Updated cmd/kaniko-ecr/main.go

Add support for tar-path, source-tar-path and push-only operations
2026-06-16 14:49:02 +08:00 · 2025-03-20 09:37:21 +05:30 · 2025-03-17 14:02:36 +05:30 · 2025-03-11 17:34:03 +05:30
2 changed files with 77 additions and 80 deletions
@@ -12,6 +12,32 @@ pipeline:
        build: <+input>
        sparseCheckout: []
  stages:
+    - stage:
+        name: Manager Approval
+        identifier: Manager_Approval
+        description: ""
+        type: Approval
+        spec:
+          execution:
+            steps:
+              - step:
+                  name: CI Manager Approval
+                  identifier: CI_Manager_Approval
+                  type: HarnessApproval
+                  timeout: 1d
+                  spec:
+                    approvalMessage: |-
+                      Please review the following information
+                      and approve the pipeline progression
+                    includePipelineExecutionHistory: true
+                    approvers:
+                      minimumCount: 1
+                      disallowPipelineExecutor: false
+                      userGroups:
+                        - CI_Manager
+                    isAutoRejectEnabled: false
+                    approverInputs: []
+        tags: {}
    - parallel:
        - stage:
            name: linux-amd64
@@ -629,13 +655,13 @@ pipeline:
                          nodeName: manifest_<+matrix.repo>
                  - step:
                      type: Plugin
-                      name: Manifest_kaniko191
+                      name: Manifest_kaniko
                      identifier: Manifest_kaniko
                      spec:
                        connectorRef: Plugins_Docker_Hub_Connector
                        image: plugins/manifest
                        settings:
-                          auto_tag: "false"
+                          auto_tag: "true"
                          spec: docker/<+matrix.repo>/manifest-kaniko1.9.1.tmpl
                          username: drone
                          password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
@@ -653,4 +679,3 @@ pipeline:
                          nodeName: manifest_<+matrix.repo>
        when:
          pipelineStatus: Success
-  allowStageExecutions: true
@@ -879,72 +879,6 @@ func getOidcCreds(oidcToken, assumeRole string) (string, string, string, error)
 	return *result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken, nil
 }

-func createECRSession(region, accessKey, secretKey, sessionToken string) *ecrv1.ECR {
-	sess := session.Must(session.NewSession(&awsv1.Config{
-		Region: awsv1.String(region),
-		Credentials: credentials.NewStaticCredentials(
-			accessKey,
-			secretKey,
-			sessionToken,
-		),
-	}))
-	return ecrv1.New(sess)
-}
-
-func getECRCredentials(region, registry, assumeRole, externalId, accessKey, secretKey, oidcToken string) (string, string, error) {
-	if assumeRole != "" && oidcToken != "" {
-		// For OIDC auth with assume role
-		awsAccessKey, awsSecretKey, awsSessionToken, err := getOidcCreds(oidcToken, assumeRole)
-		if err != nil {
-			return "", "", fmt.Errorf("failed to get OIDC credentials: %w", err)
-		}
-
-		// Create ECR session and get auth info
-		svc := createECRSession(region, awsAccessKey, awsSecretKey, awsSessionToken)
-		username, password, _, err := getAuthInfo(svc)
-		if err != nil {
-			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
-		}
-		return username, password, nil
-	} else if assumeRole != "" {
-		// For assume role auth
-		username, password, _, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
-		if err != nil {
-			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
-		}
-		return username, password, nil
-	} else if accessKey != "" && secretKey != "" {
-		// For direct credentials
-		sess := session.Must(session.NewSession(&awsv1.Config{
-			Region: awsv1.String(region),
-			Credentials: credentials.NewStaticCredentials(
-				accessKey,
-				secretKey,
-				"",
-			),
-		}))
-		svc := ecrv1.New(sess)
-
-		username, password, _, err := getAuthInfo(svc)
-		if err != nil {
-			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
-		}
-		return username, password, nil
-	} else {
-		// For IAM role auth (default credentials)
-		sess := session.Must(session.NewSession(&awsv1.Config{
-			Region: awsv1.String(region),
-		}))
-		svc := ecrv1.New(sess)
-
-		username, password, _, err := getAuthInfo(svc)
-		if err != nil {
-			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
-		}
-		return username, password, nil
-	}
-}
-
 func handlePushOnly(c *cli.Context) error {
 	sourceTarPath := c.String("source-tar-path")
 	if sourceTarPath == "" {
@@ -967,18 +901,56 @@ func handlePushOnly(c *cli.Context) error {
 		return fmt.Errorf("failed to load image from tarball: %v", err)
 	}

-	// Get ECR credentials using the common function
-	username, password, err := getECRCredentials(
-		c.String("region"),
-		registry,
-		c.String("assume-role"),
-		c.String("external-id"),
-		c.String("access-key"),
-		c.String("secret-key"),
-		c.String("oidc-token-id"),
-	)
+	// Get ECR credentials using existing auth methods
+	var username, password string
+	var svc *ecrv1.ECR
+	if oidcToken := c.String("oidc-token-id"); oidcToken != "" && c.String("assume-role") != "" {
+		accessKey, secretKey, sessionToken, err := getOidcCreds(oidcToken, c.String("assume-role"))
+		if err != nil {
+			return fmt.Errorf("failed to get OIDC credentials: %v", err)
+		}
+		
+		sess := session.Must(session.NewSession(&awsv1.Config{
+			Region: awsv1.String(c.String("region")),
+			Credentials: credentials.NewStaticCredentials(
+				accessKey,
+				secretKey,
+				sessionToken,
+			),
+		}))
+		svc = ecrv1.New(sess)
+	} else if assumeRole := c.String("assume-role"); assumeRole != "" {
+		accessKey, secretKey, sessionToken, err := getAssumeRoleCreds(c.String("region"), assumeRole, c.String("external-id"), "")
+		if err != nil {
+			return fmt.Errorf("failed to get assume role credentials: %v", err)
+		}
+		
+		sess := session.Must(session.NewSession(&awsv1.Config{
+			Region: awsv1.String(c.String("region")),
+			Credentials: credentials.NewStaticCredentials(
+				accessKey,
+				secretKey,
+				sessionToken,
+			),
+		}))
+		svc = ecrv1.New(sess)
+	} else {
+		// Use direct credentials or IAM role
+		sess := session.Must(session.NewSession(&awsv1.Config{
+			Region: awsv1.String(c.String("region")),
+			Credentials: credentials.NewStaticCredentials(
+				c.String("access-key"),
+				c.String("secret-key"),
+				"",
+			),
+		}))
+		svc = ecrv1.New(sess)
+	}
+	
+	// Get ECR auth token using the configured session
+	username, password, _, err = getAuthInfo(svc)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get ECR credentials: %v", err)
 	}

 	// Setup crane auth
Author	SHA1	Message	Date
Ompragash Viswanathan	0d0510f029	Updated cmd/kaniko-ecr/main.go	2025-03-20 09:37:21 +05:30
Ompragash Viswanathan	e09b2ad589	Updated cmd/kaniko-ecr/main.go	2025-03-17 14:02:36 +05:30
Ompragash Viswanathan	5b4ff345a7	Add support for tar-path, source-tar-path and push-only operations	2025-03-11 17:34:03 +05:30