third/plugin-drone-kaniko
1
0
Fork 0
mirror of https://github.com/drone/drone-kaniko.git synced 2026-06-04 18:23:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: third/plugin-drone-kaniko:fix_manifest_spec
Branches Tags
third/plugin-drone-kaniko:main third/plugin-drone-kaniko:CI-22323 third/plugin-drone-kaniko:main-patch-1 third/plugin-drone-kaniko:ci-14073 third/plugin-drone-kaniko:CI-20230-go-version-update third/plugin-drone-kaniko:CI-20230 third/plugin-drone-kaniko:CI-19670-1 third/plugin-drone-kaniko:CI-19933 third/plugin-drone-kaniko:CI-19670 third/plugin-drone-kaniko:CI-19672 third/plugin-drone-kaniko:CI-18923 third/plugin-drone-kaniko:CI-18100 third/plugin-drone-kaniko:CI-17708 third/plugin-drone-kaniko:CI-17517 third/plugin-drone-kaniko:CI-17122 third/plugin-drone-kaniko:main-patch third/plugin-drone-kaniko:harness-ci-patch third/plugin-drone-kaniko:CI-16588 third/plugin-drone-kaniko:CI-16392 third/plugin-drone-kaniko:CI-16330 third/plugin-drone-kaniko:CI-16193-fix third/plugin-drone-kaniko:CI-16193 third/plugin-drone-kaniko:CI-15946 third/plugin-drone-kaniko:CI-15370 third/plugin-drone-kaniko:CI-14845 third/plugin-drone-kaniko:CI-14242-2 third/plugin-drone-kaniko:scheduled_go_upgrade2024-09-20_01-08-13 third/plugin-drone-kaniko:scheduled_go_upgrade2024-09-13_01-07-18 third/plugin-drone-kaniko:scheduled_go_upgrade2024-09-06_01-05-27 third/plugin-drone-kaniko:CI-13961 third/plugin-drone-kaniko:scheduled_go_upgrade2024-08-30_01-05-43 third/plugin-drone-kaniko:scheduled_go_upgrade2024-08-23_01-04-53 third/plugin-drone-kaniko:scheduled_go_upgrade2024-08-16_01-05-35 third/plugin-drone-kaniko:CI-13178_go_upgrade_minor third/plugin-drone-kaniko:CI-13178_go_upgrade third/plugin-drone-kaniko:go_upgrade_1_22_42024-07-02_08-12-32 third/plugin-drone-kaniko:kaniko-flag-fix third/plugin-drone-kaniko:go_upgrade_1_22_42024-07-01_10-25-21 third/plugin-drone-kaniko:go_upgrade_1_22_42024-07-01_10-47-35 third/plugin-drone-kaniko:CI-10849 third/plugin-drone-kaniko:CI-11358 third/plugin-drone-kaniko:scheduled_go_upgrade2024-03-04_08-03-22 third/plugin-drone-kaniko:newargs third/plugin-drone-kaniko:addargs third/plugin-drone-kaniko:follow_next_link third/plugin-drone-kaniko:dockerignore third/plugin-drone-kaniko:fix_panic third/plugin-drone-kaniko:ci-10525 third/plugin-drone-kaniko:ci-9254 third/plugin-drone-kaniko:aman/revert third/plugin-drone-kaniko:aman/fix-drone-ver third/plugin-drone-kaniko:new third/plugin-drone-kaniko:smjt-h-patch-1 third/plugin-drone-kaniko:support_1-9-1 third/plugin-drone-kaniko:aman/rename-config third/plugin-drone-kaniko:aman/fix-config third/plugin-drone-kaniko:aman/fix-docker-plugin third/plugin-drone-kaniko:aman-fix-acr third/plugin-drone-kaniko:aman/acrInteg third/plugin-drone-kaniko:ecr_update third/plugin-drone-kaniko:fix_assume_role third/plugin-drone-kaniko:ecr_assume_role third/plugin-drone-kaniko:kaniko_ver_upgrade third/plugin-drone-kaniko:expand_repo third/plugin-drone-kaniko:rm_autotag_v1-8 third/plugin-drone-kaniko:fix_manifest_spec third/plugin-drone-kaniko:fix_drone_yml third/plugin-drone-kaniko:fix_yml third/plugin-drone-kaniko:kaniko_1-8_img third/plugin-drone-kaniko:upgrade_kaniko_ver third/plugin-drone-kaniko:custom_platform third/plugin-drone-kaniko:gcr_cred_inherit third/plugin-drone-kaniko:upgrade_go_version third/plugin-drone-kaniko:add_verbosity third/plugin-drone-kaniko:update_cache_repo third/plugin-drone-kaniko:fix_remote_cache third/plugin-drone-kaniko:remote_cache third/plugin-drone-kaniko:cache third/plugin-drone-kaniko:update_yaml third/plugin-drone-kaniko:snapshot_mode third/plugin-drone-kaniko:test_kaniko third/plugin-drone-kaniko:fix_pipeline third/plugin-drone-kaniko:improve_err third/plugin-drone-kaniko:ecr_iam third/plugin-drone-kaniko:fix_label third/plugin-drone-kaniko:fix_ecr third/plugin-drone-kaniko:fix_gcr third/plugin-drone-kaniko:v2_registry third/plugin-drone-kaniko:fix_build_script third/plugin-drone-kaniko:fix_image third/plugin-drone-kaniko:version_update
third/plugin-drone-kaniko:v1.13.7 third/plugin-drone-kaniko:v1.13.7-debug third/plugin-drone-kaniko:v1.13.6 third/plugin-drone-kaniko:v1.13.5 third/plugin-drone-kaniko:v1.13.4 third/plugin-drone-kaniko:v1.13.3 third/plugin-drone-kaniko:v1.13.2 third/plugin-drone-kaniko:v1.13.1 third/plugin-drone-kaniko:v1.13.0 third/plugin-drone-kaniko:v1.12.0 third/plugin-drone-kaniko:v1.11.5 third/plugin-drone-kaniko:v1.11.5-debug-1 third/plugin-drone-kaniko:v1.11.5-debug third/plugin-drone-kaniko:v1.11.4 third/plugin-drone-kaniko:v1.11.3 third/plugin-drone-kaniko:v1.11.3-debug third/plugin-drone-kaniko:v1.11.2 third/plugin-drone-kaniko:v1.11.2-debug third/plugin-drone-kaniko:v1.11.1 third/plugin-drone-kaniko:v1.11.1-debug3 third/plugin-drone-kaniko:v1.11.1-debug third/plugin-drone-kaniko:v1.11.0 third/plugin-drone-kaniko:v1.11.0-debug third/plugin-drone-kaniko:v1.10.9 third/plugin-drone-kaniko:v1.10.8 third/plugin-drone-kaniko:v1.10.8-debug third/plugin-drone-kaniko:v1.10.7 third/plugin-drone-kaniko:v1.10.7-debug third/plugin-drone-kaniko:v1.10.6 third/plugin-drone-kaniko:v1.10.6-debug third/plugin-drone-kaniko:v1.10.5 third/plugin-drone-kaniko:v1.10.4 third/plugin-drone-kaniko:v1.10.3 third/plugin-drone-kaniko:v1.10.2 third/plugin-drone-kaniko:v1.10.1 third/plugin-drone-kaniko:v1.10.0-debug third/plugin-drone-kaniko:v1.10.0 third/plugin-drone-kaniko:v1.9.0 third/plugin-drone-kaniko:v1.8.10 third/plugin-drone-kaniko:v1.8.9 third/plugin-drone-kaniko:v1.8.8 third/plugin-drone-kaniko:1.8.7 third/plugin-drone-kaniko:v1.8.6 third/plugin-drone-kaniko:v1.8.5 third/plugin-drone-kaniko:v1.8.4 third/plugin-drone-kaniko:v1.8.3 third/plugin-drone-kaniko:v1.8.2 third/plugin-drone-kaniko:v1.8.0 third/plugin-drone-kaniko:v1.8.1 third/plugin-drone-kaniko:v1.7.5 third/plugin-drone-kaniko:v1.7.4 third/plugin-drone-kaniko:v1.7.3 third/plugin-drone-kaniko:v1.7.2 third/plugin-drone-kaniko:1.7.2 third/plugin-drone-kaniko:v1.7.1 third/plugin-drone-kaniko:v1.7.0 third/plugin-drone-kaniko:v1.6.11 third/plugin-drone-kaniko:v1.6.10 third/plugin-drone-kaniko:v1.6.9 third/plugin-drone-kaniko:v1.6.8 third/plugin-drone-kaniko:v1.6.7 third/plugin-drone-kaniko:v1.6.6 third/plugin-drone-kaniko:v1.6.5 third/plugin-drone-kaniko:v1.6.4 third/plugin-drone-kaniko:v1.6.3 third/plugin-drone-kaniko:v1.6.2 third/plugin-drone-kaniko:v1.6.1 third/plugin-drone-kaniko:v1.6.0 third/plugin-drone-kaniko:v1.5.1 third/plugin-drone-kaniko:v1.5.0 third/plugin-drone-kaniko:v1.4.5 third/plugin-drone-kaniko:v1.4.4 third/plugin-drone-kaniko:v1.4.3 third/plugin-drone-kaniko:v1.4.2 third/plugin-drone-kaniko:v1.4.1 third/plugin-drone-kaniko:v1.4.0 third/plugin-drone-kaniko:v1.3.1 third/plugin-drone-kaniko:v1.3.0 third/plugin-drone-kaniko:v1.2.0 third/plugin-drone-kaniko:v1.1.2 third/plugin-drone-kaniko:v1.1.1 third/plugin-drone-kaniko:v1.1.0 third/plugin-drone-kaniko:v1.0.0
...
compare: third/plugin-drone-kaniko:CI-17517
Branches Tags
third/plugin-drone-kaniko:main third/plugin-drone-kaniko:CI-22323 third/plugin-drone-kaniko:main-patch-1 third/plugin-drone-kaniko:ci-14073 third/plugin-drone-kaniko:CI-20230-go-version-update third/plugin-drone-kaniko:CI-20230 third/plugin-drone-kaniko:CI-19670-1 third/plugin-drone-kaniko:CI-19933 third/plugin-drone-kaniko:CI-19670 third/plugin-drone-kaniko:CI-19672 third/plugin-drone-kaniko:CI-18923 third/plugin-drone-kaniko:CI-18100 third/plugin-drone-kaniko:CI-17708 third/plugin-drone-kaniko:CI-17517 third/plugin-drone-kaniko:CI-17122 third/plugin-drone-kaniko:main-patch third/plugin-drone-kaniko:harness-ci-patch third/plugin-drone-kaniko:CI-16588 third/plugin-drone-kaniko:CI-16392 third/plugin-drone-kaniko:CI-16330 third/plugin-drone-kaniko:CI-16193-fix third/plugin-drone-kaniko:CI-16193 third/plugin-drone-kaniko:CI-15946 third/plugin-drone-kaniko:CI-15370 third/plugin-drone-kaniko:CI-14845 third/plugin-drone-kaniko:CI-14242-2 third/plugin-drone-kaniko:scheduled_go_upgrade2024-09-20_01-08-13 third/plugin-drone-kaniko:scheduled_go_upgrade2024-09-13_01-07-18 third/plugin-drone-kaniko:scheduled_go_upgrade2024-09-06_01-05-27 third/plugin-drone-kaniko:CI-13961 third/plugin-drone-kaniko:scheduled_go_upgrade2024-08-30_01-05-43 third/plugin-drone-kaniko:scheduled_go_upgrade2024-08-23_01-04-53 third/plugin-drone-kaniko:scheduled_go_upgrade2024-08-16_01-05-35 third/plugin-drone-kaniko:CI-13178_go_upgrade_minor third/plugin-drone-kaniko:CI-13178_go_upgrade third/plugin-drone-kaniko:go_upgrade_1_22_42024-07-02_08-12-32 third/plugin-drone-kaniko:kaniko-flag-fix third/plugin-drone-kaniko:go_upgrade_1_22_42024-07-01_10-25-21 third/plugin-drone-kaniko:go_upgrade_1_22_42024-07-01_10-47-35 third/plugin-drone-kaniko:CI-10849 third/plugin-drone-kaniko:CI-11358 third/plugin-drone-kaniko:scheduled_go_upgrade2024-03-04_08-03-22 third/plugin-drone-kaniko:newargs third/plugin-drone-kaniko:addargs third/plugin-drone-kaniko:follow_next_link third/plugin-drone-kaniko:dockerignore third/plugin-drone-kaniko:fix_panic third/plugin-drone-kaniko:ci-10525 third/plugin-drone-kaniko:ci-9254 third/plugin-drone-kaniko:aman/revert third/plugin-drone-kaniko:aman/fix-drone-ver third/plugin-drone-kaniko:new third/plugin-drone-kaniko:smjt-h-patch-1 third/plugin-drone-kaniko:support_1-9-1 third/plugin-drone-kaniko:aman/rename-config third/plugin-drone-kaniko:aman/fix-config third/plugin-drone-kaniko:aman/fix-docker-plugin third/plugin-drone-kaniko:aman-fix-acr third/plugin-drone-kaniko:aman/acrInteg third/plugin-drone-kaniko:ecr_update third/plugin-drone-kaniko:fix_assume_role third/plugin-drone-kaniko:ecr_assume_role third/plugin-drone-kaniko:kaniko_ver_upgrade third/plugin-drone-kaniko:expand_repo third/plugin-drone-kaniko:rm_autotag_v1-8 third/plugin-drone-kaniko:fix_manifest_spec third/plugin-drone-kaniko:fix_drone_yml third/plugin-drone-kaniko:fix_yml third/plugin-drone-kaniko:kaniko_1-8_img third/plugin-drone-kaniko:upgrade_kaniko_ver third/plugin-drone-kaniko:custom_platform third/plugin-drone-kaniko:gcr_cred_inherit third/plugin-drone-kaniko:upgrade_go_version third/plugin-drone-kaniko:add_verbosity third/plugin-drone-kaniko:update_cache_repo third/plugin-drone-kaniko:fix_remote_cache third/plugin-drone-kaniko:remote_cache third/plugin-drone-kaniko:cache third/plugin-drone-kaniko:update_yaml third/plugin-drone-kaniko:snapshot_mode third/plugin-drone-kaniko:test_kaniko third/plugin-drone-kaniko:fix_pipeline third/plugin-drone-kaniko:improve_err third/plugin-drone-kaniko:ecr_iam third/plugin-drone-kaniko:fix_label third/plugin-drone-kaniko:fix_ecr third/plugin-drone-kaniko:fix_gcr third/plugin-drone-kaniko:v2_registry third/plugin-drone-kaniko:fix_build_script third/plugin-drone-kaniko:fix_image third/plugin-drone-kaniko:version_update
third/plugin-drone-kaniko:v1.13.7 third/plugin-drone-kaniko:v1.13.7-debug third/plugin-drone-kaniko:v1.13.6 third/plugin-drone-kaniko:v1.13.5 third/plugin-drone-kaniko:v1.13.4 third/plugin-drone-kaniko:v1.13.3 third/plugin-drone-kaniko:v1.13.2 third/plugin-drone-kaniko:v1.13.1 third/plugin-drone-kaniko:v1.13.0 third/plugin-drone-kaniko:v1.12.0 third/plugin-drone-kaniko:v1.11.5 third/plugin-drone-kaniko:v1.11.5-debug-1 third/plugin-drone-kaniko:v1.11.5-debug third/plugin-drone-kaniko:v1.11.4 third/plugin-drone-kaniko:v1.11.3 third/plugin-drone-kaniko:v1.11.3-debug third/plugin-drone-kaniko:v1.11.2 third/plugin-drone-kaniko:v1.11.2-debug third/plugin-drone-kaniko:v1.11.1 third/plugin-drone-kaniko:v1.11.1-debug3 third/plugin-drone-kaniko:v1.11.1-debug third/plugin-drone-kaniko:v1.11.0 third/plugin-drone-kaniko:v1.11.0-debug third/plugin-drone-kaniko:v1.10.9 third/plugin-drone-kaniko:v1.10.8 third/plugin-drone-kaniko:v1.10.8-debug third/plugin-drone-kaniko:v1.10.7 third/plugin-drone-kaniko:v1.10.7-debug third/plugin-drone-kaniko:v1.10.6 third/plugin-drone-kaniko:v1.10.6-debug third/plugin-drone-kaniko:v1.10.5 third/plugin-drone-kaniko:v1.10.4 third/plugin-drone-kaniko:v1.10.3 third/plugin-drone-kaniko:v1.10.2 third/plugin-drone-kaniko:v1.10.1 third/plugin-drone-kaniko:v1.10.0-debug third/plugin-drone-kaniko:v1.10.0 third/plugin-drone-kaniko:v1.9.0 third/plugin-drone-kaniko:v1.8.10 third/plugin-drone-kaniko:v1.8.9 third/plugin-drone-kaniko:v1.8.8 third/plugin-drone-kaniko:1.8.7 third/plugin-drone-kaniko:v1.8.6 third/plugin-drone-kaniko:v1.8.5 third/plugin-drone-kaniko:v1.8.4 third/plugin-drone-kaniko:v1.8.3 third/plugin-drone-kaniko:v1.8.2 third/plugin-drone-kaniko:v1.8.0 third/plugin-drone-kaniko:v1.8.1 third/plugin-drone-kaniko:v1.7.5 third/plugin-drone-kaniko:v1.7.4 third/plugin-drone-kaniko:v1.7.3 third/plugin-drone-kaniko:v1.7.2 third/plugin-drone-kaniko:1.7.2 third/plugin-drone-kaniko:v1.7.1 third/plugin-drone-kaniko:v1.7.0 third/plugin-drone-kaniko:v1.6.11 third/plugin-drone-kaniko:v1.6.10 third/plugin-drone-kaniko:v1.6.9 third/plugin-drone-kaniko:v1.6.8 third/plugin-drone-kaniko:v1.6.7 third/plugin-drone-kaniko:v1.6.6 third/plugin-drone-kaniko:v1.6.5 third/plugin-drone-kaniko:v1.6.4 third/plugin-drone-kaniko:v1.6.3 third/plugin-drone-kaniko:v1.6.2 third/plugin-drone-kaniko:v1.6.1 third/plugin-drone-kaniko:v1.6.0 third/plugin-drone-kaniko:v1.5.1 third/plugin-drone-kaniko:v1.5.0 third/plugin-drone-kaniko:v1.4.5 third/plugin-drone-kaniko:v1.4.4 third/plugin-drone-kaniko:v1.4.3 third/plugin-drone-kaniko:v1.4.2 third/plugin-drone-kaniko:v1.4.1 third/plugin-drone-kaniko:v1.4.0 third/plugin-drone-kaniko:v1.3.1 third/plugin-drone-kaniko:v1.3.0 third/plugin-drone-kaniko:v1.2.0 third/plugin-drone-kaniko:v1.1.2 third/plugin-drone-kaniko:v1.1.1 third/plugin-drone-kaniko:v1.1.0 third/plugin-drone-kaniko:v1.0.0

