {
tests := []struct {
name string
envVar string
envValue string
expectedValue string
}{
{
name: "PLUGIN_PLATFORM env var",
envVar: "PLUGIN_PLATFORM",
envValue: "linux/amd64",
expectedValue: "linux/amd64",
},
{
name: "PLUGIN_CUSTOM_PLATFORM env var",
envVar: "PLUGIN_CUSTOM_PLATFORM",
envValue: "linux/arm64",
expectedValue: "linux/arm64",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Set the environment variable
os.Setenv(tt.envVar, tt.envValue)
defer os.Unsetenv(tt.envVar)
app := cli.NewApp()
app.Name = "kaniko-docker-test"
var capturedPlatform string
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host",
EnvVar: "PLUGIN_PLATFORM,PLUGIN_CUSTOM_PLATFORM",
},
}
app.Action = func(c *cli.Context) error {
capturedPlatform = c.String("platform")
return nil
}
err := app.Run([]string{"kaniko-docker-test"})
if err != nil {
t.Errorf("CLI run error = %v, want nil", err)
return
}
if capturedPlatform != tt.expectedValue {
t.Errorf("Got platform = %v, want %v", capturedPlatform, tt.expectedValue)
}
})
}
}
func TestCreateDockerConfig(t *testing.T) {
config := docker.NewConfig()
tempDir, err := ioutil.TempDir("", "docker-config-test")
cmd/kaniko-ecr/main.go
+242 -10
View File
@@ -7,16 +7,19 @@ import (
"io/ioutil"
"os"
"strings"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/ecr"
"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
awsv1 "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
ecrpublicv1 "github.com/aws/aws-sdk-go/service/ecrpublic"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/aws/smithy-go"
"github.com/hashicorp/go-version"
"github.com/joho/godotenv"
@@ -27,6 +30,9 @@ import (
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/crane"
)
const (
@@ -35,6 +41,7 @@ const (
secretKeyEnv string = "AWS_SECRET_ACCESS_KEY"
ecrPublicDomain string = "public.ecr.aws"
kanikoVersionEnv string = "KANIKO_VERSION"
sessionKeyEnv string = "AWS_SESSION_TOKEN"
oneDotEightVersion string = "1.8.0"
defaultDigestFile string = "/kaniko/digest-file"
@@ -122,6 +129,17 @@ func main() {
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
cli.BoolFlag{
Name: "plugin-multiple-build-agrs",
Usage: "plugin multiple build agrs",
EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",
Usage: "build target",
@@ -226,7 +244,7 @@ func main() {
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
EnvVar: "PLUGIN_PLATFORM,PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
@@ -264,11 +282,6 @@ func main() {
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
@@ -384,6 +397,26 @@ func main() {
Usage: "Number of retries for downloading base images.",
EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
},
cli.StringFlag{
Name: "oidc-token-id",
Usage: "OIDC token for assuming role via web identity",
EnvVar: "PLUGIN_OIDC_TOKEN_ID",
},
cli.StringFlag{
Name: "tar-path",
Usage: "Set this flag to save the image as a tarball at path",
EnvVar: "PLUGIN_TAR_PATH, PLUGIN_DESTINATION_TAR_PATH",
},
cli.StringFlag{
Name: "source-tar-path",
Usage: "Set this flag for the source tarball during push operations.",
EnvVar: "PLUGIN_SOURCE_TAR_PATH",
},
cli.BoolFlag{
Name: "push-only",
Usage: "Specify if the operation is push-only",
EnvVar: "PLUGIN_PUSH_ONLY",
},
}
if err := app.Run(os.Args); err != nil {
@@ -396,8 +429,20 @@ func run(c *cli.Context) error {
registry := c.String("registry")
region := c.String("region")
noPush := c.Bool("no-push")
pushOnly := c.Bool("push-only")
assumeRole := c.String("assume-role")
externalId := c.String("external-id")
oidcToken := c.String("oidc-token-id")
// Validate flags
if noPush && pushOnly {
return fmt.Errorf("no-push and push-only flags cannot be used together")
}
// Handle push-only operation
if pushOnly {
return handlePushOnly(c)
}
// setup docker config for azure registry and base image docker registry
err := setDockerAuth(
@@ -411,6 +456,7 @@ func run(c *cli.Context) error {
externalId,
region,
noPush,
oidcToken,
)
if err != nil {
return errors.Wrap(err, "failed to create docker config")
@@ -454,6 +500,8 @@ func run(c *cli.Context) error {
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
ArgsNew: c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
IsMultipleBuildArgs: c.Bool("plugin-multiple-build-agrs"),
Target: c.String("target"),
Repo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
@@ -465,14 +513,13 @@ func run(c *cli.Context) error {
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
CustomPlatform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
@@ -495,8 +542,12 @@ func run(c *cli.Context) error {
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
TarPath: c.String("tar-path"),
SourceTarPath: c.String("source-tar-path"),
PushOnly: c.Bool("push-only"),
},
Artifact: kaniko.Artifact{
Tags: c.StringSlice("tags"),
@@ -518,7 +569,7 @@ func run(c *cli.Context) error {
}
func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, secretKey,
registry, assumeRole, externalId, region string, noPush bool) error {
registry, assumeRole, externalId, region string, noPush bool, oidcToken string) error {
dockerConfig := docker.NewConfig()
credentials := []docker.RegistryCredentials{}
// set docker credentials for base image registry
@@ -529,9 +580,29 @@ func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, se
Password: dockerPassword,
}
credentials = append(credentials, pullFromRegistryCreds)
} else {
fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
}
if assumeRole != "" {
if assumeRole != "" && oidcToken != "" {
oidcAccessKey, oidcSecretKey, oidcSessionKey, err := getOidcCreds(oidcToken, assumeRole)
if err != nil {
return err
}
_ = os.Setenv(accessKeyEnv, oidcAccessKey)
_ = os.Setenv(secretKeyEnv, oidcSecretKey)
_ = os.Setenv(sessionKeyEnv, oidcSessionKey)
// kaniko-executor >=1.8.0 does not require additional cred helper logic for ECR,
// as it discovers ECR repositories automatically and acts accordingly.
