diff --git a/cmd/kaniko-acr/main.go b/cmd/kaniko-acr/main.go index 0fe39bd..ab53d1d 100644 --- a/cmd/kaniko-acr/main.go +++ b/cmd/kaniko-acr/main.go @@ -480,26 +480,29 @@ func setupAuth(tenantId, clientId, cert, return "", fmt.Errorf("registry must be specified") } - if noPush { - return "", nil - } + if !noPush { + // When pushing is enabled, do the full token-based authentication. + if clientId != "" { + token, publicUrl, err := getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry) + if err != nil { + return "", errors.Wrap(err, "failed to fetch ACR Token") + } - // case of client secret or cert based auth - if clientId != "" { - // only setup auth when pushing or credentials are defined - - token, publicUrl, err := getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry) - if err != nil { - return "", errors.Wrap(err, "failed to fetch ACR Token") + // Set up docker config with credentials for both push and pull. + if err := setDockerAuth(username, token, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil { + return "", errors.Wrap(err, "failed to create docker config") + } + return publicUrl, nil + } else { + return "", fmt.Errorf("managed authentication is not supported") } - - // setup docker config for azure registry and base image docker registry - if err := setDockerAuth(username, token, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil { - return "", errors.Wrap(err, "failed to create docker config") - } - return publicUrl, nil } else { - return "", fmt.Errorf("managed authentication is not supported") + // When no-push is enabled, we still need to set up pull credentials. + // We do not fetch a token (since we are not pushing) so we pass an empty string for push credentials. + if err := setDockerAuth(username, "", registry, dockerUsername, dockerPassword, dockerRegistry); err != nil { + return "", errors.Wrap(err, "failed to create docker config for pulling base image") + } + return "", nil } }