96 Commits
fix_manifest_spec ... CI-17517

Author SHA1 Message Date
Ompragash Viswanathan 37e1e60f00 GAR authentication setup and remove redundant logging statements 2025-05-13 16:59:16 +05:30
Ompragash Viswanathan eee08bbac3 Add robust GAR authentication with Docker config and crane options 2025-05-13 16:20:21 +05:30
Ompragash Viswanathan 4c65ff4509 Refactor GAR authentication and crane push to use Application Default Credentials 2025-05-13 13:46:08 +05:30
Ompragash Viswanathan ef62817264 Add push-only support to Kaniko-GAR 2025-05-12 20:24:42 +05:30
OP (oppenheimer) a091f2ad04 ECR auth for push-only operation + code refactoring (#144) 2025-04-25 18:11:30 +05:30
OP (oppenheimer) af2add0aa5 Update pipeline drone-kaniko-harness (#143) 2025-04-09 19:24:48 +05:30
OP (oppenheimer) 58bd727c07 feat: [CI-16588]: Add support to PLUGIN_TAR_PATH, PLUGIN_SOURCE_TAR_PATH and PLUGIN_PUSH_ONLY to kaniko-ecr (#141) 
* Add support for tar-path, source-tar-path and push-only operations

* Updated cmd/kaniko-ecr/main.go

* Updated cmd/kaniko-ecr/main.go

* Update cmd/kaniko-ecr/main.go
 2025-03-24 21:31:18 +05:30
ci-reporunner a73b8ee28d Update pipeline drone-kaniko-harness (#142) 
Co-authored-by: ompragash.viswanathan@harness.io <ompragash.viswanathan@harness.io>
 2025-03-20 19:10:13 +05:30
OP (oppenheimer) b826c7f408 feat: [CI-16392]: Authenticate And Pull Private Base Images when NO_PUSH is enabled (#140) 2025-03-06 20:32:35 +05:30
ci-reporunner e56198f84c Create pipeline drone-kaniko-harness (#136) 2025-03-04 19:18:44 +05:30
Devansh Mathur d6153866df feat: [CI-16330]: Adding default OutputFile as DRONE_OUTPUT. (#139) 
* Adding default OutputFile as DRONE_OUTPUT.