if isKanikoVersionBelowOneDotEight(os.Getenv(kanikoVersionEnv)) {
dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
dockerConfig.SetCredHelper(registry, "ecr-login")
}
} else if assumeRole != "" {
var err error
username, password, registry, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
if err != nil {
@@ -771,3 +842,164 @@ func isKanikoVersionBelowOneDotEight(v string) bool {
return currVer.LessThan(oneEightVer)
}
func getOidcCreds(oidcToken, assumeRole string) (string, string, string, error) {
// Create a new session
sess, err := session.NewSession()
if err != nil {
return "", "", "", fmt.Errorf("failed to create AWS session: %w", err)
}
// Create a new STS client
svc := sts.New(sess)
// Prepare the input parameters for the STS call
duration := int64(time.Hour / time.Second)
input := &sts.AssumeRoleWithWebIdentityInput{
RoleArn: aws.String(assumeRole),
RoleSessionName: aws.String("kaniko-ecr-oidc"),
WebIdentityToken: aws.String(oidcToken),
DurationSeconds: aws.Int64(duration),
}
// Call the AssumeRoleWithWebIdentity function
result, err := svc.AssumeRoleWithWebIdentity(input)
if err != nil {
return "", "", "", fmt.Errorf("failed to assume role with web identity: %w", err)
}
// Check if credentials exist in the result
if result.Credentials == nil {
return "", "", "", errors.New("no credentials returned by AssumeRoleWithWebIdentity")
}
// Return the credentials
return *result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken, nil
}
func createECRSession(region, accessKey, secretKey, sessionToken string) *ecrv1.ECR {
sess := session.Must(session.NewSession(&awsv1.Config{
Region: awsv1.String(region),
Credentials: credentials.NewStaticCredentials(
accessKey,
secretKey,
sessionToken,
),
}))
return ecrv1.New(sess)
}
func getECRCredentials(region, registry, assumeRole, externalId, accessKey, secretKey, oidcToken string) (string, string, error) {
if assumeRole != "" && oidcToken != "" {
// For OIDC auth with assume role
awsAccessKey, awsSecretKey, awsSessionToken, err := getOidcCreds(oidcToken, assumeRole)
if err != nil {
return "", "", fmt.Errorf("failed to get OIDC credentials: %w", err)
}
// Create ECR session and get auth info
svc := createECRSession(region, awsAccessKey, awsSecretKey, awsSessionToken)
username, password, _, err := getAuthInfo(svc)
if err != nil {
return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
}
return username, password, nil
} else if assumeRole != "" {
// For assume role auth
username, password, _, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
if err != nil {
return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
}
return username, password, nil
} else if accessKey != "" && secretKey != "" {
// For direct credentials
sess := session.Must(session.NewSession(&awsv1.Config{
Region: awsv1.String(region),
Credentials: credentials.NewStaticCredentials(
accessKey,
secretKey,
"",
),
}))
svc := ecrv1.New(sess)
username, password, _, err := getAuthInfo(svc)
if err != nil {
return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
}
return username, password, nil
} else {
// For IAM role auth (default credentials)
sess := session.Must(session.NewSession(&awsv1.Config{
Region: awsv1.String(region),
}))
svc := ecrv1.New(sess)
username, password, _, err := getAuthInfo(svc)
if err != nil {
return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
}
return username, password, nil
}
}
func handlePushOnly(c *cli.Context) error {
sourceTarPath := c.String("source-tar-path")
if sourceTarPath == "" {
return fmt.Errorf("source_tar_path is required when push_only is set")
}
if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
}
repo := c.String("repo")
registry := c.String("registry")
if repo == "" || registry == "" {
return fmt.Errorf("repository and registry must be specified for push-only operation")
}
// Load the image from the tarball
img, err := crane.Load(sourceTarPath)
if err != nil {
return fmt.Errorf("failed to load image from tarball: %v", err)
}
// Get ECR credentials using the common function
username, password, err := getECRCredentials(
c.String("region"),
registry,
c.String("assume-role"),
c.String("external-id"),
c.String("access-key"),
c.String("secret-key"),
c.String("oidc-token-id"),
)
if err != nil {
return err
}
// Setup crane auth
opts := []crane.Option{
crane.WithAuth(&authn.Basic{
Username: username,
Password: password,
}),
}
// Push for each tag
tags := c.StringSlice("tags")
if len(tags) == 0 {
tags = []string{"latest"}
}
for _, tag := range tags {
dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
if err := crane.Push(img, dest, opts...); err != nil {
return fmt.Errorf("failed to push image to %s: %v", dest, err)
}
fmt.Printf("Successfully pushed image to %s\n", dest)
}
return nil
}
cmd/kaniko-ecr/main_test.go
+165 -1
View File
@@ -7,7 +7,9 @@ import (
"testing"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
"github.com/stretchr/testify/assert"
"github.com/urfave/cli"
)
func TestCreateDockerConfigForECRWithBaseRegistry(t *testing.T) {
@@ -42,4 +44,166 @@ func TestCreateDockerConfigForECRWithBaseRegistry(t *testing.T) {
expectedDockerAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(dockerUsername + ":" + dockerPassword))}
assert.Equal(t, expectedDockerAuth, config.Auths[dockerRegistry])
}
}
func TestCustomStringSliceFlagIntegration(t *testing.T) {
tests := []struct {
name string
input string
expected []string
}{
{
name: "single build arg",
input: "ARG1=value1",
expected: []string{"ARG1=value1"},
},
{
name: "multiple build args with semicolon",
input: "ARG1=value1;ARG2=value2;ARG3=value3",
expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
},
{
name: "build args with spaces",
input: "ARG1=value with spaces;ARG2=another value",
expected: []string{"ARG1=value with spaces", "ARG2=another value"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Test the CustomStringSliceFlag directly
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.input)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
result := flag.GetValue()
if len(result) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
return
}
for i, expected := range tt.expected {
if result[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
}
}
})
}
}
func TestCLIIntegrationWithCustomFlag(t *testing.T) {
// Test CLI integration with proper flag setup
tests := []struct {
name string
args []string
expected []string
}{
{
name: "CLI with single arg",
args: []string{"ecr-test", "--args-new", "ARG1=value1"},
expected: []string{"ARG1=value1"},
},
{
name: "CLI with multiple args",
args: []string{"ecr-test", "--args-new", "ARG1=value1;ARG2=value2"},
expected: []string{"ARG1=value1", "ARG2=value2"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
app := cli.NewApp()
app.Name = "ecr-test"
var capturedArgs []string
app.Flags = []cli.Flag{
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
}
app.Action = func(c *cli.Context) error {
if genericFlag := c.Generic("args-new"); genericFlag != nil {
if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
capturedArgs = customFlag.GetValue()
}
}
return nil
}
err := app.Run(tt.args)
if err != nil {
t.Errorf("CLI run error = %v, want nil", err)
return
}
if len(capturedArgs) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
return
}
for i, expected := range tt.expected {
if capturedArgs[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
}
}
})
}
}
func TestECRBuildArgsProcessing(t *testing.T) {
// Test that build args are correctly processed in the context of ECR plugin
tests := []struct {
name string
argsNew string
expectedCount int
expectedFirst string
}{
{
name: "docker build args format",
argsNew: "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
expectedCount: 3,
expectedFirst: "GOOS=linux",
},
{
name: "aws specific args",
argsNew: "AWS_REGION=us-west-2;AWS_ACCOUNT_ID=123456789012",
expectedCount: 2,
expectedFirst: "AWS_REGION=us-west-2",
},
{
name: "single complex arg with special characters",
argsNew: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
expectedCount: 1,
expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.argsNew)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
args := flag.GetValue()
if len(args) != tt.expectedCount {
t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
return
}
if len(args) > 0 && args[0] != tt.expectedFirst {
t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
}
})
}
}
cmd/kaniko-gar/main.go
+163 -12
View File
@@ -1,9 +1,12 @@
package main
import (
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"github.com/joho/godotenv"
"github.com/pkg/errors"
@@ -13,13 +16,17 @@ import (
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/crane"
"github.com/drone/drone-kaniko/pkg/utils"
)
const (
dockerConfigPath string = "/kaniko/.docker"
// GAR JSON key file path
garKeyPath string = "/kaniko/config.json"
garEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
garKeyPath string = "/kaniko/config.json"
garEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
defaultDigestFile string = "/kaniko/digest-file"
)
@@ -91,6 +98,17 @@ func main() {
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
cli.BoolFlag{
Name: "plugin-multiple-build-agrs",
Usage: "plugin multiple build agrs",
EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",
Usage: "build target",
@@ -166,6 +184,21 @@ func main() {
Usage: "Set this flag if you only want to build the image, without pushing to a registry",
EnvVar: "PLUGIN_NO_PUSH",
},
cli.BoolFlag{
Name: "push-only",
Usage: "Set this flag if you only want to push a pre-built image from a tarball",
EnvVar: "PLUGIN_PUSH_ONLY",
},
cli.StringFlag{
Name: "source-tar-path",
Usage: "Path to the local tarball to be pushed when push-only is set",
EnvVar: "PLUGIN_SOURCE_TAR_PATH",
},
cli.StringFlag{
Name: "tar-path",
Usage: "Set this flag to save the image as a tarball at path",
EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
},
cli.StringFlag{
Name: "verbosity",
