23 Commits

Author SHA1 Message Date
OP (oppenheimer) 594f1e2f23 fix: Consolidate platform flags to use --custom-platform and eliminate deprecation warning (#158) 2025-11-21 11:25:52 +05:30
Abhay b6428af23d fix: [CI-19672]: fix vuln issue (#155) 2025-11-14 14:27:41 +05:30
tapankarangiya f83970e37a feat: [CI-19349]: Added oidc support for ACR (#154)
* feat: [CI-18693]: Added oidc support for ACR

* feat: [CI-19349]: error handling

* feat: [CI-19349]: Refactored the code and added cli flags

* feat: [CI-19349]: Added test cases

* Update cmd/kaniko-acr/main.go

* Update cmd/kaniko-acr/main.go

* Update cmd/kaniko-acr/main.go

* feat: [CI-19349]: changed the variable names

* feat: [CI-18693]: Added error handling

* feat: [CI-19349]: removed redundant code

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>
2025-10-23 12:25:13 +05:30
Satya a1d07a3262 fix: [CI-18923]: Build argument getting split if it has a comma in the value (#153)
* added the PLUGIN_MULTIPLE_BUILD_ARGS for all registries

* added the tests and README
2025-09-15 19:04:48 +05:30
Raghav ae33ce93b8 feat: [CI-17953]: Add warning if base image connector is not provided (#152)
* [CI-17953]: Add warning if base image connector is not provided

* [CI-17953]: Add warning if base image connector is not provided

* [CI-17953]: Add warning if base image connector is not provided
2025-07-09 16:03:56 +05:30
OP (oppenheimer) a8c364c9e7 update kaniko-executor base image to 1.25.0 from chaingaurds maintained fork (#150) 2025-07-03 19:14:28 +05:30
OP (oppenheimer) a879280371 push-only support to Kaniko ACR (#148) 2025-06-03 22:17:47 +05:30
OP (oppenheimer) 809fadc203 feat: [CI-17517]: Add push-only support for Kaniko-GAR (#147)
* Add push-only support to Kaniko-GAR

* Refactor GAR authentication and crane push to use Application Default Credentials

* Add robust GAR authentication with Docker config and crane options

* GAR authentication setup and remove redundant logging statements
2025-05-13 21:30:09 +05:30
ompragash.viswanathan@harness.io 87ca9fe1b7 Update pipeline drone-kaniko-harness 2025-05-12 20:38:33 +05:30
OP (oppenheimer) a091f2ad04 ECR auth for push-only operation + code refactoring (#144) 2025-04-25 18:11:30 +05:30
OP (oppenheimer) af2add0aa5 Update pipeline drone-kaniko-harness (#143) 2025-04-09 19:24:48 +05:30
OP (oppenheimer) 58bd727c07 feat: [CI-16588]: Add support to PLUGIN_TAR_PATH, PLUGIN_SOURCE_TAR_PATH and PLUGIN_PUSH_ONLY to kaniko-ecr (#141)
* Add support for tar-path, source-tar-path and push-only operations

* Updated cmd/kaniko-ecr/main.go

* Updated cmd/kaniko-ecr/main.go

* Update cmd/kaniko-ecr/main.go
2025-03-24 21:31:18 +05:30
ci-reporunner a73b8ee28d Update pipeline drone-kaniko-harness (#142)
Co-authored-by: ompragash.viswanathan@harness.io <ompragash.viswanathan@harness.io>
2025-03-20 19:10:13 +05:30
OP (oppenheimer) b826c7f408 feat: [CI-16392]: Authenticate And Pull Private Base Images when NO_PUSH is enabled (#140) 2025-03-06 20:32:35 +05:30
ci-reporunner e56198f84c Create pipeline drone-kaniko-harness (#136) 2025-03-04 19:18:44 +05:30
Devansh Mathur d6153866df feat: [CI-16330]: Adding default OutputFile as DRONE_OUTPUT. (#139)
* Adding default OutputFile as DRONE_OUTPUT.

* Removing if checks and optimizing setting up of default OutputFile as DRONE_OUTPUT.
2025-03-03 18:05:21 +05:30
OP (oppenheimer) 30e1ea9fd8 Update main.go (#138) 2025-02-07 14:28:32 +05:30
OP (oppenheimer) 0fb726616e feat: [CI-16193]: Support multiple ignore paths (#137)
* add new input ignore_paths to accept multiple values

* Support new input ignore_paths to all the supported versions of Kaniko
2025-02-07 11:46:23 +05:30
OP (oppenheimer) 334f6191d1 Add Push-only support to Kaniko (Docker) (#135) 2024-12-20 11:17:28 +05:30
sahithibanda01 a3af953651 fix: [CI-14845]: support for build args which has comma seperated values (#133) 2024-11-29 13:12:39 +05:30
Anshika Anand e6ab8aa3c0 feat:[CI-15236]: Added IMAGE_TAR_PATH as output variable for the plugin. (#132)
* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Test commit.

* feat:[CI-15236]: Test commit.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Directory check and UTs.

* Update pkg/output/output.go

* feat:[CI-15236]: fixes

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: If tarPath directory no present it will create it.

* feat:[CI-15236]: If tarPath directory no present it will create it.

* feat:[CI-15236]: fixes

* Update kaniko.go

removed as getTarPath is only called when tarPath isn't empty

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>
2024-11-28 18:31:10 +05:30
Abhay 113a61b0e1 feat: [Ci-14242]: add oidc support for ecr (#131)
* feat: [Ci-14242]: add oidc support for ecr

* fix: [CI-14242]: error handling for oidc kakniko-ecr
2024-10-17 01:51:09 +05:30
rahkumar56 982c141391 feat: [CI-13961]: Upgraded gcr.io/kaniko-project/executor version to v1.23.2. (#125) 2024-09-09 11:23:40 +05:30
33 changed files with 3713 additions and 232 deletions
+14
@@ -0,0 +1,14 @@
inputSet:
name: event-PR
identifier: eventPR
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: PR
spec:
number: <+trigger.prNumber>
+14
@@ -0,0 +1,14 @@
inputSet:
name: event-Push
identifier: eventPush
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: branch
spec:
branch: <+trigger.branch>
+14
@@ -0,0 +1,14 @@
inputSet:
name: event-Tag
identifier: eventTag
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: tag
spec:
tag: <+trigger.tag>
+656
@@ -0,0 +1,656 @@
pipeline:
name: drone-kaniko-harness
identifier: dronekanikoharness
projectIdentifier: Drone_Plugins
orgIdentifier: default
tags: {}
properties:
ci:
codebase:
connectorRef: GitHub_Drone_Org
repoName: drone-kaniko
build: <+input>
sparseCheckout: []
stages:
- parallel:
- stage:
name: linux-amd64
identifier: linuxamd64
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Amd64
runtime:
type: Cloud
spec: {}
execution:
steps:
- step:
type: Run
name: Build Binary
identifier: Build
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: golang:1.23.0
shell: Sh
command: |-
go test ./...
sh scripts/build.sh
- parallel:
- step:
type: Plugin
name: BuildAndPushDockerTag
identifier: BuildAndPushDockerTag
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
auto_tag: "true"
auto_tag_suffix: linux-amd64
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
- "-acr"
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gcr"
repo: acr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-gar"
repo: acr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
- image: "-ecr"
repo: acr
- image: "-acr"
repo: docker
- image: "-acr"
repo: gcr
- image: "-acr"
repo: gar
- image: "-acr"
repo: ecr
nodeName: _<+matrix.repo>
- step:
type: Plugin
name: BuildAndPushDockerTag_Kaniko
identifier: BuildAndPushDockerTag_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
auto_tag: "true"
auto_tag_suffix: linux-amd64-kaniko1.9.1
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
nodeName: <+matrix.repo>
- parallel:
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch
identifier: BuildAndPushDockerBranch
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-amd64
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
- "-acr"
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gcr"
repo: acr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-gar"
repo: acr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
- image: "-ecr"
repo: acr
- image: "-acr"
repo: docker
- image: "-acr"
repo: gcr
- image: "-acr"
repo: gar
- image: "-acr"
repo: ecr
nodeName: <+matrix.repo>
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch_Kaniko
identifier: BuildAndPushDockerBranch_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-amd64-kaniko1.9.1
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
nodeName: _<+matrix.repo>
when:
pipelineStatus: Success
- stage:
name: linux-arm64
identifier: linuxarm64
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Arm64
runtime:
type: Cloud
spec: {}
execution:
steps:
- step:
type: Run
name: Build Binary
identifier: Build_and_Test
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: golang:1.23.0
shell: Sh
command: |-
go test ./...
sh scripts/build.sh
- parallel:
- step:
type: Plugin
name: BuildAndPushDockerTag
identifier: BuildAndPushDockerTag
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
auto_tag: "true"
auto_tag_suffix: linux-arm64
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
- "-acr"
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gcr"
repo: acr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-gar"
repo: acr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
- image: "-ecr"
repo: acr
- image: "-acr"
repo: docker
- image: "-acr"
repo: gcr
- image: "-acr"
repo: gar
- image: "-acr"
repo: ecr
nodeName: _<+matrix.repo>
- step:
type: Plugin
name: BuildAndPushDockerTag_Kaniko
identifier: BuildAndPushDockerTag_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
auto_tag: "true"
auto_tag_suffix: linux-arm64-kaniko1.9.1
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
nodeName: _<+matrix.repo>
- parallel:
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch
identifier: BuildAndPushDockerBranch
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-arm64
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
- "-acr"
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gcr"
repo: acr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-gar"
repo: acr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
- image: "-ecr"
repo: acr
- image: "-acr"
repo: docker
- image: "-acr"
repo: gcr
- image: "-acr"
repo: gar
- image: "-acr"
repo: ecr
nodeName: <+matrix.repo>
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch_Kaniko
identifier: BuildAndPushDockerBranch_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-arm64-kaniko1.9.1
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
nodeName: _<+matrix.repo>
when:
pipelineStatus: Success
- stage:
name: Manifest
identifier: Manifest
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Amd64
runtime:
type: Cloud
spec: {}
execution:
steps:
- parallel:
- step:
type: Plugin
name: Manifest
identifier: Manifest
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/manifest
settings:
auto_tag: "true"
spec: docker/<+matrix.repo>/manifest.tmpl
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
ignore_missing: "true"
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
strategy:
matrix:
repo:
- docker
- gcr
- gar
- ecr
- acr
nodeName: manifest_<+matrix.repo>
- step:
type: Plugin
name: Manifest_kaniko191
identifier: Manifest_kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/manifest
settings:
auto_tag: "false"
spec: docker/<+matrix.repo>/manifest-kaniko1.9.1.tmpl
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
ignore_missing: "true"
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
strategy:
matrix:
repo:
- docker
- gcr
- gar
- ecr
nodeName: manifest_<+matrix.repo>
when:
pipelineStatus: Success
allowStageExecutions: true
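Review bot: The steps that receive `<+secrets.getValue("Plugins_Docker_Hub_Pat")>` run `image: plugins/docker` and `image: plugins/manifest` with no tag or digest, so whatever those repositories serve at run time is the code that handles the Docker Hub token and publishes the release images. Pinning each to an immutable digest, e.g. `image: plugins/docker@sha256:<digest-placeholder>`, keeps the publishing path reproducible and makes an upstream image change a reviewed edit rather than a silent one. The same applies to `image: golang:1.23.0` in the Build Binary steps, which is a mutable tag. This affects both the linux-amd64 and linux-arm64 stages and the Manifest stage.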
+73 -2
@@ -5,6 +5,7 @@ Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko
Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.
Run the following script to install git-leaks support to this repo.
```
chmod +x ./git-hooks/install.sh
./git-hooks/install.sh
@@ -35,7 +36,7 @@ docker build \
--label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
--file docker/docker/Dockerfile.linux.amd64 --tag plugins/kaniko .
docker build \
--label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
@@ -52,7 +53,73 @@ docker build \
--file docker/ecr/Dockerfile.linux.amd64 --tag plugins/kaniko-ecr .
```
### Enhanced Build Arguments Support
The drone-kaniko plugin now supports an improved build arguments system with the `CustomStringSliceFlag` implementation. This feature provides a more flexible way to pass multiple build arguments to your Docker builds.
#### Multiple Build Arguments with Semicolon Delimiter
A new custom CLI flag type that allows passing multiple build arguments using semicolon (`;`) as a delimiter. This flag is available across all registry implementations:
- `kaniko-docker`
- `kaniko-gcr` (Google Container Registry)
- `kaniko-ecr` (Amazon Elastic Container Registry)
- `kaniko-acr` (Azure Container Registry)
- `kaniko-gar` (Google Artifact Registry)
**Usage:**
```console
docker run --rm \
-e PLUGIN_BUILD_ARGS_NEW="ARG1=value1;ARG2=value2;ARG3=value3" \
-e PLUGIN_REPO=foo/bar \
-v $(pwd):/drone \
-w /drone \
plugins/kaniko:linux-amd64
```
#### For build args containing commas
When your build arguments contain commas, enable the `PLUGIN_MULTIPLE_BUILD_ARGS` flag:
```console
docker run --rm \
-e PLUGIN_MULTIPLE_BUILD_ARGS=true \
-e PLUGIN_BUILD_ARGS_NEW="KEY1=value,with,comma;KEY2=another,value" \
-e PLUGIN_REPO=foo/bar \
-v $(pwd):/drone \
-w /drone \
plugins/kaniko:linux-amd64
```
## Usage
### Operation Modes
Default Mode (Build and Push):
When neither `no_push` nor `push_only` is provided. Plugin builds and pushes the Docker image to a container registry.
Build-Only Mode (no-push):
When `no_push` is true and `destination_tar_path` is defined.
Plugin performs only the image build operation and saves the resulting image tarball to the specified `destination_tar_path`
It does not push the image to any registry.
Push-Only Mode (push-only):
When `push_only` is true and `source_tar_path` is defined.
Plugin loads an existing image tarball from the specified `source_tar_path`
and pushes the loaded image to a Container Registry.
It skips the build process.
### Mutually Exclusive Inputs
If both `no_push` and `push_only` inputs are provided, the plugin will:
Terminate the operation and
throw an error with the message: "Inputs no-push and push-only cannot be used together. Please define only one."
### Manual Tagging
```console
@@ -79,6 +146,7 @@ docker run --rm \
-w /drone \
plugins/kaniko:linux-amd64
```
would both be equivalent to
```
@@ -88,7 +156,7 @@ PLUGIN_TAGS=1,1.2,1.2.3,latest
This allows for passing `$DRONE_TAG` directly as a tag for repos that use [semver](https://semver.org) tags.
To avoid confusion between repo tags and image tags, `PLUGIN_EXPAND_TAG` also recognizes a semantic version
without the `v` prefix. As such, the following is also equivalent to the above:
without the `v` prefix. As such, the following is also equivalent to the above:
```console
docker run --rm \
@@ -100,6 +168,7 @@ docker run --rm \
```
### Auto Tagging
The [auto tag feature](https://plugins.drone.io/drone-plugins/drone-docker) of docker plugin is also supported.
When auto tagging is enabled, if any of the case is matched below, a docker build will be pushed with auto generated tags. Otherwise the docker build will be skipped.
@@ -121,6 +190,7 @@ docker run --rm \
```
Tags to push:
- 1.2.3
- 1.2
- 1
@@ -141,4 +211,5 @@ docker run --rm \
```
Tags to push:
- latest
+227 -35
@@ -13,13 +13,17 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/crane"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
kaniko "github.com/drone/drone-kaniko"
azureutil "github.com/drone/drone-kaniko/internal/azure"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
)
const (
@@ -96,6 +100,17 @@ func main() {
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
cli.BoolFlag{
Name: "plugin-multiple-build-agrs",
Usage: "plugin multiple build agrs",
EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",
Usage: "build target",
@@ -154,7 +169,7 @@ func main() {
cli.StringFlag{
Name: "tenant-id",
Usage: "Azure Tenant Id",
EnvVar: "TENANT_ID",
EnvVar: "TENANT_ID,AZURE_TENANT_ID,PLUGIN_TENANT_ID",
},
cli.StringFlag{
Name: "subscription-id",
@@ -163,8 +178,18 @@ func main() {
},
cli.StringFlag{
Name: "client-id",
Usage: "Azure Client Id",
EnvVar: "CLIENT_ID",
Usage: "Azure Client ID (also called App ID)",
EnvVar: "CLIENT_ID,AZURE_CLIENT_ID,PLUGIN_CLIENT_ID,AZURE_APP_ID",
},
cli.StringFlag{
Name: "oidc-token-id",
Usage: "OIDC ID token to exchange for Azure AD access token (federated credentials)",
EnvVar: "PLUGIN_OIDC_TOKEN_ID",
},
cli.StringFlag{
Name: "azure-authority-host",
Usage: "Azure authority host base URL (e.g., https://login.microsoftonline.com, https://login.microsoftonline.us)",
EnvVar: "AZURE_AUTHORITY_HOST",
},
cli.StringFlag{
Name: "snapshot-mode",
@@ -206,6 +231,21 @@ func main() {
Usage: "Set this flag if you only want to build the image, without pushing to a registry",
EnvVar: "PLUGIN_NO_PUSH",
},
cli.BoolFlag{
Name: "push-only",
Usage: "Set this flag if you only want to push a pre-built image from a tarball",
EnvVar: "PLUGIN_PUSH_ONLY",
},
cli.StringFlag{
Name: "source-tar-path",
Usage: "Path to the local tarball to be pushed when push-only is set",
EnvVar: "PLUGIN_SOURCE_TAR_PATH",
},
cli.StringFlag{
Name: "tar-path",
Usage: "Set this flag to save the image as a tarball at path",
EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
},
cli.StringFlag{
Name: "verbosity",
Usage: "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -214,7 +254,7 @@ func main() {
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
EnvVar: "PLUGIN_PLATFORM,PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
@@ -252,11 +292,6 @@ func main() {
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
@@ -380,12 +415,25 @@ func main() {
}
func run(c *cli.Context) error {
// Check if push-only flag is set
if c.Bool("push-only") {
return handlePushOnly(c)
}
registry := c.String("registry")
noPush := c.Bool("no-push")
publicUrl, err := setupAuth(
c.String("tenant-id"),
c.String("client-id"),
clientID := c.String("client-id")
tenantID := c.String("tenant-id")
oidcIdToken := c.String("oidc-token-id")
authorityHost := c.String("azure-authority-host")
var publicUrl string
var err error
publicUrl, err = setupAuth(
tenantID,
clientID,
oidcIdToken,
c.String("client-cert"),
c.String("client-secret"),
c.String("subscription-id"),
@@ -393,6 +441,7 @@ func run(c *cli.Context) error {
c.String("base-image-username"),
c.String("base-image-password"),
c.String("base-image-registry"),
authorityHost,
noPush,
)
if err != nil {
@@ -410,6 +459,8 @@ func run(c *cli.Context) error {
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
ArgsNew: c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
IsMultipleBuildArgs: c.Bool("plugin-multiple-build-agrs"),
Target: c.String("target"),
Repo: c.String("repo"),
Mirrors: c.StringSlice("registry-mirrors"),
@@ -421,14 +472,13 @@ func run(c *cli.Context) error {
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
CustomPlatform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
@@ -451,6 +501,7 @@ func run(c *cli.Context) error {
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
},
@@ -470,36 +521,75 @@ func run(c *cli.Context) error {
flag := c.Bool("ignore-var-run")
plugin.Build.IgnoreVarRun = &flag
}
// Set tar-path if provided
if c.IsSet("tar-path") {
plugin.Build.TarPath = c.String("tar-path")
}
return plugin.Exec()
}
func setupAuth(tenantId, clientId, cert,
clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry string, noPush bool) (string, error) {
func setupAuth(tenantId, clientId, oidcIdToken, cert,
clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry, authorityHost string, noPush bool) (string, error) {
if registry == "" {
return "", fmt.Errorf("registry must be specified")
}
if noPush {
return "", nil
// Determine auth path: OIDC or Service Principal (secret/cert)
if tenantId == "" || clientId == "" {
if noPush {
logrus.Warnf("NO_PUSH mode: tenantId or clientId not provided")
return "", nil
}
return "", fmt.Errorf("tenantId and clientId must be provided")
}
// case of client secret or cert based auth
if clientId != "" {
// only setup auth when pushing or credentials are defined
var aadAccessToken string
var acrToken string
var publicUrl string
var err error
token, publicUrl, err := getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
if oidcIdToken != "" {
// Exchange OIDC ID token for AAD access token via client_assertion
aadAccessToken, err = azureutil.GetAADAccessTokenViaClientAssertion(context.Background(), tenantId, clientId, oidcIdToken, authorityHost)
if err != nil {
return "", errors.Wrap(err, "failed to fetch ACR Token")
return handleError(noPush, err, "failed to get AAD token via OIDC")
}
// setup docker config for azure registry and base image docker registry
if err := setDockerAuth(username, token, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
return "", errors.Wrap(err, "failed to create docker config")
publicUrl, err = getPublicUrl(aadAccessToken, registry, subscriptionId)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
}
// Exchange AAD access token to ACR refresh token
acrToken, err = fetchACRToken(tenantId, aadAccessToken, registry)
if err != nil {
return handleError(noPush, err, "failed to fetch ACR token")
}
} else if clientSecret != "" || cert != "" {
acrToken, publicUrl, err = getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
if err != nil {
return handleError(noPush, err, "failed to fetch ACR Token")
}
return publicUrl, nil
} else {
if noPush {
return "", nil
}
return "", fmt.Errorf("managed authentication is not supported")
}
if err := setDockerAuth(username, acrToken, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
return handleError(noPush, err, "failed to create docker config")
}
return publicUrl, nil
}
// Error handling
func handleError(noPush bool, err error, msg string) (string, error) {
if noPush {
logrus.Warnf("NO_PUSH mode: %s: %v", msg, err)
return "", nil
}
return "", errors.Wrap(err, msg)
}
func getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry string) (string, string, error) {
@@ -675,21 +765,123 @@ func setDockerAuth(username, password, registry, dockerUsername, dockerPassword,
Password: password,
}
pullFromRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
credentials := []docker.RegistryCredentials{pushToRegistryCreds}
if dockerRegistry != "" {
pullFromRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
}
credentials = append(credentials, pullFromRegistryCreds)
} else {
fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
}
credentials := []docker.RegistryCredentials{pushToRegistryCreds, pullFromRegistryCreds}
return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
}
func encodeParam(s string) string {
return url.QueryEscape(s)
}
func handlePushOnly(c *cli.Context) error {
// Validate inputs for push-only operation
sourceTarPath := c.String("source-tar-path")
if sourceTarPath == "" {
return fmt.Errorf("source_tar_path is required when push_only is set")
}
if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
}
repo := c.String("repo")
registry := c.String("registry")
if repo == "" || registry == "" {
return fmt.Errorf("repository and registry must be specified for push-only operation")
}
// Resolve Azure client/tenant and OIDC via CLI flags
clientID := c.String("client-id")
tenantID := c.String("tenant-id")
oidcIdToken := c.String("oidc-token-id")
authorityHost := c.String("azure-authority-host")
var publicUrl string
var err error
publicUrl, err = setupAuth(
tenantID,
clientID,
oidcIdToken,
c.String("client-cert"),
c.String("client-secret"),
c.String("subscription-id"),
registry,
c.String("base-image-username"),
c.String("base-image-password"),
c.String("base-image-registry"),
authorityHost,
false,
)
if err != nil {
return err
}
// Load the image from the tarball
logrus.Infof("Loading image from tarball: %s", sourceTarPath)
img, err := crane.Load(sourceTarPath)
if err != nil {
return fmt.Errorf("failed to load image from tarball: %v", err)
}
// Check if the Docker config directory exists (should have been created by setupAuth)
if _, err := os.Stat(dockerConfigPath); os.IsNotExist(err) {
return fmt.Errorf("Docker config directory does not exist: %v", err)
} else if err != nil {
return fmt.Errorf("error checking Docker config directory: %v", err)
}
// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
if err := os.Setenv("DOCKER_CONFIG", dockerConfigPath); err != nil {
return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
}
// Setup crane options
opts := []crane.Option{
crane.WithAuthFromKeychain(authn.DefaultKeychain),
}
// Push for each tag
tags := c.StringSlice("tags")
if len(tags) == 0 {
tags = []string{"latest"}
}
// Use the registry from setupAuth if publicUrl is available, otherwise use the provided registry
pushRegistry := registry
if publicUrl != "" {
logrus.Infof("Using public URL for pushing: %s", publicUrl)
// Extract just the registry part from the full URL if needed
// This depends on the format of publicUrl, adjust parsing as needed
pushRegistry = publicUrl
}
for _, tag := range tags {
dest := fmt.Sprintf("%s/%s:%s", pushRegistry, repo, tag)
logrus.Infof("Pushing image to: %s", dest)
if err := crane.Push(img, dest, opts...); err != nil {
return fmt.Errorf("failed to push image to %s: %v", dest, err)
}
logrus.Infof("Successfully pushed image to %s", dest)
}
return nil
}
type strct struct {
Value []struct {
ID string `json:"id"`
+234 -1
@@ -9,7 +9,9 @@ import (
"testing"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
"github.com/stretchr/testify/assert"
"github.com/urfave/cli"
)
const (
@@ -153,4 +155,235 @@ func TestCreateDockerConfigWithoutBaseRegistry(t *testing.T) {
// Check if the public Docker Hub auth is not set
_, exists := config.Auths[""]
assert.False(t, exists)
}
}
func TestCustomStringSliceFlagIntegration(t *testing.T) {
tests := []struct {
name string
input string
expected []string
}{
{
name: "single build arg",
input: "ARG1=value1",
expected: []string{"ARG1=value1"},
},
{
name: "multiple build args with semicolon",
input: "ARG1=value1;ARG2=value2;ARG3=value3",
expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
},
{
name: "build args with spaces",
input: "ARG1=value with spaces;ARG2=another value",
expected: []string{"ARG1=value with spaces", "ARG2=another value"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Test the CustomStringSliceFlag directly
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.input)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
result := flag.GetValue()
if len(result) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
return
}
for i, expected := range tt.expected {
if result[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
}
}
})
}
}
func TestCLIIntegrationWithCustomFlag(t *testing.T) {
// Test CLI integration with proper flag setup
tests := []struct {
name string
args []string
expected []string
}{
{
name: "CLI with single arg",
args: []string{"acr-test", "--args-new", "ARG1=value1"},
expected: []string{"ARG1=value1"},
},
{
name: "CLI with multiple args",
args: []string{"acr-test", "--args-new", "ARG1=value1;ARG2=value2"},
expected: []string{"ARG1=value1", "ARG2=value2"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
app := cli.NewApp()
app.Name = "acr-test"
var capturedArgs []string
app.Flags = []cli.Flag{
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
}
app.Action = func(c *cli.Context) error {
if genericFlag := c.Generic("args-new"); genericFlag != nil {
if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
capturedArgs = customFlag.GetValue()
}
}
return nil
}
err := app.Run(tt.args)
if err != nil {
t.Errorf("CLI run error = %v, want nil", err)
return
}
if len(capturedArgs) != len(tt.expected) {
t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
return
}
for i, expected := range tt.expected {
if capturedArgs[i] != expected {
t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
}
}
})
}
}
func TestACRBuildArgsProcessing(t *testing.T) {
// Test that build args are correctly processed in the context of ACR plugin
tests := []struct {
name string
argsNew string
expectedCount int
expectedFirst string
}{
{
name: "docker build args format",
argsNew: "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
expectedCount: 3,
expectedFirst: "GOOS=linux",
},
{
name: "azure specific args",
argsNew: "AZURE_TENANT_ID=tenant123;AZURE_CLIENT_ID=client456",
expectedCount: 2,
expectedFirst: "AZURE_TENANT_ID=tenant123",
},
{
name: "single complex arg with special characters",
argsNew: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
expectedCount: 1,
expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
flag := &utils.CustomStringSliceFlag{}
err := flag.Set(tt.argsNew)
if err != nil {
t.Errorf("Set() error = %v, want nil", err)
return
}
args := flag.GetValue()
if len(args) != tt.expectedCount {
t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
return
}
if len(args) > 0 && args[0] != tt.expectedFirst {
t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
}
})
}
}
func TestACRAuthenticationFlow(t *testing.T) {
// Test that ACR authentication works with build args
tests := []struct {
name string
tenantId string
clientId string
clientSecret string
expectError bool
}{
{
name: "missing tenant id",
tenantId: "",
clientId: "client123",
clientSecret: "secret456",
expectError: true,
},
{
name: "missing client id",
tenantId: "tenant123",
clientId: "",
clientSecret: "secret456",
expectError: true,
},
{
name: "missing client secret",
tenantId: "tenant123",
clientId: "client456",
clientSecret: "",
expectError: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// This test validates the parameter validation logic
// without actually making network calls
if tt.tenantId == "" && !tt.expectError {
t.Error("Expected error for missing tenant ID")
}
if tt.clientId == "" && !tt.expectError {
t.Error("Expected error for missing client ID")
}
if tt.clientSecret == "" && !tt.expectError {
t.Error("Expected error for missing client secret")
}
})
}
}
func TestSetupAuth_RegistryMustBeSpecified(t *testing.T) {
pub, err := setupAuth("tenant", "client", "", "", "", "sub", "", "", "", "", "", false)
assert.Error(t, err)
assert.Contains(t, err.Error(), "registry must be specified")
assert.Equal(t, "", pub)
}
func TestSetupAuth_MissingTenantOrClient(t *testing.T) {
pub, err := setupAuth("tenant", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", false)
assert.Error(t, err)
assert.Contains(t, err.Error(), "tenantId and clientId must be provided")
assert.Equal(t, "", pub)
}
func TestSetupAuth_NoCreds_NoPushTrue(t *testing.T) {
pub, err := setupAuth("tenant", "client", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", true)
assert.NoError(t, err)
assert.Equal(t, "", pub)
}
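Review bot: TestACRAuthenticationFlow never calls the authentication code it is named after. Each subtest only compares the table's own fields, and because every case sets expectError to true, none of the three `if` conditions can fire, so the test passes whatever setupAuth does with a missing tenant, client or secret. Drive the real validation instead, for example `_, err := setupAuth(tt.tenantId, tt.clientId, "", "", tt.clientSecret, "sub", "myregistry.azurecr.io", "", "", "", "", false)` followed by `assert.Equal(t, tt.expectError, err != nil)`. The argument order is taken from the setupAuth call in handlePushOnly and the TestSetupAuth_* tests. Whether the missing-secret case is rejected before any network call is not visible here, so confirm that before relying on it in a unit test.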
+40 -9
@@ -1,6 +1,7 @@
package main
import (
"fmt"
"os"
"strings"
@@ -12,6 +13,7 @@ import (
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/drone/drone-kaniko/pkg/utils"
)
const (
@@ -101,6 +103,17 @@ func main() {
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(utils.CustomStringSliceFlag),
},
cli.BoolFlag{
Name: "plugin-multiple-build-agrs",
Usage: "plugin multiple build agrs",
EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",