* Removing if checks and optimizing setting up of default OutputFile as DRONE_OUTPUT.
 2025-03-03 18:05:21 +05:30
OP (oppenheimer) 30e1ea9fd8 Update main.go (#138) 2025-02-07 14:28:32 +05:30
OP (oppenheimer) 0fb726616e feat: [CI-16193]: Support multiple ignore paths (#137) 
* add new input ignore_paths to accept multiple values

* Support new input ignore_paths to all the supported versions of Kaniko
 2025-02-07 11:46:23 +05:30
OP (oppenheimer) 334f6191d1 Add Push-only support to Kaniko (Docker) (#135) 2024-12-20 11:17:28 +05:30
sahithibanda01 a3af953651 fix: [CI-14845]: support for build args which has comma seperated values (#133) 2024-11-29 13:12:39 +05:30
Anshika Anand e6ab8aa3c0 feat:[CI-15236]: Added IMAGE_TAR_PATH as output variable for the plugin. (#132) 
* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Test commit.

* feat:[CI-15236]: Test commit.

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin.

* feat:[CI-15236]: Directory check and UTs.

* Update pkg/output/output.go

* feat:[CI-15236]: fixes

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: Test fixes - removed root

* feat:[CI-15236]: If tarPath directory no present it will create it.

* feat:[CI-15236]: If tarPath directory no present it will create it.

* feat:[CI-15236]: fixes

* Update kaniko.go

removed as getTarPath is only called when tarPath isn't empty

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>
 2024-11-28 18:31:10 +05:30
Abhay 113a61b0e1 feat: [Ci-14242]: add oidc support for ecr (#131) 
* feat: [Ci-14242]: add oidc support for ecr

* fix: [CI-14242]: error handling for oidc kakniko-ecr
 2024-10-17 01:51:09 +05:30
rahkumar56 982c141391 feat: [CI-13961]: Upgraded gcr.io/kaniko-project/executor version to v1.23.2. (#125) 2024-09-09 11:23:40 +05:30
Aishwarya Lad f41d7cb836 upgrade kaniko version for chmod on ADD and COPY (#121) 2024-07-10 19:44:09 +05:30
rahkumar56 a71177d4b4 fix: [CI-13178]: Upgrade go version with minor version to 1.22.4 (#120) 2024-07-10 16:06:42 +05:30
rahkumar56 5582e3ed7c feat: [CI-13178]: GO version upgrade from 1.22.0 to 1.22.4. (#119) 2024-07-03 12:30:41 +05:30
Hemanth Mantri 4c0f781999 [CI-13182]: Use snapshot-mode instead of snapshotMode (#118) 
The kaniko flag `snapshotMode` is deprecated in favor of `snapshot-mode`. The default value of `snapshot-mode` is `full`. As a result, the `optimize` flag set in Harness CI's `BuildAndPushToDocker` steps doesn't behave as expected because the `full` mode triggers a full filesystem scan which is slow. The `optimize` flag in Harness translates to `snapshot-mode=redo` which means only filesystem deltas are compared which is much faster. 

This change fixes the flag name being sent to Kaniko executor. I verified that the executor present in the current version already supports this flag as shown below:

```
hemanthkumarmantri@Hemanth Kumar harness-core % docker run -it --entrypoint /kaniko/executor plugins/kaniko:1.8.10 --help | grep snapshot-mode
      --snapshot-mode string                      Change the file attributes inspected during snapshotting (default "full")
      --snapshotMode string                       This flag is deprecated. Please use '--snapshot-mode'.
```
 2024-07-01 14:06:19 -07:00
Abhay 20525e5403 feat: [CI-10849]: add git-leaks support (#113) 
* feat: [CI-10849]: add git-leaks support

* correct reference
 2024-05-10 12:38:31 +01:00
Aishwarya Lad 04885c8ec8 fix tests (#117) 2024-05-01 15:14:04 -04:00
Aishwarya Lad e4a0486a6e modify base image registry variable (#116) 
* modify base image registry variable

* adding instead of modifying

* adding instead of modifying
 2024-04-29 14:26:31 -04:00
Aishwarya Lad 7b442a53ff Modify docker config to add base connector (#115) 
* add config for base connector

* fix permissions code

* add gar step support

* add gar step support

* reformat code, add support for gar and acr

* remove logs

* address review comments

* delete bin file
 2024-04-26 15:54:08 -04:00
Abhay f224543240 fix: [CI-11358]: fix kaniko executor Vulnerabilities (#114) 2024-03-20 12:57:59 +05:30
rahkumar56 910bcb89c2 Update GO Version to latest version in all the files (#112) 2024-03-05 23:15:25 +05:30
Soumyajit Das 44ccf5a7c6 fix: [CI-10165]: Add additional kaniko args (#102) 
* fix: [CI-10165]: Add additional kaniko args

* fix: [CI-10165]: support additional kaniko args

* fix: [CI-10165]: Add bool parse logic
 2024-02-06 15:22:31 +05:30
Rojan Dinc f8c678fcde Revert "fix: [CI-10165]: support additional kaniko args from PLUGIN_ env vars (#93)" (#99) 
This reverts commit 20c593c3e7.
 2024-01-30 21:33:04 +05:30
Soumyajit Das 20c593c3e7 fix: [CI-10165]: support additional kaniko args from PLUGIN_ env vars (#93) 2024-01-30 12:31:18 +05:30
Vistaar Juneja c2f00d6d86 follow next link for azure subscriptions API (#94) 2024-01-25 09:35:14 +00:00
Soumyajit Das 467287429a fix: [CI-10908]: added kaniko 1.19.2 suport for dockerignore (#92) 2024-01-12 16:17:51 +05:30
Vistaar Juneja 65cd3884f1 add validations on response from /subscriptions API in ACR (#91) 2024-01-10 10:48:31 +00:00
Eoin McAfee 5df1d55e7f Split out gcr and gar (#88) 
* seperate out gcr and gar
 2023-11-23 09:26:55 +00:00
Abhay 3181dc066f [fix]: [ci-9254]: go version upgrade to 1.21 (#86) 2023-09-13 14:55:14 +05:30
Aman Singh a26a84a1fe Revert "fix: [CI-8113]: added kaniko 1.9.2 support (#83)" (#84) 
This reverts commit cd3745b3ca.
 2023-06-01 10:28:40 +05:30
Aman Singh cd3745b3ca fix: [CI-8113]: added kaniko 1.9.2 support (#83) 
* fix: [CI-8113]: added kaniko 1.9.2 support

* fix: [CI-8113]: added kaniko 1.9.2 support
 2023-05-24 15:52:18 +05:30
Dan Home 13a217a4af ECR: Add assume-role support for create-repository, *-policy (#79) 
* ECR: Add assume-role support for create-repository, *-policy