Usage: "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -174,7 +207,7 @@ func main() {
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
EnvVar: "PLUGIN_PLATFORM,PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
@@ -212,11 +245,6 @@ func main() {
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
@@ -340,6 +368,11 @@ func main() {
}
func run(c *cli.Context) error {
// Check if this is a push-only operation
if c.Bool("push-only") {
return handlePushOnly(c)
}
noPush := c.Bool("no-push")
jsonKey := c.String("json-key")
// JSON key may not be set in the following cases:
@@ -351,7 +384,7 @@ func run(c *cli.Context) error {
}
// setup docker config only when base image registry is specified
if c.String("base-image-registry") != ""{
if c.String("base-image-registry") != "" {
if err := setDockerAuth(
c.String("base-image-username"),
c.String("base-image-password"),
@@ -359,6 +392,9 @@ func run(c *cli.Context) error {
); err != nil {
return errors.Wrap(err, "failed to create docker config")
}
} else {
fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
}
}
@@ -373,6 +409,8 @@ func run(c *cli.Context) error {
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
ArgsNew: c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
IsMultipleBuildArgs: c.Bool("plugin-multiple-build-agrs"),
Target: c.String("target"),
Repo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
@@ -383,15 +421,17 @@ func run(c *cli.Context) error {
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
PushOnly: c.Bool("push-only"),
SourceTarPath: c.String("source-tar-path"),
TarPath: c.String("tar-path"),
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
CustomPlatform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
@@ -414,6 +454,7 @@ func run(c *cli.Context) error {
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
},
@@ -436,7 +477,7 @@ func run(c *cli.Context) error {
return plugin.Exec()
}
func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) (error) {
func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) error {
dockerConfig := docker.NewConfig()
dockerRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
@@ -460,3 +501,113 @@ func setupGARAuth(jsonKey string) error {
}
return nil
}
func handlePushOnly(c *cli.Context) error {
// Validate inputs for push-only operation
sourceTarPath := c.String("source-tar-path")
if sourceTarPath == "" {
return fmt.Errorf("source_tar_path is required when push_only is set")
}
if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
}
repo := c.String("repo")
registry := c.String("registry")
if repo == "" || registry == "" {
return fmt.Errorf("repository and registry must be specified for push-only operation")
}
// Authentication options for crane
var opts []crane.Option
// Setup GAR authentication
jsonKey := c.String("json-key")
if jsonKey != "" {
if err := setupGARAuth(jsonKey); err != nil {
return err
}
logrus.Info("Setting up authentication for GAR")
// Create Docker config directory if it doesn't exist
dockerConfigDir := "/kaniko/.docker"
if err := os.MkdirAll(dockerConfigDir, 0755); err != nil {
return fmt.Errorf("failed to create Docker config directory: %v", err)
}
// Generate a Docker config with GAR auth
type DockerAuth struct {
Username string `json:"username"`
Password string `json:"password"`
Auth string `json:"auth"`
}
type DockerConfig struct {
Auths map[string]DockerAuth `json:"auths"`
}
// Create proper Auth field (base64 encoded username:password)
username := "_json_key"
authString := base64.StdEncoding.EncodeToString([]byte(username + ":" + jsonKey))
// Use _json_key as username and the key content as password for GAR
config := DockerConfig{
Auths: map[string]DockerAuth{
registry: {
Username: username,
Password: jsonKey,
Auth: authString,
},
},
}
// Write the Docker config
configBytes, err := json.Marshal(config)
if err != nil {
return fmt.Errorf("failed to marshal Docker config: %v", err)
}
dockerConfigPath := filepath.Join(dockerConfigDir, "config.json")
if err := ioutil.WriteFile(dockerConfigPath, configBytes, 0644); err != nil {
return fmt.Errorf("failed to write Docker config: %v", err)
}
// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
if err := os.Setenv("DOCKER_CONFIG", dockerConfigDir); err != nil {
return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
}
// Set up crane to use basic auth with docker config
opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
} else {
logrus.Warn("No JSON key provided, authentication may fail if not running with workload identity")
}
// Load the image from the tarball
logrus.Infof("Loading image from tarball: %s", sourceTarPath)
img, err := crane.Load(sourceTarPath)
if err != nil {
return fmt.Errorf("failed to load image from tarball: %v", err)
}
// Push for each tag
tags := c.StringSlice("tags")
if len(tags) == 0 {
tags = []string{"latest"}
}
for _, tag := range tags {
dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
logrus.Infof("Pushing image to: %s", dest)
if err := crane.Push(img, dest, opts...); err != nil {
return fmt.Errorf("failed to push image to %s: %v", dest, err)
}
logrus.Infof("Successfully pushed image to %s", dest)
}
return nil
}
cmd/kaniko-gar/main_test.go
+286
View File
@@ -0,0 +1,286 @@
package main
import (
"os"
"testing"
"github.com/drone/drone-kaniko/pkg/utils"
"github.com/urfave/cli"
)
func TestCustomStringSliceFlagIntegration(t *testing.T) {
tests := []struct {
name string
input string
expected []string
}{
{
name: "single build arg",
input: "ARG1=value1",
expected: []string{"ARG1=value1"},
},
{
name: "multiple build args with semicolon",
input: "ARG1=value1;ARG2=value2;ARG3=value3",
expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
},
{
name: "build args with spaces",
input: "ARG1=value with spaces;ARG2=another value",
expected: []string{"ARG1=value with spaces", "ARG2=another value"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Test the CustomStringSliceFlag directly
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.input)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
result := flag.GetValue()
if len(result) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
return
}
for i, expected := range tt.expected {
if result[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
}
}
})
}
}
func TestCLIIntegrationWithCustomFlag(t *testing.T) {
// Test CLI integration with proper flag setup
tests := []struct {
name string
args []string
expected []string
}{
{
name: "CLI with single arg",
args: []string{"gar-test", "--args-new", "ARG1=value1"},
expected: []string{"ARG1=value1"},
},
{
name: "CLI with multiple args",
args: []string{"gar-test", "--args-new", "ARG1=value1;ARG2=value2"},
expected: []string{"ARG1=value1", "ARG2=value2"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
app := cli.NewApp()
app.Name = "gar-test"
var capturedArgs []string
app.Flags = []cli.Flag{
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
}
app.Action = func(c *cli.Context) error {
if genericFlag := c.Generic("args-new"); genericFlag != nil {
if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
capturedArgs = customFlag.GetValue()
}
}
return nil
}
err := app.Run(tt.args)
if err != nil {
t.Errorf("CLI run error = %v, want nil", err)
return
}
if len(capturedArgs) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
return
}
for i, expected := range tt.expected {
if capturedArgs[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
}
}
})
}
}
func TestEnvironmentVariableIntegration(t *testing.T) {
// Test that environment variables work with CustomStringSliceFlag
originalEnv := os.Getenv("PLUGIN_BUILD_ARGS_NEW")
defer func() {
if originalEnv != "" {
os.Setenv("PLUGIN_BUILD_ARGS_NEW", originalEnv)
} else {
os.Unsetenv("PLUGIN_BUILD_ARGS_NEW")
}
}()
os.Setenv("PLUGIN_BUILD_ARGS_NEW", "ENV_ARG1=env_value1;ENV_ARG2=env_value2")
app := cli.NewApp()
app.Flags = []cli.Flag{
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
}
var capturedArgs []string
app.Action = func(c *cli.Context) error {
if flag := c.Generic("args-new"); flag != nil {
if customFlag, ok := flag.(*utils.CustomStringSliceFlag); ok {
capturedArgs = customFlag.GetValue()
}
}
return nil
}
err := app.Run([]string{"test"})
if err != nil {
t.Errorf("App.Run() error = %v, want nil", err)
return
}
expected := []string{"ENV_ARG1=env_value1", "ENV_ARG2=env_value2"}
if len(capturedArgs) != len(expected) {
t.Errorf("Environment variable test: got %d args, want %d", len(capturedArgs), len(expected))
return
}
for i, exp := range expected {
if capturedArgs[i] != exp {
t.Errorf("Environment variable test: got arg[%d] = %v, want %v", i, capturedArgs[i], exp)
}
}
}
func TestGARBuildArgsProcessing(t *testing.T) {
// Test that build args are correctly processed in the context of GAR plugin
tests := []struct {
name string
argsNew string
expectedCount int
expectedFirst string
}{
{
name: "docker build args format",
argsNew: "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
expectedCount: 3,
expectedFirst: "GOOS=linux",
},
{
name: "google cloud specific args",
argsNew: "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json;PROJECT_ID=my-project",
expectedCount: 2,
expectedFirst: "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json",
},
{
name: "single complex arg with special characters",
argsNew: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
expectedCount: 1,
expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.argsNew)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
args := flag.GetValue()
if len(args) != tt.expectedCount {
t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
return
}
if len(args) > 0 && args[0] != tt.expectedFirst {
t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
}
})
}
}
func TestGARRegistryFormatting(t *testing.T) {
// Test GAR-specific registry formatting
tests := []struct {
name string
registry string
repo string
expected string
}{
{
name: "standard GAR format",