* Rearrange imports
 2023-05-19 16:55:09 +01:00
Aman Singh 481ee9f624 incremented-drone-version (#82) 2023-05-17 13:06:17 +05:30
Karl Trygve Kalleberg 0dee97e338 Expose tar_path command line option from Kaniko (#78) 2023-04-03 09:47:53 +01:00
Raghav ed6f3c5bf4 Add output variable support (#77) 
* add digest as output variable for kaniko plugin
 2023-03-16 10:03:59 +00:00
Raghav 4893b5b945 add support for docker complaint registries for base image (#74) 2023-02-23 11:38:53 +05:30
Soumyajit Das 447ee28867 fix: [CI-6505]: Upgrade kanoko version for all (#71) 2023-01-17 13:00:11 +05:30
Soumyajit Das 9c90e58a2d fix: [CI-6412]: Error message Refinement (#70) 2023-01-04 11:13:01 +05:30
Shubham Agrawal d998c00a4b Add v1.9.1 kaniko image support (#69) 2022-12-02 15:43:35 +05:30
Aman Singh 2f55e25020 Merge pull request #68 from drone/aman/rename-config 
fixed config-name for PLUGIN_CONFIG
 2022-11-10 12:28:26 +05:30
Aman Singh f3544ce6ee renamed docker config 2022-11-09 18:02:22 +05:30
Aman Singh e4cd992d8d renamed docker config 2022-11-08 16:21:45 +05:30
Aman Singh d457df687d renamed docker config 2022-11-08 15:05:26 +05:30
Aman Singh 4820b6af00 renamed docker config 2022-11-08 15:01:52 +05:30
Aman Singh 3717723366 fixed config-name for PLUGIN_CONFIG 2022-11-08 12:32:12 +05:30
Aman Singh be3bf8ad1e Merge pull request #67 from drone/aman/fix-config 
added config for providing docker config
 2022-11-07 17:12:56 +05:30
Aman Singh 15255d3520 added comments 2022-11-07 17:07:26 +05:30
Aman Singh 6ba0eb58c3 added config for providing docker config 2022-11-07 14:21:40 +05:30
Aman Singh 17e907c7cf Merge pull request #66 from drone/aman/fix-docker-plugin 
Added option to use overriden docker config
 2022-11-04 19:57:58 +05:30
Aman Singh 190fbefe91 config override 2022-11-04 19:50:04 +05:30
Aman Singh 48f6e72954 config override 2022-11-04 19:49:25 +05:30
Aman Singh 1bee1629c2 added option to use overriden docker config 2022-11-04 19:48:03 +05:30
Kyle Lemons 2d0315e6bb Add beta testcase for clarity, coverage, and regression prevention (#64) 2022-11-03 19:05:06 +05:30
Aman Singh 34cfbdfbd5 Merge pull request #65 from aman-harness/aman/acr-artifact 
fixed public url in code for acr
 2022-11-03 16:53:33 +05:30
Aman Singh d11c254840 fixed test 2022-11-02 17:12:34 +05:30
Aman Singh 7d751135b1 fixed url 2022-11-02 16:20:54 +05:30
Aman Singh 54f2fe097a fixed url 2022-11-02 16:17:23 +05:30
Aman Singh 9c899979ff fixed url 2022-11-02 16:09:57 +05:30
Aman Singh 6ac1efad25 fixed url 2022-11-02 15:58:40 +05:30
Aman Singh 128a2d77c0 fixed minor changes 2022-11-02 12:36:19 +05:30
Aman Singh 69e789b294 removed prints statements 2022-11-02 12:23:26 +05:30
Aman Singh 000711c7f1 fixed public url in code for acr 2022-11-02 11:50:39 +05:30
Jamie Li 864a7e5319 Fix manifest of ACR (#62) 2022-08-18 11:52:19 +05:30
Jamie Li 1c34458f6c Add arm stage as a depends_on for manifest stages (#61) 2022-08-17 11:54:11 +05:30
Jamie Li 725950ee02 Fix acr manifest template (#60) 2022-08-17 11:24:31 +05:30
Jamie Li 97a3f33180 Add arm image build (#59) 2022-08-16 11:20:49 +05:30
Aman Singh 33e44ca23a Merge pull request #58 from drone/aman-fix-acr 
Fix cert not working in ACR
 2022-08-03 15:06:01 +05:30
Aman Singh 1409e80406 addressed comments 2022-08-03 13:14:03 +05:30
Aman Singh 97ecf9b992 addressed comments 2022-08-03 13:09:41 +05:30
Aman Singh 0ae1cbc382 addressed comments 2022-08-03 13:07:49 +05:30
Aman Singh fe57a616ed addressed comments 2022-08-03 13:07:27 +05:30
Aman Singh 4da1f904b0 Update README.md 2022-08-03 12:56:58 +05:30
Aman Singh eaeab5fddb updated .gitignore 2022-08-03 12:54:53 +05:30
Aman Singh 546dc21a7e removed fmt.print 2022-08-03 12:53:16 +05:30
Aman Singh d0df077e6e fix cert issue in acr images 2022-08-03 12:50:10 +05:30
Aman Singh d96c3d05e8 fixed acr 2022-08-02 09:26:23 +05:30
Aman Singh 23b0ed0baa Added acr integration (#57) 2022-08-01 21:38:36 +05:30
Shubham Agrawal 34f3316a65 ECR fix for 1.8.1 kaniko version (#53) 2022-07-12 13:44:47 +05:30
Shubham Agrawal 56b0e6a779 Fix bugs in assume role support (#56) 2022-07-12 13:22:11 +05:30
Shubham Agrawal f1cb9b2c41 Add support for assume role to ECR (#55) 
* Add support for assume role to ECR

* fix errors

* fix UTs

* fix format
 2022-07-12 11:49:47 +05:30
Raghav c7770b6668 golang image upgrade to 1.18 (#54) 2022-07-08 12:36:10 +05:30
Shubham Agrawal adee644baf Publish kaniko 1.8.1 version images (#52) 2022-04-12 23:21:29 +05:30
TP Honey f5669f55eb Merge pull request #51 from aman-harness/patch-1 
Upgraded golang version to 1.17.8
 2022-04-12 16:36:19 +01:00
Aman Singh 984d34fe9f Upgraded golang version to 1.17.8 2022-04-12 20:41:54 +05:30
Peter Novotnak 89b4f6b0c9 Skip unused stages flag (#49) 
* skip unused stages flag

* re-add smithy
 2022-04-09 10:57:17 +05:30
Shubham Agrawal c39a1155b5 Making prepend of registry url to repo name optional (#48) 2022-04-05 14:39:12 +05:30
ymage ea64d40995 Remove prepending of v1RegistryURL to the repo (#47) 
* Default registry value is not  but v1RegistryURL