registry: "us-central1-docker.pkg.dev",
repo: "my-project/my-repo/my-image",
expected: "us-central1-docker.pkg.dev/my-project/my-repo/my-image",
},
{
name: "different region",
registry: "europe-west1-docker.pkg.dev",
repo: "project123/repo456/image789",
expected: "europe-west1-docker.pkg.dev/project123/repo456/image789",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// This would be the format used in the GAR plugin
result := tt.registry + "/" + tt.repo
if result != tt.expected {
t.Errorf("GAR formatting: got %v, want %v", result, tt.expected)
}
})
}
}
func TestGARAuthSetup(t *testing.T) {
// Test GAR authentication setup
tests := []struct {
name string
jsonKey string
expectAuthFile bool
}{
{
name: "with json key",
jsonKey: `{"type":"service_account","project_id":"test"}`,
expectAuthFile: true,
},
{
name: "without json key (workload identity)",
jsonKey: "",
expectAuthFile: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// This simulates the auth setup logic
hasAuthFile := tt.jsonKey != ""
if hasAuthFile != tt.expectAuthFile {
t.Errorf("Auth file expectation: got %v, want %v", hasAuthFile, tt.expectAuthFile)
}
})
}
}
cmd/kaniko-gcr/main.go
+25 -12
View File
@@ -13,13 +13,14 @@ import (
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
)
const (
dockerConfigPath string = "/kaniko/.docker"
// GCR JSON key file path
gcrKeyPath string = "/kaniko/config.json"
gcrEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
gcrKeyPath string = "/kaniko/config.json"
gcrEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
defaultDigestFile string = "/kaniko/digest-file"
)
@@ -175,7 +176,7 @@ func main() {
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
EnvVar: "PLUGIN_PLATFORM,PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
@@ -213,11 +214,6 @@ func main() {
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
@@ -333,6 +329,18 @@ func main() {
Usage: "Number of retries for downloading base images.",
EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
},
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
cli.BoolFlag{
Name: "plugin-multiple-build-agrs",
Usage: "plugin multiple build agrs",
EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
},
}
if err := app.Run(os.Args); err != nil {
@@ -353,7 +361,7 @@ func run(c *cli.Context) error {
}
// setup docker config only when base image registry is specified
if c.String("base-image-registry") != ""{
if c.String("base-image-registry") != "" {
if err := setDockerAuth(
c.String("base-image-username"),
c.String("base-image-password"),
@@ -361,6 +369,9 @@ func run(c *cli.Context) error {
); err != nil {
return errors.Wrap(err, "failed to create docker config")
}
} else {
fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
}
}
@@ -375,6 +386,8 @@ func run(c *cli.Context) error {
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
ArgsNew: c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
IsMultipleBuildArgs: c.Bool("plugin-multiple-build-agrs"),
Target: c.String("target"),
Repo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
@@ -386,14 +399,13 @@ func run(c *cli.Context) error {
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
CustomPlatform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
@@ -416,6 +428,7 @@ func run(c *cli.Context) error {
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
},
@@ -438,7 +451,7 @@ func run(c *cli.Context) error {
return plugin.Exec()
}
func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) (error) {
func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) error {
dockerConfig := docker.NewConfig()
dockerRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
cmd/kaniko-gcr/main_test.go
+270
View File
@@ -0,0 +1,270 @@
package main
import (
"encoding/json"
"os"
"testing"
"github.com/drone/drone-kaniko/pkg/utils"
"github.com/urfave/cli"
)
func TestCustomStringSliceFlagIntegration(t *testing.T) {
tests := []struct {
name string
input string
expected []string
}{
{
name: "single build arg",
input: "ARG1=value1",
expected: []string{"ARG1=value1"},
},
{
name: "multiple build args with semicolon",
input: "ARG1=value1;ARG2=value2;ARG3=value3",
expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
},
{
name: "build args with spaces",
input: "ARG1=value with spaces;ARG2=another value",
expected: []string{"ARG1=value with spaces", "ARG2=another value"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Test the CustomStringSliceFlag directly
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.input)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
result := flag.GetValue()
if len(result) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
return
}
for i, expected := range tt.expected {
if result[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
}
}
})
}
}
func TestEnvironmentVariableIntegration(t *testing.T) {
// Test that environment variables work with CustomStringSliceFlag
originalEnv := os.Getenv("PLUGIN_BUILD_ARGS_NEW")
defer func() {
if originalEnv != "" {
os.Setenv("PLUGIN_BUILD_ARGS_NEW", originalEnv)
} else {
os.Unsetenv("PLUGIN_BUILD_ARGS_NEW")
}
}()
os.Setenv("PLUGIN_BUILD_ARGS_NEW", "ENV_ARG1=env_value1;ENV_ARG2=env_value2")
app := cli.NewApp()
app.Flags = []cli.Flag{
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
}
var capturedArgs []string
app.Action = func(c *cli.Context) error {
if flag := c.Generic("args-new"); flag != nil {
if customFlag, ok := flag.(*utils.CustomStringSliceFlag); ok {
capturedArgs = customFlag.GetValue()
}
}
return nil
}
err := app.Run([]string{"test"})
if err != nil {
t.Errorf("App.Run() error = %v, want nil", err)
return
}
expected := []string{"ENV_ARG1=env_value1", "ENV_ARG2=env_value2"}
if len(capturedArgs) != len(expected) {
t.Errorf("Environment variable test: got %d args, want %d", len(capturedArgs), len(expected))
return
}
for i, exp := range expected {
if capturedArgs[i] != exp {
t.Errorf("Environment variable test: got arg[%d] = %v, want %v", i, capturedArgs[i], exp)
}
}
}
func TestGCRBuildArgsProcessing(t *testing.T) {
// Test that build args are correctly processed in the context of GCR plugin
tests := []struct {
name string
argsNew string
expectedCount int
expectedFirst string
}{
{
name: "docker build args format",
argsNew: "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
expectedCount: 3,
expectedFirst: "GOOS=linux",
},
{
name: "google cloud specific args",
argsNew: "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json;PROJECT_ID=my-project",
expectedCount: 2,
expectedFirst: "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json",
},
{
name: "single complex arg with special characters",
argsNew: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
expectedCount: 1,
expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.argsNew)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
args := flag.GetValue()
if len(args) != tt.expectedCount {
t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
return
}
if len(args) > 0 && args[0] != tt.expectedFirst {
t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
}
})
}
}
func TestGCRRegistryFormatting(t *testing.T) {
// Test GCR-specific registry formatting
tests := []struct {
name string
registry string
repo string
expected string
}{
{
name: "standard GCR format",
registry: "gcr.io",
repo: "my-project/my-image",
expected: "gcr.io/my-project/my-image",
},
{
name: "regional GCR",
registry: "us.gcr.io",
repo: "project123/image456",
expected: "us.gcr.io/project123/image456",
},
{
name: "european GCR",
registry: "eu.gcr.io",
repo: "my-eu-project/my-app",
expected: "eu.gcr.io/my-eu-project/my-app",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// This would be the format used in the GCR plugin
result := tt.registry + "/" + tt.repo
if result != tt.expected {
t.Errorf("GCR formatting: got %v, want %v", result, tt.expected)
}
})
}
}
func TestGCRJSONKeyValidation(t *testing.T) {
// Test JSON key validation for GCR authentication
tests := []struct {
name string
jsonKey string
expectErr bool
}{
{
name: "empty json key",
jsonKey: "",
expectErr: false, // Empty is allowed (workload identity)
},
{
name: "valid json structure",
jsonKey: `{"type":"service_account","project_id":"test","private_key_id":"123"}`,
expectErr: false,
},
{
name: "invalid json",
jsonKey: `{invalid json}`,
expectErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// This simulates the JSON key validation that would happen in GCR
if tt.jsonKey != "" {
var data map[string]interface{}
err := json.Unmarshal([]byte(tt.jsonKey), &data)
if err != nil && !tt.expectErr {
t.Errorf("Expected no error for JSON key, got %v", err)
}
if err == nil && tt.expectErr {
t.Errorf("Expected error for JSON key, got nil")
}
}
})
}
}
func TestGCRAuthSetup(t *testing.T) {
// Test GCR authentication setup
tests := []struct {
name string
jsonKey string
expectAuthFile bool
}{
{
name: "with json key",
jsonKey: `{"type":"service_account","project_id":"test"}`,
expectAuthFile: true,
},
{
name: "without json key (workload identity)",
jsonKey: "",
expectAuthFile: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// This simulates the auth setup logic
hasAuthFile := tt.jsonKey != ""
if hasAuthFile != tt.expectAuthFile {
t.Errorf("Auth file expectation: got %v, want %v", hasAuthFile, tt.expectAuthFile)
}
})
}
}
docker/acr/Dockerfile.linux.amd64
+2 -2
View File
@@ -1,5 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
ENV KANIKO_VERSION=1.23.2
ENV KANIKO_VERSION=1.25.0
ADD release/linux/amd64/kaniko-acr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-acr"]
docker/acr/Dockerfile.linux.arm64
+2 -2
View File
@@ -1,8 +1,8 @@
FROM gcr.io/kaniko-project/executor:v1.23.0
FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.0
ENV KANIKO_VERSION=1.25.0
ADD release/linux/arm64/kaniko-acr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-acr"]
docker/docker/Dockerfile.linux.amd64
+2 -2
View File
@@ -1,5 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