* Handle test (not sure about its relevancy

Co-authored-by: Ymage <heltem+git@o2php.com>
 2022-04-04 10:58:10 +05:30
Shubham Agrawal 0cd3e162fa Remove auto tagging for version 1.8 (#46) 2022-03-31 16:24:40 +05:30
Shubham Agrawal f492271f45 Fix manifest yml (#45) 2022-03-31 15:39:44 +05:30
64 changed files with 5390 additions and 405 deletions
Expand all files Collapse all files
.drone.yml
+288 -19
View File
@@ -1,10 +1,17 @@
kind: pipeline
type: docker
type: vm
name: default
pool:
use: ubuntu
platform:
os: linux
arch: amd64
steps:
- name: build
image: golang:1.17.7
image: golang:1.22.4
commands:
- go test ./...
- sh scripts/build.sh
@@ -43,6 +50,23 @@ steps:
exclude:
- pull_request
- name: gar
image: plugins/docker
settings:
repo: plugins/kaniko-gar
auto_tag: true
auto_tag_suffix: linux-amd64
daemon_off: false
dockerfile: docker/gar/Dockerfile.linux.amd64
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: ecr
image: plugins/docker
settings:
@@ -60,14 +84,31 @@ steps:
exclude:
- pull_request
- name: docker-kaniko-v1-8
- name: acr
image: plugins/docker
settings:
repo: plugins/kaniko-acr
auto_tag: true
auto_tag_suffix: linux-amd64
daemon_off: false
dockerfile: docker/acr/Dockerfile.linux.amd64
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: docker-kaniko-v1-9
image: plugins/docker
settings:
repo: plugins/kaniko
auto_tag: true
auto_tag_suffix: linux-amd64-kaniko1.8.0
auto_tag_suffix: linux-amd64-kaniko1.9.1
daemon_off: false
dockerfile: docker/docker/Dockerfile.linux.amd64.kaniko1.8.0
dockerfile: docker/docker/Dockerfile.linux.amd64.kaniko1.9.1
username:
from_secret: docker_username
password:
@@ -77,14 +118,14 @@ steps:
exclude:
- pull_request
- name: gcr-kaniko-v1-8
- name: gcr-kaniko-v1-9
image: plugins/docker
settings:
repo: plugins/kaniko-gcr
auto_tag: true
auto_tag_suffix: linux-amd64-kaniko1.8.0
auto_tag_suffix: linux-amd64-kaniko1.9.1
daemon_off: false
dockerfile: docker/gcr/Dockerfile.linux.amd64.kaniko1.8.0
dockerfile: docker/gcr/Dockerfile.linux.amd64.kaniko1.9.1
username:
from_secret: docker_username
password:
@@ -94,14 +135,31 @@ steps:
exclude:
- pull_request
- name: ecr-kaniko-v1-8
- name: gar-kaniko-v1-9
image: plugins/docker
settings:
repo: plugins/kaniko-gar
auto_tag: true
auto_tag_suffix: linux-amd64-kaniko1.9.1
daemon_off: false
dockerfile: docker/gar/Dockerfile.linux.amd64.kaniko1.9.1
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: ecr-kaniko-v1-9
image: plugins/docker
settings:
repo: plugins/kaniko-ecr
auto_tag: true
auto_tag_suffix: linux-amd64-kaniko1.8.0
auto_tag_suffix: linux-amd64-kaniko1.9.1
daemon_off: false
dockerfile: docker/ecr/Dockerfile.linux.amd64.kaniko1.8.0
dockerfile: docker/ecr/Dockerfile.linux.amd64.kaniko1.9.1
username:
from_secret: docker_username
password:
@@ -112,9 +170,179 @@ steps:
- pull_request
---
kind: pipeline
type: docker
type: vm
name: arm
pool:
use: ubuntu_arm64
steps:
- name: build
image: golang:1.22.4
commands:
- go test ./...
- sh scripts/build.sh
- name: docker
image: plugins/docker
settings:
repo: plugins/kaniko
auto_tag: true
auto_tag_suffix: linux-arm64
daemon_off: false
dockerfile: docker/docker/Dockerfile.linux.arm64
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: gcr
image: plugins/docker
settings:
repo: plugins/kaniko-gcr
auto_tag: true
auto_tag_suffix: linux-arm64
daemon_off: false
dockerfile: docker/gcr/Dockerfile.linux.arm64
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: gar
image: plugins/docker
settings:
repo: plugins/kaniko-gar
auto_tag: true
auto_tag_suffix: linux-arm64
daemon_off: false
dockerfile: docker/gar/Dockerfile.linux.arm64
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: ecr
image: plugins/docker
settings:
repo: plugins/kaniko-ecr
auto_tag: true
auto_tag_suffix: linux-arm64
daemon_off: false
dockerfile: docker/ecr/Dockerfile.linux.arm64
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: acr
image: plugins/docker
settings:
repo: plugins/kaniko-acr
auto_tag: true
auto_tag_suffix: linux-arm64
daemon_off: false
dockerfile: docker/acr/Dockerfile.linux.arm64
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: docker-kaniko-v1-9
image: plugins/docker
settings:
repo: plugins/kaniko
auto_tag: true
auto_tag_suffix: linux-arm64-kaniko1.9.1
daemon_off: false
dockerfile: docker/docker/Dockerfile.linux.arm64.kaniko1.9.1
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: gcr-kaniko-v1-9
image: plugins/docker
settings:
repo: plugins/kaniko-gcr
auto_tag: true
auto_tag_suffix: linux-arm64-kaniko1.9.1
daemon_off: false
dockerfile: docker/gcr/Dockerfile.linux.arm64.kaniko1.9.1
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: gar-kaniko-v1-9
image: plugins/docker
settings:
repo: plugins/kaniko-gar
auto_tag: true
auto_tag_suffix: linux-arm64-kaniko1.9.1
daemon_off: false
dockerfile: docker/gar/Dockerfile.linux.arm64.kaniko1.9.1
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
- name: ecr-kaniko-v1-9
image: plugins/docker
settings:
repo: plugins/kaniko-ecr
auto_tag: true
auto_tag_suffix: linux-arm64-kaniko1.9.1
daemon_off: false
dockerfile: docker/ecr/Dockerfile.linux.arm64.kaniko1.9.1
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- pull_request
---
kind: pipeline
type: vm
name: notifications-docker
pool:
use: ubuntu
platform:
os: linux
arch: amd64
@@ -144,6 +372,30 @@ steps:
username:
from_secret: docker_username
- name: manifest-gar
pull: always
image: plugins/manifest
settings:
auto_tag: true
ignore_missing: true
password:
from_secret: docker_password
spec: docker/gar/manifest.tmpl
username:
from_secret: docker_username
- name: manifest-acr
pull: always
image: plugins/manifest
settings:
auto_tag: true
ignore_missing: true
password:
from_secret: docker_password
spec: docker/acr/manifest.tmpl
username:
from_secret: docker_username
- name: manifest-ecr
pull: always
image: plugins/manifest
@@ -163,12 +415,16 @@ trigger:
depends_on:
- default
- arm
---
kind: pipeline
type: docker
type: vm
name: notifications-docker-kaniko1-8
pool:
use: ubuntu
platform:
os: linux
arch: amd64
@@ -178,11 +434,11 @@ steps:
pull: always
image: plugins/manifest
settings:
auto_tag: true
auto_tag: false
ignore_missing: true
password:
from_secret: docker_password
spec: docker/docker/manifest-kaniko1.8.0.tmpl
spec: docker/docker/manifest-kaniko1.9.1.tmpl
username:
from_secret: docker_username
@@ -190,11 +446,23 @@ steps:
pull: always
image: plugins/manifest
settings:
auto_tag: true
auto_tag: false
ignore_missing: true
password:
from_secret: docker_password
spec: docker/gcr/manifest-kaniko1.8.0.tmpl
spec: docker/gcr/manifest-kaniko1.9.1.tmpl
username:
from_secret: docker_username
- name: manifest-gar
pull: always
image: plugins/manifest
settings:
auto_tag: false
ignore_missing: true
password:
from_secret: docker_password
spec: docker/gar/manifest-kaniko1.9.1.tmpl
username:
from_secret: docker_username
@@ -202,11 +470,11 @@ steps:
pull: always
image: plugins/manifest
settings:
auto_tag: true
auto_tag: false
ignore_missing: true
password:
from_secret: docker_password
spec: docker/ecr/manifest-kaniko1.8.0.tmpl
spec: docker/ecr/manifest-kaniko1.9.1.tmpl
username:
from_secret: docker_username
@@ -217,3 +485,4 @@ trigger:
depends_on:
- default
- arm
.gitignore
+1
View File
@@ -2,3 +2,4 @@ release
coverage.out
vendor
.idea
.vscode
.harness/eventPR.yaml
+14
View File
@@ -0,0 +1,14 @@
inputSet:
name: event-PR
identifier: eventPR
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: PR
spec:
number: <+trigger.prNumber>
.harness/eventPush.yaml
+14
View File
@@ -0,0 +1,14 @@
inputSet:
name: event-Push
identifier: eventPush
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: branch
spec:
branch: <+trigger.branch>
.harness/eventTag.yaml
+14
View File
@@ -0,0 +1,14 @@
inputSet:
name: event-Tag
identifier: eventTag
orgIdentifier: default
projectIdentifier: Drone_Plugins
pipeline:
identifier: dronekanikoharness
properties:
ci:
codebase:
build:
type: tag
spec:
tag: <+trigger.tag>
.harness/harness.yaml
+656
View File
@@ -0,0 +1,656 @@
pipeline:
name: drone-kaniko-harness
identifier: dronekanikoharness
projectIdentifier: Drone_Plugins
orgIdentifier: default
tags: {}
properties:
ci:
codebase:
connectorRef: GitHub_Drone_Org
repoName: drone-kaniko
build: <+input>
sparseCheckout: []
stages:
- parallel:
- stage:
name: linux-amd64
identifier: linuxamd64
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Amd64
runtime:
type: Cloud
spec: {}
execution:
steps:
- step:
type: Run
name: Build Binary
identifier: Build
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: golang:1.22.4
shell: Sh
command: |-
go test ./...
sh scripts/build.sh
- parallel:
- step:
type: Plugin
name: BuildAndPushDockerTag
identifier: BuildAndPushDockerTag
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
auto_tag: "true"
auto_tag_suffix: linux-amd64
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
- "-acr"
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gcr"
repo: acr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-gar"
repo: acr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
- image: "-ecr"
repo: acr
- image: "-acr"
repo: docker
- image: "-acr"
repo: gcr
- image: "-acr"
repo: gar
- image: "-acr"
repo: ecr
nodeName: _<+matrix.repo>
- step:
type: Plugin
name: BuildAndPushDockerTag_Kaniko
identifier: BuildAndPushDockerTag_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
auto_tag: "true"
auto_tag_suffix: linux-amd64-kaniko1.9.1
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
nodeName: <+matrix.repo>
- parallel:
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch
identifier: BuildAndPushDockerBranch
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-amd64
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
- "-acr"
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gcr"
repo: acr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-gar"
repo: acr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
- image: "-ecr"
repo: acr
- image: "-acr"
repo: docker
- image: "-acr"
repo: gcr
- image: "-acr"
repo: gar
- image: "-acr"
repo: ecr
nodeName: <+matrix.repo>
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch_Kaniko
identifier: BuildAndPushDockerBranch_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-amd64-kaniko1.9.1
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
nodeName: _<+matrix.repo>
when:
pipelineStatus: Success
- stage:
name: linux-arm64
identifier: linuxarm64
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Arm64
runtime:
type: Cloud
spec: {}
execution:
steps:
- step:
type: Run
name: Build Binary
identifier: Build_and_Test
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: golang:1.22.4