ENV KANIKO_VERSION=1.23.2
ENV KANIKO_VERSION=1.25.0
ADD release/linux/amd64/kaniko-docker /kaniko/
ENTRYPOINT ["/kaniko/kaniko-docker"]
docker/docker/Dockerfile.linux.arm64
+2 -2
View File
@@ -1,8 +1,8 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.2
ENV KANIKO_VERSION=1.25.0
ADD release/linux/arm64/kaniko-docker /kaniko/
ENTRYPOINT ["/kaniko/kaniko-docker"]
docker/ecr/Dockerfile.linux.amd64
+2 -2
View File
@@ -1,5 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
ENV KANIKO_VERSION=1.23.2
ENV KANIKO_VERSION=1.25.0
ADD release/linux/amd64/kaniko-ecr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-ecr"]
docker/ecr/Dockerfile.linux.arm64
+2 -2
View File
@@ -1,8 +1,8 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.2
ENV KANIKO_VERSION=1.25.0
ADD release/linux/arm64/kaniko-ecr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-ecr"]
docker/gar/Dockerfile.linux.amd64
+2 -2
View File
@@ -1,5 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
ENV KANIKO_VERSION=1.23.2
ENV KANIKO_VERSION=1.25.0
ADD release/linux/amd64/kaniko-gar /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gar"]
docker/gar/Dockerfile.linux.arm64
+2 -2
View File
@@ -1,8 +1,8 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.2
ENV KANIKO_VERSION=1.25.0
ADD release/linux/arm64/kaniko-gar /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gar"]
docker/gcr/Dockerfile.linux.amd64
+1 -1
View File
@@ -1,4 +1,4 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
ENV KANIKO_VERSION=1.23.2
ADD release/linux/amd64/kaniko-gcr /kaniko/
docker/gcr/Dockerfile.linux.arm64
+1 -1
View File
@@ -1,4 +1,4 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
ENV HOME /root
ENV USER root
go.mod
+28 -17
View File
@@ -1,8 +1,8 @@
module github.com/drone/drone-kaniko
require (
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
github.com/aws/aws-sdk-go v1.44.52
github.com/aws/aws-sdk-go-v2 v1.16.7
github.com/aws/aws-sdk-go-v2/config v1.15.14
@@ -10,19 +10,20 @@ require (
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8
github.com/aws/smithy-go v1.12.0
github.com/coreos/go-semver v0.3.0
github.com/google/go-cmp v0.5.9
github.com/google/go-cmp v0.6.0
github.com/google/go-containerregistry v0.20.3
github.com/hashicorp/go-version v1.6.0
github.com/joho/godotenv v1.4.0
github.com/pkg/errors v0.9.1
github.com/sirupsen/logrus v1.9.3
github.com/stretchr/testify v1.8.4
github.com/urfave/cli v1.22.9
golang.org/x/mod v0.17.0
github.com/stretchr/testify v1.11.1
github.com/urfave/cli v1.22.15
golang.org/x/mod v0.26.0
)
require (
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.12.9 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 // indirect
@@ -31,20 +32,30 @@ require (
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/docker/cli v29.3.0+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/klauspost/compress v1.17.11 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
golang.org/x/net v0.0.0-20220725212005-46097bf591d3 // indirect
golang.org/x/sys v0.19.0 // indirect
golang.org/x/text v0.3.7 // indirect
github.com/vbatts/tar-split v0.11.6 // indirect
golang.org/x/crypto v0.41.0 // indirect
golang.org/x/net v0.43.0 // indirect
golang.org/x/sync v0.16.0 // indirect
golang.org/x/sys v0.35.0 // indirect
golang.org/x/text v0.28.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
go 1.22.4
go 1.25.7
go.sum
+78 -45
View File
@@ -1,12 +1,16 @@
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 h1:tz19qLF65vuu2ibfTqGVJxG/zZAI27NEIIbvAOQwYbw=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 h1:TsFCaaF5tR4XN8b4zLVl/J4qMb0nf80Q4CXcpXDNJDY=
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/aws/aws-sdk-go v1.44.52 h1:kHLbYJj59C7VrsLM4gm7pxsvaNIvhXCCIDYEFFoQ+VE=
github.com/aws/aws-sdk-go v1.44.52/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns=
@@ -35,27 +39,31 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 h1:yOfILxyjmtr2ubRkRJldlHDFBhf5
github.com/aws/aws-sdk-go-v2/service/sts v1.16.9/go.mod h1:O1IvkYxr+39hRf960Us6j0x1P8pDqhTX+oXM5kQNl/Y=
github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0=
github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/docker/cli v29.3.0+incompatible h1:z3iWveU7h19Pqx7alZES8j+IeFQZ1lhTwb2F+V9SVvk=
github.com/docker/cli v29.3.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI=
github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
@@ -64,52 +72,77 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/urfave/cli v1.22.9 h1:cv3/KhXGBGjEXLC4bH0sLuJ9BewaAbpk5oyMOveu4pw=
github.com/urfave/cli v1.22.9/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.0.0-20220725212005-46097bf591d3 h1:2yWTtPWWRcISTw3/o+s/Y4UOMnQL71DWyToOANFusCg=
golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
internal/azure/tokenutil.go
+72
View File
@@ -0,0 +1,72 @@
package azure
import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"time"
)
const DefaultResource = "https://management.azure.com/"
const defaultAuthorityHost = "https://login.microsoftonline.com"
const defaultHTTPTimeout = 30 * time.Second
// GetAADAccessTokenViaClientAssertion exchanges an external OIDC ID token for an Azure AD access token
func GetAADAccessTokenViaClientAssertion(ctx context.Context, tenantID, clientID, oidcToken, authorityHost string) (string, error) {
resource := DefaultResource
form := url.Values{
"client_id": {clientID},
"scope": {resource + ".default"},
"grant_type": {"client_credentials"},
"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
"client_assertion": {oidcToken},
}
base := authorityHost
if strings.TrimSpace(base) == "" {
base = defaultAuthorityHost
}
base = strings.TrimRight(base, "/")
endpoint := fmt.Sprintf("%s/%s/oauth2/v2.0/token", base, tenantID)
client := &http.Client{Timeout: defaultHTTPTimeout}
req, err := http.NewRequestWithContext(ctx, "POST", endpoint, strings.NewReader(form.Encode()))
if err != nil {
return "", err
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Accept", "application/json")
resp, err := client.Do(req)
if err != nil {
return "", err
}
defer resp.Body.Close()
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
var aadErr struct {
Error string `json:"error"`
ErrorDescription string `json:"error_description"`
}
limited := io.LimitedReader{R: resp.Body, N: 4096}
_ = json.NewDecoder(&limited).Decode(&aadErr)
if aadErr.Error != "" {
return "", fmt.Errorf("AAD token request failed: status=%d, error=%s", resp.StatusCode, aadErr.Error)
}
return "", fmt.Errorf("AAD token request failed: status=%d", resp.StatusCode)
}
var payload struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int `json:"expires_in"`
}
if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
return "", err
}
if payload.AccessToken == "" {
return "", fmt.Errorf("AAD token response missing access_token")
}
return payload.AccessToken, nil
}
internal/azure/tokenutil_test.go
+103
View File
@@ -0,0 +1,103 @@
package azure
import (
"context"
"net/http"
"net/http/httptest"
"strings"
"testing"
)
func TestGetAADAccessTokenViaClientAssertion_Success(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
t.Fatalf("expected POST, got %s", r.Method)
}
if ct := r.Header.Get("Content-Type"); !strings.Contains(ct, "application/x-www-form-urlencoded") {
t.Fatalf("expected form content-type, got %s", ct)
}
if err := r.ParseForm(); err != nil {
t.Fatalf("failed parsing form: %v", err)
}
assertEq(t, r.Form.Get("client_id"), "client")
assertEq(t, r.Form.Get("grant_type"), "client_credentials")
assertEq(t, r.Form.Get("client_assertion_type"), "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
assertEq(t, r.Form.Get("client_assertion"), "idtoken")
assertEq(t, r.Form.Get("scope"), DefaultResource+".default")
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte(`{"access_token":"AT","token_type":"Bearer","expires_in":3600}`))
}))
defer ts.Close()
tok, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if tok != "AT" {
t.Fatalf("expected access token AT, got %q", tok)
}
}
func TestGetAADAccessTokenViaClientAssertion_400WithErrorField(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusBadRequest)
_, _ = w.Write([]byte(`{"error":"invalid_client","error_description":"bad"}`))
}))
defer ts.Close()
_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
if err == nil || !strings.Contains(err.Error(), "status=400") || !strings.Contains(err.Error(), "invalid_client") {
t.Fatalf("expected 400 with invalid_client error, got %v", err)
}
}
func TestGetAADAccessTokenViaClientAssertion_400WithoutErrorField(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusBadRequest)
_, _ = w.Write([]byte("{}"))
}))
defer ts.Close()
_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
if err == nil || !strings.Contains(err.Error(), "status=400") {
t.Fatalf("expected 400 error, got %v", err)
}
}
func TestGetAADAccessTokenViaClientAssertion_MalformedJSON(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte("not-json"))
}))
defer ts.Close()
_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
if err == nil {
t.Fatalf("expected JSON decode error, got nil")
}
}
func TestGetAADAccessTokenViaClientAssertion_MissingAccessToken(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte(`{"token_type":"Bearer","expires_in":3600}`))
}))
defer ts.Close()
_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
if err == nil || !strings.Contains(err.Error(), "missing access_token") {
t.Fatalf("expected missing access_token error, got %v", err)
}
}
func assertEq(t *testing.T, got, want string) {
t.Helper()
if got != want {
t.Fatalf("mismatch: got=%q want=%q", got, want)
}
}
kaniko.go
+162 -70
View File
@@ -5,77 +5,85 @@ import (
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"strings"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/output"
"github.com/drone/drone-kaniko/pkg/tagger"
"github.com/google/go-containerregistry/pkg/crane"
"golang.org/x/mod/semver"
)
type (
// Build defines Docker build parameters.
Build struct {
DroneCommitRef string // Drone git commit reference
DroneRepoBranch string // Drone repo branch
Dockerfile string // Docker build Dockerfile
Context string // Docker build context
Tags []string // Docker build tags
AutoTag bool // Set this to auto detect tags from git commits and semver-tagged labels
AutoTagSuffix string // Suffix to append to the auto detect tags
ExpandTag bool // Set this to expand the `Tags` into semver-tagged labels
Args []string // Docker build args
Target string // Docker build target
Repo string // Docker build repository
Mirrors []string // Docker repository mirrors
Labels []string // Label map
SkipTlsVerify bool // Docker skip tls certificate verify for registry
SnapshotMode string // Kaniko snapshot mode
EnableCache bool // Whether to enable kaniko cache
CacheRepo string // Remote repository that will be used to store cached layers
CacheTTL int // Cache timeout in hours
DigestFile string // Digest file location
NoPush bool // Set this flag if you only want to build the image, without pushing to a registry
Verbosity string // Log level
Platform string // Allows to build with another default platform than the host, similarly to docker build --platform
SkipUnusedStages bool // Build only used stages
TarPath string // Set this flag to save the image as a tarball at path
Args []string // Docker build args
ArgsNew []string // docker build args with comma seperated values
AutoTag bool // Set this to auto detect tags from git commits and semver-tagged labels
AutoTagSuffix string // Suffix to append to the auto detect tags
CacheRepo string // Remote repository that will be used to store cached layers
CacheTTL int // Cache timeout in hours
Context string // Docker build context
DigestFile string // Digest file location
Dockerfile string // Docker build Dockerfile
DroneCommitRef string // Drone git commit reference
DroneRepoBranch string // Drone repo branch
EnableCache bool // Whether to enable kaniko cache
ExpandTag bool // Set this to expand the `Tags` into semver-tagged labels
IsMultipleBuildArgs bool // env variable for fallback for docker build args
Labels []string // Label map
Mirrors []string // Docker repository mirrors
NoPush bool // Set this flag if you only want to build the image, without pushing to a registry
PushOnly bool // Specify if the operation is push-only.
Repo string // Docker build repository
SkipTlsVerify bool // Docker skip tls certificate verify for registry
SkipUnusedStages bool // Build only used stages
SnapshotMode string // Kaniko snapshot mode
SourceTarPath string // Path to the local tarball to be pushed
Tags []string // Docker build tags
TarPath string // Set this flag to save the image as a tarball at path
Target string // Docker build target
Verbosity string // Log level
Cache bool // Enable or disable caching during the build process.
CacheDir string // Directory to store cached layers.
CacheCopyLayers bool // Enable or disable copying layers from the cache.
CacheRunLayers bool // Enable or disable running layers from the cache.
Cleanup bool // Enable or disable cleanup of temporary files.
CompressedCaching *bool // Enable or disable compressed caching.
ContextSubPath string // Sub-path within the context to build.
CustomPlatform string // Platform to use for building.
Force bool // Force building the image even if it already exists.
Git bool // Branch to clone if build context is a git repository .
ImageNameWithDigestFile string // Write image name with digest to a file.
ImageNameTagWithDigestFile string // Write image name with tag and digest to a file.
Insecure bool // Allow connecting to registries without TLS.
InsecurePull bool // Allow insecure pulls from the registry.
InsecureRegistry string // Use plain HTTP for registry communication.
Label string // Add metadata to an image.
LogFormat string // Set the log format for build output.
LogTimestamp bool // Show timestamps in build output.
OCILayoutPath string // Directory to store OCI layout.
PushRetry int // Number of times to retry pushing an image.
RegistryCertificate string // Path to a file containing a registry certificate.
RegistryClientCert string // Path to a file containing a registry client certificate.
RegistryMirror string // Mirror for registry pulls.
SkipDefaultRegistryFallback bool // Skip Docker Hub and default registry fallback.
Reproducible bool // Create a reproducible image.
SingleSnapshot bool // Only create a single snapshot of the image.
SkipTLSVerify bool // Skip TLS verification when connecting to the registry.
SkipPushPermissionCheck bool // Skip permission check when pushing.
SkipTLSVerifyPull bool // Skip TLS verification when pulling.
SkipTLSVerifyRegistry bool // Skip TLS verification when connecting to a registry.
UseNewRun bool // Use the new container runtime (`runc`) for builds.
IgnoreVarRun *bool // Ignore `/var/run` when copying from the context.
IgnorePath string // Ignore files matching the specified path pattern.
ImageFSExtractRetry int // Number of times to retry extracting the image filesystem.
ImageDownloadRetry int // Number of times to retry downloading layers.
Cache bool // Enable or disable caching during the build process.
CacheDir string // Directory to store cached layers.
CacheCopyLayers bool // Enable or disable copying layers from the cache.
CacheRunLayers bool // Enable or disable running layers from the cache.
Cleanup bool // Enable or disable cleanup of temporary files.
CompressedCaching *bool // Enable or disable compressed caching.
ContextSubPath string // Sub-path within the context to build.
CustomPlatform string // Platform to use for building.
Force bool // Force building the image even if it already exists.
Git bool // Branch to clone if build context is a git repository .
ImageNameWithDigestFile string // Write image name with digest to a file.
ImageNameTagWithDigestFile string // Write image name with tag and digest to a file.
Insecure bool // Allow connecting to registries without TLS.
InsecurePull bool // Allow insecure pulls from the registry.
InsecureRegistry string // Use plain HTTP for registry communication.
Label string // Add metadata to an image.
LogFormat string // Set the log format for build output.
LogTimestamp bool // Show timestamps in build output.
OCILayoutPath string // Directory to store OCI layout.
PushRetry int // Number of times to retry pushing an image.
RegistryCertificate string // Path to a file containing a registry certificate.
RegistryClientCert string // Path to a file containing a registry client certificate.
RegistryMirror string // Mirror for registry pulls.
SkipDefaultRegistryFallback bool // Skip Docker Hub and default registry fallback.
Reproducible bool // Create a reproducible image.
SingleSnapshot bool // Only create a single snapshot of the image.
SkipTLSVerify bool // Skip TLS verification when connecting to the registry.
SkipPushPermissionCheck bool // Skip permission check when pushing.
SkipTLSVerifyPull bool // Skip TLS verification when pulling.
SkipTLSVerifyRegistry bool // Skip TLS verification when connecting to a registry.
UseNewRun bool // Use the new container runtime (`runc`) for builds.
IgnoreVarRun *bool // Ignore `/var/run` when copying from the context.
IgnorePath string // Ignore files matching the specified path pattern.
IgnorePaths []string // Ignore files matching the specified path pattern.
ImageFSExtractRetry int // Number of times to retry extracting the image filesystem.
ImageDownloadRetry int // Number of times to retry downloading layers.
}
// Artifact defines content of artifact file
@@ -97,6 +105,10 @@ type (
Build Build // Docker build configuration
Artifact Artifact // Artifact file content
Output Output // Output file content
// parameters for UTs to mock crane functionality
LoadImageFromTarball func(string) (v1.Image, error)
PushImageToRegistry func(v1.Image, string) error
}
)
@@ -167,12 +179,63 @@ func (b Build) AutoTags() (tags []string, err error) {
// Exec executes the plugin step
func (p Plugin) Exec() error {
if p.Build.NoPush && p.Build.PushOnly {
return fmt.Errorf("inputs no-push and push-only cannot be used together. please define only one")
}
if !p.Build.NoPush && p.Build.Repo == "" {
return fmt.Errorf("repository name to publish image must be specified")
}
if p.Build.PushOnly {
// When push-only is set, source_tar_path MUST be provided
if p.Build.SourceTarPath == "" {
return fmt.Errorf("source_tar_path is required when push_only is set. please provide a valid tarball path")
}
if _, err := os.Stat(p.Build.SourceTarPath); os.IsNotExist(err) {
return fmt.Errorf("image tarball does not exist at path: %s", p.Build.SourceTarPath)
}
if p.Build.Repo == "" {
return fmt.Errorf("missing required destination repository for push-only operation")
}
// Load the image from the tarball
img, err := crane.Load(p.Build.SourceTarPath)
if err != nil {
return fmt.Errorf("failed to load image from tarball: %v", err)
}
// If no tags are specified, use 'latest'
tags := p.Build.Tags
for _, tag := range tags {
dest := fmt.Sprintf("%s:%s", p.Build.Repo, tag)
// Push the image to the destination
err := crane.Push(img, dest)
if err != nil {
return fmt.Errorf("failed to push image from tarball [%s] to destination [%s]: %v", p.Build.SourceTarPath, dest, err)
}
fmt.Printf("Successfully pushed image - '%s'\n to %s\n", dest, p.Build.Repo)
}
return nil
}
if _, err := os.Stat(p.Build.Dockerfile); os.IsNotExist(err) {
return fmt.Errorf("dockerfile does not exist at path: %s", p.Build.Dockerfile)
// Get absolute path for better error message. If path is empty, this will
// return the current working directory, showing where the plugin looked.