shell: Sh
command: |-
go test ./...
sh scripts/build.sh
- parallel:
- step:
type: Plugin
name: BuildAndPushDockerTag
identifier: BuildAndPushDockerTag
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
auto_tag: "true"
auto_tag_suffix: linux-arm64
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
- "-acr"
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gcr"
repo: acr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-gar"
repo: acr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
- image: "-ecr"
repo: acr
- image: "-acr"
repo: docker
- image: "-acr"
repo: gcr
- image: "-acr"
repo: gar
- image: "-acr"
repo: ecr
nodeName: _<+matrix.repo>
- step:
type: Plugin
name: BuildAndPushDockerTag_Kaniko
identifier: BuildAndPushDockerTag_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/docker
settings:
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
repo: plugins/kaniko<+matrix.image>
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
auto_tag: "true"
auto_tag_suffix: linux-arm64-kaniko1.9.1
daemon_off: "false"
when:
stageStatus: Success
condition: <+codebase.build.type> == "tag"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
nodeName: _<+matrix.repo>
- parallel:
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch
identifier: BuildAndPushDockerBranch
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-arm64
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
- "-acr"
repo:
- docker
- gcr
- gar
- ecr
- acr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: ""
repo: acr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gcr"
repo: acr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-gar"
repo: acr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
- image: "-ecr"
repo: acr
- image: "-acr"
repo: docker
- image: "-acr"
repo: gcr
- image: "-acr"
repo: gar
- image: "-acr"
repo: ecr
nodeName: <+matrix.repo>
- step:
type: BuildAndPushDockerRegistry
name: BuildAndPushDockerBranch_Kaniko
identifier: BuildAndPushDockerBranch_Kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
repo: plugins/kaniko<+matrix.image>
tags:
- linux-arm64-kaniko1.9.1
caching: false
dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch"
strategy:
matrix:
image:
- ""
- "-gcr"
- "-gar"
- "-ecr"
repo:
- docker
- gcr
- gar
- ecr
exclude:
- image: ""
repo: gcr
- image: ""
repo: gar
- image: ""
repo: ecr
- image: "-gcr"
repo: docker
- image: "-gcr"
repo: gar
- image: "-gcr"
repo: ecr
- image: "-gar"
repo: docker
- image: "-gar"
repo: gcr
- image: "-gar"
repo: ecr
- image: "-ecr"
repo: docker
- image: "-ecr"
repo: gcr
- image: "-ecr"
repo: gar
nodeName: _<+matrix.repo>
when:
pipelineStatus: Success
- stage:
name: Manifest
identifier: Manifest
description: ""
type: CI
spec:
cloneCodebase: true
caching:
enabled: false
paths: []
platform:
os: Linux
arch: Amd64
runtime:
type: Cloud
spec: {}
execution:
steps:
- parallel:
- step:
type: Plugin
name: Manifest
identifier: Manifest
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/manifest
settings:
auto_tag: "true"
spec: docker/<+matrix.repo>/manifest.tmpl
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
ignore_missing: "true"
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
strategy:
matrix:
repo:
- docker
- gcr
- gar
- ecr
- acr
nodeName: manifest_<+matrix.repo>
- step:
type: Plugin
name: Manifest_kaniko191
identifier: Manifest_kaniko
spec:
connectorRef: Plugins_Docker_Hub_Connector
image: plugins/manifest
settings:
auto_tag: "false"
spec: docker/<+matrix.repo>/manifest-kaniko1.9.1.tmpl
username: drone
password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
ignore_missing: "true"
when:
stageStatus: Success
condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
strategy:
matrix:
repo:
- docker
- gcr
- gar
- ecr
nodeName: manifest_<+matrix.repo>
when:
pipelineStatus: Success
allowStageExecutions: true
README.md
+47 -1
View File
@@ -2,6 +2,15 @@
Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko) to build and publish Docker images to a container registry.
Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.
Run the following script to install git-leaks support to this repo.
```
chmod +x ./git-hooks/install.sh
./git-hooks/install.sh
```
## Build
Build the binaries with the following commands:
@@ -15,6 +24,7 @@ export GO111MODULE=on
go build -v -a -tags netgo -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
go build -v -a -tags netgo -o release/linux/amd64/kaniko-gcr ./cmd/kaniko-gcr
go build -v -a -tags netgo -o release/linux/amd64/kaniko-ecr ./cmd/kaniko-ecr
go build -v -a -tags netgo -o release/linux/amd64/kaniko-acr ./cmd/kaniko-acr
```
## Docker
@@ -27,6 +37,11 @@ docker build \
--label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
--file docker/docker/Dockerfile.linux.amd64 --tag plugins/kaniko .
docker build \
--label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
--file docker/acr/Dockerfile.linux.amd64 --tag plugins/kaniko-acr .
docker build \
--label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
@@ -39,6 +54,33 @@ docker build \
```
## Usage
### Operation Modes
Default Mode (Build and Push):
When neither `no_push` nor `push_only` is provided. Plugin builds and pushes the Docker image to a container registry.
Build-Only Mode (no-push):
When `no_push` is true and `destination_tar_path` is defined.
Plugin performs only the image build operation and saves the resulting image tarball to the specified `destination_tar_path`
It does not push the image to any registry.
Push-Only Mode (push-only):
When `push_only` is true and `source_tar_path` is defined.
Plugin loads an existing image tarball from the specified `source_tar_path`
and pushes the loaded image to a Container Registry.
It skips the build process.
### Mutually Exclusive Inputs
If both `no_push` and `push_only` inputs are provided, the plugin will:
Terminate the operation and
throw an error with the message: "Inputs no-push and push-only cannot be used together. Please define only one."
### Manual Tagging
```console
@@ -65,6 +107,7 @@ docker run --rm \
-w /drone \
plugins/kaniko:linux-amd64
```
would both be equivalent to
```
@@ -74,7 +117,7 @@ PLUGIN_TAGS=1,1.2,1.2.3,latest
This allows for passing `$DRONE_TAG` directly as a tag for repos that use [semver](https://semver.org) tags.
To avoid confusion between repo tags and image tags, `PLUGIN_EXPAND_TAG` also recognizes a semantic version
without the `v` prefix. As such, the following is also equivalent to the above:
without the `v` prefix. As such, the following is also equivalent to the above:
```console
docker run --rm \
@@ -86,6 +129,7 @@ docker run --rm \
```
### Auto Tagging
The [auto tag feature](https://plugins.drone.io/drone-plugins/drone-docker) of docker plugin is also supported.
When auto tagging is enabled, if any of the case is matched below, a docker build will be pushed with auto generated tags. Otherwise the docker build will be skipped.
@@ -107,6 +151,7 @@ docker run --rm \
```
Tags to push:
- 1.2.3
- 1.2
- 1
@@ -127,4 +172,5 @@ docker run --rm \
```
Tags to push:
- latest
cmd/kaniko-acr/main.go
+706
View File
@@ -0,0 +1,706 @@
package main
import (
"context"
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
)
const (
clientIdEnv string = "AZURE_CLIENT_ID"
clientSecretKeyEnv string = "AZURE_CLIENT_SECRET"
dockerConfigPath string = "/kaniko/.docker"
tenantKeyEnv string = "AZURE_TENANT_ID"
certPathEnv string = "AZURE_CLIENT_CERTIFICATE_PATH"
defaultDigestFile string = "/kaniko/digest-file"
finalUrl string = "https://portal.azure.com/#view/Microsoft_Azure_ContainerRegistries/TagMetadataBlade/registryId/"
)
var (
ACRCertPath = "/kaniko/acr-cert.pem"
pluginVersion = "unknown"
username = "00000000-0000-0000-0000-000000000000"
maxPageCount = 1000 // maximum count of pages to cycle through before we break out
)
func main() {
// TODO Add the env file functionality
app := cli.NewApp()
app.Name = "kaniko docker plugin"
app.Usage = "kaniko docker plugin"
app.Action = run
app.Version = pluginVersion
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "dockerfile",
Usage: "build dockerfile",
Value: "Dockerfile",
EnvVar: "PLUGIN_DOCKERFILE",
},
cli.StringFlag{
Name: "context",
Usage: "build context",
Value: ".",
EnvVar: "PLUGIN_CONTEXT",
},
cli.StringFlag{
Name: "drone-commit-ref",
Usage: "git commit ref passed by Drone",
EnvVar: "DRONE_COMMIT_REF",
},
cli.StringFlag{
Name: "drone-repo-branch",
Usage: "git repository default branch passed by Drone",
EnvVar: "DRONE_REPO_BRANCH",
},
cli.StringSliceFlag{
Name: "tags",
Usage: "build tags",
Value: &cli.StringSlice{"latest"},
EnvVar: "PLUGIN_TAGS",
FilePath: ".tags",
},
cli.BoolFlag{
Name: "expand-tag",
Usage: "enable for semver tagging",
EnvVar: "PLUGIN_EXPAND_TAG",
},
cli.BoolFlag{
Name: "auto-tag",
Usage: "enable auto generation of build tags",
EnvVar: "PLUGIN_AUTO_TAG",
},
cli.StringFlag{
Name: "auto-tag-suffix",
Usage: "the suffix of auto build tags",
EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
},
cli.StringSliceFlag{
Name: "args",
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",
Usage: "build target",
EnvVar: "PLUGIN_TARGET",
},
cli.StringFlag{
Name: "repo",
Usage: "docker repository",
EnvVar: "PLUGIN_REPO",
},
cli.BoolFlag{
Name: "create-repository",
Usage: "create ACR repository",
EnvVar: "PLUGIN_CREATE_REPOSITORY",
},
cli.StringSliceFlag{
Name: "custom-labels",
Usage: "additional k=v labels",
EnvVar: "PLUGIN_CUSTOM_LABELS",
},
cli.StringFlag{
Name: "registry",
Usage: "ACR registry",
EnvVar: "PLUGIN_REGISTRY",
},
cli.StringFlag{
Name: "base-image-registry",
Usage: "Docker registry for base image",
EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
},
cli.StringFlag{
Name: "base-image-username",
Usage: "Docker username for base image registry",
EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
},
cli.StringFlag{
Name: "base-image-password",
Usage: "Docker password for base image registry",
EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
},
cli.StringSliceFlag{
Name: "registry-mirrors",
Usage: "docker registry mirrors",
EnvVar: "PLUGIN_REGISTRY_MIRRORS",
},
cli.StringFlag{
Name: "client-secret",
Usage: "Azure client secret",
EnvVar: "CLIENT_SECRET",
},
cli.StringFlag{
Name: "client-cert",
Usage: "Azure client certificate encoded in base64 format",
EnvVar: "CLIENT_CERTIFICATE",
},
cli.StringFlag{
Name: "tenant-id",
Usage: "Azure Tenant Id",
EnvVar: "TENANT_ID",
},
cli.StringFlag{
Name: "subscription-id",
Usage: "Azure Subscription Id",
EnvVar: "SUBSCRIPTION_ID",
},
cli.StringFlag{
Name: "client-id",
Usage: "Azure Client Id",
EnvVar: "CLIENT_ID",
},
cli.StringFlag{
Name: "snapshot-mode",