absPath, absErr := filepath.Abs(p.Build.Dockerfile)
if absErr != nil {
absPath = p.Build.Dockerfile
}
return fmt.Errorf("dockerfile does not exist at path: %s", absPath)
}
var tags = p.Build.Tags
@@ -202,8 +265,14 @@ func (p Plugin) Exec() error {
}
// Set the build arguments
for _, arg := range p.Build.Args {
cmdArgs = append(cmdArgs, fmt.Sprintf("--build-arg=%s", arg))
if p.Build.IsMultipleBuildArgs {
for _, arg := range p.Build.ArgsNew {
cmdArgs = append(cmdArgs, "--build-arg", arg)
}
} else {
for _, arg := range p.Build.Args {
cmdArgs = append(cmdArgs, "--build-arg", arg)
}
}
// Set the labels
for _, label := range p.Build.Labels {
@@ -249,15 +318,17 @@ func (p Plugin) Exec() error {
cmdArgs = append(cmdArgs, fmt.Sprintf("--verbosity=%s", p.Build.Verbosity))
}
if p.Build.Platform != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--customPlatform=%s", p.Build.Platform))
}
if p.Build.SkipUnusedStages {
cmdArgs = append(cmdArgs, "--skip-unused-stages")
}
if p.Build.TarPath != "" {
tarDir := filepath.Dir(p.Build.TarPath)
if _, err := os.Stat(tarDir); os.IsNotExist(err) {
if mkdirErr := os.MkdirAll(tarDir, 0755); mkdirErr != nil {
return fmt.Errorf("failed to create directory for tar path %s: %v", tarDir, mkdirErr)
}
}
cmdArgs = append(cmdArgs, fmt.Sprintf("--tar-path=%s", p.Build.TarPath))
}
@@ -381,6 +452,15 @@ func (p Plugin) Exec() error {
cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", p.Build.IgnorePath))
}
if p.Build.IgnorePaths != nil {
for _, path := range p.Build.IgnorePaths {
trimmed := strings.TrimSpace(path)
if trimmed != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", trimmed))
}
}
}
if p.Build.ImageFSExtractRetry != 0 {
cmdArgs = append(cmdArgs, fmt.Sprintf("--image-fs-extract-retry=%d", p.Build.ImageFSExtractRetry))
}
@@ -406,15 +486,27 @@ func (p Plugin) Exec() error {
}
}
if p.Output.OutputFile != "" {
if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile)); err != nil {
fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
}
p.Output.OutputFile = os.Getenv("DRONE_OUTPUT")
var tarPath string
if p.Build.TarPath != "" {
tarPath = getTarPath(p.Build.TarPath)
}
if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile), tarPath); err != nil {
fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
}
return nil
}
func getTarPath(tarPath string) string {
tarDir := filepath.Dir(tarPath)
if _, err := os.Stat(tarDir); err != nil && os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "Warning: tar path does not exist: %s\n", tarPath)
return ""
}
return tarPath
}
func getDigest(digestFile string) string {
content, err := ioutil.ReadFile(digestFile)
if err != nil {
kaniko_test.go
+355
View File
@@ -1,6 +1,10 @@
package kaniko
import (
"archive/tar"
"fmt"
"os"
"path/filepath"
"testing"
"github.com/google/go-cmp/cmp"
@@ -148,3 +152,354 @@ func TestBuild_AutoTags(t *testing.T) {
}
})
}
func TestTarPathValidation(t *testing.T) {
tests := []struct {
name string
tarPath string
setup func(string) error
cleanup func(string) error
expectSuccess bool
privileged bool
}{
{
name: "valid_path_privileged",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-image-tar")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectSuccess: true,
privileged: true,
},
{
name: "valid_path_unprivileged",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-image-tar")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectSuccess: true,
privileged: false,
},
{
name: "empty_path",
tarPath: "",
setup: func(path string) error { return nil },
cleanup: func(path string) error { return nil },
expectSuccess: false,
privileged: false,
},
{
name: "relative_path_dots",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-image-tar")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectSuccess: true,
privileged: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Skip privileged tests if not running as root
if tt.privileged && os.Getuid() != 0 {
t.Skip("Skipping privileged test as not running as root")
}
if err := tt.setup(tt.tarPath); err != nil {
t.Fatalf("Setup failed: %v", err)
}
defer tt.cleanup(tt.tarPath)
// Determine tar path based on test case
var tarPath string
tmpDir := os.Getenv("DRONE_WORKSPACE")
switch tt.name {
case "valid_path_privileged", "valid_path_unprivileged":
tarPath = filepath.Join(tmpDir, "test", "image.tar")
case "invalid_path_no_permissions":
tarPath = "/test/image.tar"
case "relative_path_dots":
tarPath = filepath.Join("..", "test", "image.tar")
default:
tarPath = tt.tarPath
}
p := Plugin{
Build: Build{
TarPath: tarPath,
},
}
tarDir := filepath.Dir(p.Build.TarPath)
err := os.MkdirAll(tarDir, 0755)
if tt.expectSuccess {
if err != nil {
t.Errorf("Expected directory creation to succeed, got error: %v", err)
}
if _, err := os.Stat(tarDir); err != nil {
t.Errorf("Expected directory to exist after creation, got error: %v", err)
}
}
result := getTarPath(p.Build.TarPath)
if tt.expectSuccess && result == "" {
t.Error("Expected non-empty tar path, got empty string")
}
if !tt.expectSuccess && result != "" {
t.Error("Expected empty tar path, got non-empty string")
}
})
}
}
func TestCustomPlatformFlag(t *testing.T) {
tests := []struct {
name string
customPlatform string
expectFlag bool
}{
{
name: "with_custom_platform",
customPlatform: "linux/amd64",
expectFlag: true,
},
{
name: "with_custom_platform_arm",
customPlatform: "linux/arm64",
expectFlag: true,
},
{
name: "empty_custom_platform",
customPlatform: "",
expectFlag: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
p := Plugin{
Build: Build{
Dockerfile: "Dockerfile",
Context: ".",
Repo: "test/repo",
Tags: []string{"latest"},
CustomPlatform: tt.customPlatform,
NoPush: true, // Don't actually push
},
}
// We can't actually run Exec() without kaniko installed,
// but we can verify the logic by checking the field is set correctly
if tt.expectFlag && p.Build.CustomPlatform == "" {
t.Errorf("Expected CustomPlatform to be set to %q, but got empty string", tt.customPlatform)
}
if !tt.expectFlag && p.Build.CustomPlatform != "" {
t.Errorf("Expected CustomPlatform to be empty, but got %q", p.Build.CustomPlatform)
}
if tt.expectFlag && p.Build.CustomPlatform != tt.customPlatform {
t.Errorf("Expected CustomPlatform to be %q, but got %q", tt.customPlatform, p.Build.CustomPlatform)
}
})
}
}
func TestSourceTarballPush(t *testing.T) {
tests := []struct {
name string
sourceTarPath string
repo string
autoTag bool
tags []string
commitRef string
repoBranch string
expectedError bool
expectedTags []string
mockLoadErr error
mockPushErr error
}{
{
name: "empty_repo_fails",
sourceTarPath: "/path/to/image.tar",
repo: "",
expectedError: true,
},
{
name: "nonexistent_tarball_fails",
sourceTarPath: "/path/that/does/not/exist/image.tar",
repo: "test-repo",
expectedError: true,
},
{
name: "load_image_fails",
sourceTarPath: createTestTarball(t),
repo: "test-repo",
expectedError: true,
mockLoadErr: fmt.Errorf("load failed"),
},
{
name: "push_image_fails",
sourceTarPath: createTestTarball(t),
repo: "test-repo",
expectedError: true,
expectedTags: []string{"latest"},
mockPushErr: fmt.Errorf("push failed"),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
mockPlugin := Plugin{
Build: Build{
SourceTarPath: tt.sourceTarPath,
Repo: tt.repo,
Tags: tt.tags,
AutoTag: tt.autoTag,
DroneCommitRef: tt.commitRef,
DroneRepoBranch: tt.repoBranch,
},
LoadImageFromTarball: MockCraneLoad(tt.sourceTarPath, tt.mockLoadErr),
PushImageToRegistry: MockCranePush(tt.mockPushErr),
}
err := mockPlugin.Exec()
if tt.expectedError {
if err == nil {
t.Errorf("Expected an error, but got none")
}
} else {
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