Usage: "Specify one of full, redo or time as snapshot mode",
EnvVar: "PLUGIN_SNAPSHOT_MODE",
},
cli.StringFlag{
Name: "lifecycle-policy",
Usage: "Path to lifecycle policy file",
EnvVar: "PLUGIN_LIFECYCLE_POLICY",
},
cli.StringFlag{
Name: "repository-policy",
Usage: "Path to repository policy file",
EnvVar: "PLUGIN_REPOSITORY_POLICY",
},
cli.BoolFlag{
Name: "enable-cache",
Usage: "Set this flag to opt into caching with kaniko",
EnvVar: "PLUGIN_ENABLE_CACHE",
},
cli.StringFlag{
Name: "cache-repo",
Usage: "Remote repository that will be used to store cached layers. Cache repo should be present in specified registry. enable-cache needs to be set to use this flag",
EnvVar: "PLUGIN_CACHE_REPO",
},
cli.IntFlag{
Name: "cache-ttl",
Usage: "Cache timeout in hours. Defaults to two weeks.",
EnvVar: "PLUGIN_CACHE_TTL",
},
cli.StringFlag{
Name: "artifact-file",
Usage: "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
EnvVar: "PLUGIN_ARTIFACT_FILE",
},
cli.BoolFlag{
Name: "no-push",
Usage: "Set this flag if you only want to build the image, without pushing to a registry",
EnvVar: "PLUGIN_NO_PUSH",
},
cli.StringFlag{
Name: "verbosity",
Usage: "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
EnvVar: "PLUGIN_VERBOSITY",
},
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
Usage: "build only used stages",
EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
},
cli.StringFlag{
Name: "cache-dir",
Usage: "Set this flag to specify a local directory cache for base images",
EnvVar: "PLUGIN_CACHE_DIR",
},
cli.BoolFlag{
Name: "cache-copy-layers",
Usage: "Enable or disable copying layers from the cache.",
EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
},
cli.BoolFlag{
Name: "cache-run-layers",
Usage: "Enable or disable running layers from the cache.",
EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
},
cli.BoolFlag{
Name: "cleanup",
Usage: "Enable or disable cleanup of temporary files.",
EnvVar: "PLUGIN_CLEANUP",
},
cli.BoolFlag{
Name: "compressed-caching",
Usage: "Enable or disable compressed caching.",
EnvVar: "PLUGIN_COMPRESSED_CACHING",
},
cli.StringFlag{
Name: "context-sub-path",
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
EnvVar: "PLUGIN_FORCE",
},
cli.StringSliceFlag{
Name: "image-name-with-digest-file",
Usage: "Write image name with digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
},
cli.StringFlag{
Name: "image-name-tag-with-digest-file",
Usage: "Write image name with tag and digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
},
cli.BoolFlag{
Name: "insecure",
Usage: "Allow connecting to registries without TLS.",
EnvVar: "PLUGIN_INSECURE",
},
cli.BoolFlag{
Name: "insecure-pull",
Usage: "Allow insecure pulls from the registry.",
EnvVar: "PLUGIN_INSECURE_PULL",
},
cli.StringFlag{
Name: "insecure-registry",
Usage: "Use plain HTTP for registry communication.",
EnvVar: "PLUGIN_INSECURE_REGISTRY",
},
cli.StringFlag{
Name: "log-format",
Usage: "Set the log format for build output.",
EnvVar: "PLUGIN_LOG_FORMAT",
},
cli.BoolFlag{
Name: "log-timestamp",
Usage: "Show timestamps in build output.",
EnvVar: "PLUGIN_LOG_TIMESTAMP",
},
cli.StringFlag{
Name: "oci-layout-path",
Usage: "Directory to store OCI layout.",
EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
},
cli.IntFlag{
Name: "push-retry",
Usage: "Number of times to retry pushing an image.",
EnvVar: "PLUGIN_PUSH_RETRY",
},
cli.StringFlag{
Name: "registry-certificate",
Usage: "Path to a file containing a registry certificate.",
EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
},
cli.StringFlag{
Name: "registry-client-cert",
Usage: "Path to a file containing a registry client certificate.",
EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
},
cli.BoolFlag{
Name: "skip-default-registry-fallback",
Usage: "Skip Docker Hub and default registry fallback.",
EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
},
cli.BoolFlag{
Name: "reproducible",
Usage: "Create a reproducible image.",
EnvVar: "PLUGIN_REPRODUCIBLE",
},
cli.BoolFlag{
Name: "single-snapshot",
Usage: "Only create a single snapshot of the image.",
EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
},
cli.BoolFlag{
Name: "skip-push-permission-check",
Usage: "Skip permission check when pushing.",
EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
},
cli.BoolFlag{
Name: "skip-tls-verify-pull",
Usage: "Skip TLS verification when pulling.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
},
cli.BoolFlag{
Name: "skip-tls-verify-registry",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
},
cli.BoolFlag{
Name: "use-new-run",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_USE_NEW_RUN",
},
cli.BoolFlag{
Name: "ignore-var-run",
Usage: "Ignore the /var/run directory during build.",
EnvVar: "PLUGIN_IGNORE_VAR_RUN",
},
cli.StringFlag{
Name: "ignore-path",
Usage: "Path to ignore during the build.",
EnvVar: "PLUGIN_IGNORE_PATH",
},
cli.IntFlag{
Name: "image-fs-extract-retry",
Usage: "Number of retries for extracting filesystem layers.",
EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
},
cli.IntFlag{
Name: "image-download-retry",
Usage: "Number of retries for downloading base images.",
EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
},
}
if err := app.Run(os.Args); err != nil {
logrus.Fatal(err)
}
}
func run(c *cli.Context) error {
registry := c.String("registry")
noPush := c.Bool("no-push")
publicUrl, err := setupAuth(
c.String("tenant-id"),
c.String("client-id"),
c.String("client-cert"),
c.String("client-secret"),
c.String("subscription-id"),
registry,
c.String("base-image-username"),
c.String("base-image-password"),
c.String("base-image-registry"),
noPush,
)
if err != nil {
return err
}
plugin := kaniko.Plugin{
Build: kaniko.Build{
DroneCommitRef: c.String("drone-commit-ref"),
DroneRepoBranch: c.String("drone-repo-branch"),
Dockerfile: c.String("dockerfile"),
Context: c.String("context"),
Tags: c.StringSlice("tags"),
AutoTag: c.Bool("auto-tag"),
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
Target: c.String("target"),
Repo: c.String("repo"),
Mirrors: c.StringSlice("registry-mirrors"),
Labels: c.StringSlice("custom-labels"),
SnapshotMode: c.String("snapshot-mode"),
EnableCache: c.Bool("enable-cache"),
CacheRepo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
Insecure: c.Bool("insecure"),
InsecurePull: c.Bool("insecure-pull"),
InsecureRegistry: c.String("insecure-registry"),
Label: c.String("label"),
LogFormat: c.String("log-format"),
LogTimestamp: c.Bool("log-timestamp"),
OCILayoutPath: c.String("oci-layout-path"),
PushRetry: c.Int("push-retry"),
RegistryCertificate: c.String("registry-certificate"),
RegistryClientCert: c.String("registry-client-cert"),
SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
Reproducible: c.Bool("reproducible"),
SingleSnapshot: c.Bool("single-snapshot"),
SkipTLSVerify: c.Bool("skip-tls-verify"),
SkipPushPermissionCheck: c.Bool("skip-push-permission-check"),
SkipTLSVerifyPull: c.Bool("skip-tls-verify-pull"),
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
},
Artifact: kaniko.Artifact{
Tags: c.StringSlice("tags"),
Repo: c.String("repo"),
Registry: publicUrl, // this is public url on which the artifact can be seen
ArtifactFile: c.String("artifact-file"),
RegistryType: artifact.Docker,
},
}
if c.IsSet("compressed-caching") {
flag := c.Bool("compressed-caching")
plugin.Build.CompressedCaching = &flag
}
if c.IsSet("ignore-var-run") {
flag := c.Bool("ignore-var-run")
plugin.Build.IgnoreVarRun = &flag
}
return plugin.Exec()
}
func setupAuth(tenantId, clientId, cert,
clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry string, noPush bool) (string, error) {
if registry == "" {
return "", fmt.Errorf("registry must be specified")
}
// case of client secret or cert based auth
if clientId != "" {
// only setup auth when pushing or credentials are defined
token, publicUrl, err := getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
if err != nil {
if noPush {
logrus.Warnf("NO_PUSH mode: failed to fetch ACR Token: %v", err)
return "", nil
}
return "", errors.Wrap(err, "failed to fetch ACR Token")
}
// setup docker config for azure registry and base image docker registry
if err := setDockerAuth(username, token, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
if noPush {
logrus.Warnf("NO_PUSH mode: failed to create docker config: %v", err)
return "", nil
}
return "", errors.Wrap(err, "failed to create docker config")
}
return publicUrl, nil
} else {
if noPush {
return "", nil
}
return "", fmt.Errorf("managed authentication is not supported")
}
}
func getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry string) (string, string, error) {
if tenantId == "" {
return "", "", fmt.Errorf("tenantId can't be empty for AAD authentication")
}
if clientId == "" {
return "", "", fmt.Errorf("clientId can't be empty for AAD authentication")
}
if clientSecret == "" && cert == "" {
return "", "", fmt.Errorf("one of client secret or cert should be defined")
}
// in case of authentication via cert
if cert != "" {
err := setupACRCert(cert)
if err != nil {
errors.Wrap(err, "failed to push setup cert file")
}
}
if err := os.Setenv(clientIdEnv, clientId); err != nil {
return "", "", errors.Wrap(err, "failed to set env variable client Id")
}
if err := os.Setenv(clientSecretKeyEnv, clientSecret); err != nil {
return "", "", errors.Wrap(err, "failed to set env variable client secret")
}
if err := os.Setenv(tenantKeyEnv, tenantId); err != nil {
return "", "", errors.Wrap(err, "failed to set env variable tenant Id")
}
if err := os.Setenv(certPathEnv, ACRCertPath); err != nil {
return "", "", errors.Wrap(err, "failed to set env variable cert path")
}
env, err := azidentity.NewEnvironmentCredential(nil)
if err != nil {
return "", "", errors.Wrap(err, "failed to get env credentials from azure")
}
policy := policy.TokenRequestOptions{
Scopes: []string{"https://management.azure.com/.default"},
}
os.Unsetenv(clientIdEnv)
os.Unsetenv(clientSecretKeyEnv)
os.Unsetenv(tenantKeyEnv)
os.Unsetenv(certPathEnv)
azToken, err := env.GetToken(context.Background(), policy)
if err != nil {
return "", "", errors.Wrap(err, "failed to fetch access token")
}
publicUrl, err := getPublicUrl(azToken.Token, registry, subscriptionId)
if err != nil {
// execution should not fail because of this error.
fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
}
ACRToken, err := fetchACRToken(tenantId, azToken.Token, registry)
if err != nil {
return "", "", errors.Wrap(err, "failed to fetch ACR token")
}
return ACRToken, publicUrl, nil
}
func fetchACRToken(tenantId, token, registry string) (string, error) {
formData := url.Values{