}
})
}
}
// Helper function to create a test tarball
func createTestTarball(t *testing.T) string {
// Create a temporary directory for the tarball contents
tmpDir, err := os.MkdirTemp("", "test-tarball-*")
if err != nil {
t.Fatalf("Failed to create temp directory: %v", err)
}
defer os.RemoveAll(tmpDir)
// Create a minimal `manifest.json` file with a valid hash
manifestPath := filepath.Join(tmpDir, "manifest.json")
manifestContent := `[{
"Config": "config.json",
"RepoTags": ["test-repo:latest"],
"Layers": ["layer.tar"]
}]`
err = os.WriteFile(manifestPath, []byte(manifestContent), 0644)
if err != nil {
t.Fatalf("Failed to create manifest.json: %v", err)
}
// Create a valid `config.json` file with a dummy hash
configPath := filepath.Join(tmpDir, "config.json")
configContent := `{
"architecture": "amd64",
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": ["sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
}
}`
err = os.WriteFile(configPath, []byte(configContent), 0644)
if err != nil {
t.Fatalf("Failed to create config.json: %v", err)
}
// Create a dummy `layer.tar` file
layerPath := filepath.Join(tmpDir, "layer.tar")
layerFile, err := os.Create(layerPath)
if err != nil {
t.Fatalf("Failed to create layer.tar: %v", err)
}
defer layerFile.Close()
_, err = layerFile.Write([]byte("dummy layer content"))
if err != nil {
t.Fatalf("Failed to write to layer.tar: %v", err)
}
// Create a tarball from the temp directory
tarballPath := filepath.Join(os.TempDir(), "test-image.tar")
tarballFile, err := os.Create(tarballPath)
if err != nil {
t.Fatalf("Failed to create tarball: %v", err)
}
defer tarballFile.Close()
tw := tar.NewWriter(tarballFile)
defer tw.Close()
err = filepath.Walk(tmpDir, func(path string, info os.FileInfo, err error) error {
if err != nil {
return err
}
relPath, _ := filepath.Rel(tmpDir, path)
if relPath == "." {
return nil
}
header, err := tar.FileInfoHeader(info, path)
if err != nil {
return err
}
header.Name = relPath
if err := tw.WriteHeader(header); err != nil {
return err
}
if !info.IsDir() {
fileContent, err := os.ReadFile(path)
if err != nil {
return err
}
_, err = tw.Write(fileContent)
if err != nil {
return err
}
}
return nil
})
if err != nil {
t.Fatalf("Failed to write tarball: %v", err)
}
return tarballPath
}
mock_crane.go
+71
View File
@@ -0,0 +1,71 @@
package kaniko
import (
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/types"
)
func MockCraneLoad(path string, loadErr error) func(string) (v1.Image, error) {
return func(inputPath string) (v1.Image, error) {
if loadErr != nil {
return nil, loadErr
}
return &mockImage{}, nil
}
}
func MockCranePush(pushErr error) func(v1.Image, string) error {
return func(img v1.Image, dest string) error {
if pushErr != nil {
return pushErr
}
return nil
}
}
// mockImage is a mock implementation of v1.Image interface
type mockImage struct{}
func (m *mockImage) Size() (int64, error) {
return 0, nil
}
func (m *mockImage) RawConfigFile() ([]byte, error) {
return nil, nil
}
func (m *mockImage) Digest() (v1.Hash, error) {
return v1.Hash{}, nil
}
func (m *mockImage) Manifest() (*v1.Manifest, error) {
return nil, nil
}
func (m *mockImage) RawManifest() ([]byte, error) {
return nil, nil
}
func (m *mockImage) LayerByDigest(hash v1.Hash) (v1.Layer, error) {
return nil, nil
}
func (m *mockImage) LayerByDiffID(hash v1.Hash) (v1.Layer, error) {
return nil, nil
}
func (m *mockImage) Layers() ([]v1.Layer, error) {
return nil, nil
}
func (m *mockImage) MediaType() (types.MediaType, error) {
return "", nil
}
func (m *mockImage) ConfigFile() (*v1.ConfigFile, error) {
return nil, nil
}
func (m *mockImage) ConfigName() (v1.Hash, error) {
return v1.Hash{}, nil
}
pkg/output/output.go
+9 -3
View File
@@ -4,9 +4,15 @@ import (
"github.com/joho/godotenv"
)
func WritePluginOutputFile(outputFilePath, digest string) error {
output := map[string]string{
"digest": digest,
func WritePluginOutputFile(outputFilePath, digest string, pluginTarPath string) error {
output := make(map[string]string)
if digest != "" {
output["digest"] = digest
}
if pluginTarPath != "" {
output["IMAGE_TAR_PATH"] = pluginTarPath
}
return godotenv.Write(output, outputFilePath)
}
pkg/output/output_test.go
+145
View File
@@ -0,0 +1,145 @@
package output
import (
"os"
"path/filepath"
"testing"
)
func TestWritePluginOutputFile(t *testing.T) {
tests := []struct {
name string
outputPath string
digest string
tarPath string
setup func(string) error
cleanup func(string) error
expectError bool
privileged bool
}{
{
name: "valid_output_privileged",
outputPath: "",
digest: "sha256:test",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-output")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectError: false,
privileged: true,
},
{
name: "valid_output_unprivileged",
outputPath: "",
digest: "sha256:test",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-output")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectError: false,
privileged: false,
},
{
name: "digest_only",
outputPath: "",
digest: "sha256:test",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-output")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectError: false,
privileged: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Skip privileged tests if not running as root
if tt.privileged && os.Getuid() != 0 {
t.Skip("Skipping privileged test as not running as root")
}
if err := tt.setup(tt.outputPath); err != nil {
t.Fatalf("Setup failed: %v", err)
}
defer tt.cleanup(tt.outputPath)
tmpDir := os.Getenv("DRONE_WORKSPACE")
var outputPath, tarPath string
switch tt.name {
case "valid_output_privileged", "valid_output_unprivileged":
outputPath = filepath.Join(tmpDir, "test", "output.env")
tarPath = filepath.Join(tmpDir, "test", "image.tar")
case "invalid_output_path":
outputPath = filepath.Join("/root", "test", "output.env")
tarPath = filepath.Join("/root", "test", "image.tar")
case "digest_only":
outputPath = filepath.Join(tmpDir, "test", "output.env")
tarPath = ""
}
err := os.MkdirAll(filepath.Dir(outputPath), 0755)
if err != nil {
t.Fatalf("Failed to create output directory: %v", err)
}
err = WritePluginOutputFile(outputPath, tt.digest, tarPath)
if tt.expectError && err == nil {
t.Error("Expected error, got none")
}
if !tt.expectError && err != nil {
t.Errorf("Expected no error, got: %v", err)
}
if !tt.expectError && err == nil {
content, err := os.ReadFile(outputPath)
if err != nil {
t.Fatalf("Failed to read output file: %v", err)
}
if tt.digest != "" && !contains(string(content), tt.digest) {
t.Error("Expected digest in output file")
}
if tarPath != "" && !contains(string(content), tarPath) {
t.Error("Expected tar path in output file")
}
}
})
}
}
func contains(content, substring string) bool {
return len(substring) > 0 && content != "" && content != "\n" && content != "\r\n"
}
pkg/utils/custom_string_slice.go
+36
View File
@@ -0,0 +1,36 @@
package utils
import (
"strings"
)
// CustomStringSliceFlag is like a regular StringSlice flag but with
// semicolon as a delimiter
type CustomStringSliceFlag struct {
Value []string
}
// GetValue returns the slice of strings stored in the flag
func (f *CustomStringSliceFlag) GetValue() []string {
if f.Value == nil {
return make([]string, 0)
}
return f.Value
}
// String returns a string representation of the flag
func (f *CustomStringSliceFlag) String() string {
if f.Value == nil {
return ""
}
return strings.Join(f.Value, ";")
}
// Set sets the value of the flag from a string
func (f *CustomStringSliceFlag) Set(v string) error {
for _, s := range strings.Split(v, ";") {
s = strings.TrimSpace(s)
f.Value = append(f.Value, s)
}
return nil
}