"grant_type": {"access_token"},
"service": {registry},
"tenant": {tenantId},
"access_token": {token},
}
jsonResponse, err := http.PostForm(fmt.Sprintf("https://%s/oauth2/exchange", registry), formData)
if err != nil {
return "", errors.Wrap(err, "failed to fetch ACR token")
}
var response map[string]interface{}
err = json.NewDecoder(jsonResponse.Body).Decode(&response)
if err != nil {
return "", errors.Wrap(err, "failed to decode oauth exchange response")
}
if x, found := response["refresh_token"]; found {
s, ok := x.(string)
if !ok {
errors.New("failed to cast refresh token from acr")
} else {
return s, nil
}
} else {
return "", errors.Wrap(err, "refresh token not found in response of oauth exchange call")
}
return "", errors.New("failed to get refresh token from acr")
}
func setupACRCert(cert string) error {
decoded, err := base64.StdEncoding.DecodeString(cert)
if err != nil {
return errors.Wrap(err, "failed to base64 decode ACR certificate")
}
err = ioutil.WriteFile(ACRCertPath, []byte(decoded), 0644)
if err != nil {
return errors.Wrap(err, "failed to write ACR certificate")
}
return nil
}
func getPublicUrl(token, registryUrl, subscriptionId string) (string, error) {
// for backward compatibilty, if the subscription id is not defined, do not fail step.
if len(subscriptionId) == 0 {
return "", nil
}
registry := strings.Split(registryUrl, ".")[0]
baseURL := "https://management.azure.com/subscriptions/" +
subscriptionId + "/resources?$filter=resourceType%20eq%20'Microsoft.ContainerRegistry/registries'%20and%20name%20eq%20'" +
registry + "'&api-version=2021-04-01&$select=id"
method := "GET"
client := &http.Client{}
cnt := 0
for {
// this is just in case we end up cycling through nextLink's infinitely.
// this should not happen - added as a precaution.
if cnt > maxPageCount {
break
}
cnt++
req, err := http.NewRequest(method, baseURL, nil)
if err != nil {
return "", errors.Wrap(err, "failed to create request for getting container registry setting")
}
req.Header.Add("Authorization", "Bearer "+token)
res, err := client.Do(req)
if err != nil {
return "", errors.Wrap(err, "failed to send request for getting container registry setting")
}
defer res.Body.Close()
var response strct
err = json.NewDecoder(res.Body).Decode(&response)
if err != nil {
return "", errors.Wrap(err, "failed to send request for getting container registry setting")
}
if len(response.Value) > 0 {
if response.Value[0].ID == "" { // should not happen
return "", errors.New("received empty registry ID from /subscriptions API")
}
return finalUrl + encodeParam(response.Value[0].ID), nil
}
if response.NextLink == "" {
// No more pages, break the loop
break
}
baseURL = response.NextLink
}
return "", errors.New("did not receive any registry information from /subscriptions API")
}
func setDockerAuth(username, password, registry, dockerUsername, dockerPassword, dockerRegistry string) error {
dockerConfig := docker.NewConfig()
pushToRegistryCreds := docker.RegistryCredentials{
Registry: registry,
Username: username,
Password: password,
}
pullFromRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
}
credentials := []docker.RegistryCredentials{pushToRegistryCreds, pullFromRegistryCreds}
return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
}
func encodeParam(s string) string {
return url.QueryEscape(s)
}
type strct struct {
Value []struct {
ID string `json:"id"`
} `json:"value"`
NextLink string `json:"nextLink"` // for pagination
}
cmd/kaniko-acr/main_test.go
+156
View File
@@ -0,0 +1,156 @@
package main
import (
"encoding/base64"
"encoding/json"
"io/ioutil"
"os"
"path/filepath"
"testing"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/stretchr/testify/assert"
)
const (
v2RegistryURL string = "https://index.docker.io/v2/" // v2 registry is not supported
)
func TestCreateDockerConfigWithBaseRegistry(t *testing.T) {
username := "user1"
password := "pass1"
registry := "azurecr.io"
dockerUsername := "dockeruser"
dockerPassword := "dockerpass"
dockerRegistry := "https://index.docker.io/v1/"
privateRegistry := "privateDockerRegistry"
privateRegistryUsername := "priaveUsername"
privateRegistryPassword := "privatePassword"
credentials := []docker.RegistryCredentials{
{
Registry: registry,
Username: username,
Password: password,
},
{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
},
{
Registry: privateRegistry,
Username: privateRegistryUsername,
Password: privateRegistryPassword,
},
}
tempDir, err := ioutil.TempDir("", "docker-config-test")
assert.NoError(t, err)
defer os.RemoveAll(tempDir)
config := docker.NewConfig()
err = config.CreateDockerConfig(credentials, tempDir)
assert.NoError(t, err)
expectedAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(username + ":" + password))}
assert.Equal(t, expectedAuth, config.Auths[registry])
expectedDockerAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(dockerUsername + ":" + dockerPassword))}
assert.Equal(t, expectedDockerAuth, config.Auths[dockerRegistry])
configPath := filepath.Join(tempDir, "config.json")
data, err := ioutil.ReadFile(configPath)
assert.NoError(t, err)
var configFromFile docker.Config
err = json.Unmarshal(data, &configFromFile)
assert.NoError(t, err)
assert.Equal(t, config.Auths, configFromFile.Auths)
err = config.CreateDockerConfig([]docker.RegistryCredentials{
{
Registry: registry,
Username: "",
Password: password,
},
}, tempDir)
assert.EqualError(t, err, "Username must be specified for registry: "+registry)
err = config.CreateDockerConfig([]docker.RegistryCredentials{
{
Registry: registry,
Username: username,
Password: "",
},
}, tempDir)
assert.EqualError(t, err, "Password must be specified for registry: "+registry)
// v1 registry but without username password
err = config.CreateDockerConfig([]docker.RegistryCredentials{
{
Registry: registry,
Username: username,
Password: password,
},
{
Registry: dockerRegistry,
Username: "",
Password: "",
},
}, tempDir)
assert.EqualError(t, err, "Username must be specified for registry: "+dockerRegistry)
// private base registry without username/password
err = config.CreateDockerConfig([]docker.RegistryCredentials{
{
Registry: privateRegistry,
Username: "",
Password: "",
},
}, tempDir)
assert.EqualError(t, err, "Username must be specified for registry: "+privateRegistry)
}
func TestCreateDockerConfigWithoutBaseRegistry(t *testing.T) {
username := "user1"
password := "pass1"
registry := "azurecr.io"
credentials := []docker.RegistryCredentials{
{
Registry: registry,
Username: username,
Password: password,
},
}
// Create a temporary directory
tempDir, err := ioutil.TempDir("", "docker-config-test")
assert.NoError(t, err)
defer os.RemoveAll(tempDir)
config := docker.NewConfig()
err = config.CreateDockerConfig(credentials, tempDir)
assert.NoError(t, err)
expectedAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(username + ":" + password))}
assert.Equal(t, expectedAuth, config.Auths[registry])
// Check the contents of the config.json file
configPath := filepath.Join(tempDir, "config.json")
data, err := ioutil.ReadFile(configPath)
assert.NoError(t, err)
var configFromFile docker.Config
err = json.Unmarshal(data, &configFromFile)
assert.NoError(t, err)
assert.Equal(t, config.Auths, configFromFile.Auths)
// Check if the public Docker Hub auth is not set
_, exists := config.Auths[""]
assert.False(t, exists)
}
cmd/kaniko-docker/main.go
+316 -66
View File
@@ -1,9 +1,6 @@
package main
import (
"encoding/base64"
"fmt"
"io/ioutil"
"os"
"strings"
@@ -14,6 +11,7 @@ import (
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
)
const (
@@ -21,9 +19,7 @@ const (
dockerPath string = "/kaniko/.docker"
dockerConfigPath string = "/kaniko/.docker/config.json"
v1RegistryURL string = "https://index.docker.io/v1/" // Default registry
v2RegistryURL string = "https://index.docker.io/v2/" // v2 registry is not supported
v2HubRegistryURL string = "https://registry.hub.docker.com/v2/"
v1RegistryURL string = "https://index.docker.io/v1/" // Default registry
defaultDigestFile string = "/kaniko/digest-file"
)
@@ -75,6 +71,11 @@ func main() {
EnvVar: "PLUGIN_TAGS",
FilePath: ".tags",
},
cli.BoolFlag{
Name: "expand-repo",
Usage: "Prepends the registry url to the repo if registry url is not specified in repo name",
EnvVar: "PLUGIN_EXPAND_REPO",
},
cli.BoolFlag{
Name: "expand-tag",
Usage: "enable for semver tagging",
@@ -85,6 +86,11 @@ func main() {
Usage: "enable auto generation of build tags",
EnvVar: "PLUGIN_AUTO_TAG",
},
cli.StringFlag{
Name: "dockerconfig",
Usage: "docker json dockerconfig",
EnvVar: "PLUGIN_CONFIG",
},
cli.StringFlag{
Name: "auto-tag-suffix",
Usage: "the suffix of auto build tags",
@@ -112,10 +118,15 @@ func main() {
},
cli.StringFlag{
Name: "registry",
Usage: "docker registry",
Usage: "docker registry of registry to push image to",
Value: v1RegistryURL,
EnvVar: "PLUGIN_REGISTRY",
},
cli.StringFlag{
Name: "base-image-registry",
Usage: "Docker registry for base image",
EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
},
cli.StringSliceFlag{
Name: "registry-mirrors",
Usage: "docker registry mirrors",
@@ -123,14 +134,24 @@ func main() {
},
cli.StringFlag{
Name: "username",
Usage: "docker username",
Usage: "docker username of registry to push image to",
EnvVar: "PLUGIN_USERNAME",
},
cli.StringFlag{
Name: "base-image-username",
Usage: "Docker username for base image registry",
EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
},
cli.StringFlag{
Name: "password",
Usage: "docker password",
Usage: "docker password of registry to push image to",
EnvVar: "PLUGIN_PASSWORD",
},
cli.StringFlag{
Name: "base-image-password",
Usage: "Docker password for base image registry",
EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
},
cli.BoolFlag{
Name: "skip-tls-verify",
Usage: "Skip registry tls verify",
@@ -166,6 +187,11 @@ func main() {
Usage: "Set this flag if you only want to build the image, without pushing to a registry",
EnvVar: "PLUGIN_NO_PUSH",
},
cli.StringFlag{
Name: "tar-path",
Usage: "Set this flag to save the image as a tarball at path",
EnvVar: "PLUGIN_TAR_PATH, PLUGIN_DESTINATION_TAR_PATH",
},
cli.StringFlag{
Name: "verbosity",
Usage: "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -176,6 +202,182 @@ func main() {
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
Usage: "build only used stages",
EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
},
cli.StringFlag{
Name: "output-file",
Usage: "Output file location that will be generated by the plugin. This file will include information of the output that are exported by the plugin.",
EnvVar: "DRONE_OUTPUT",
},
cli.StringFlag{
Name: "cache-dir",
Usage: "Set this flag to specify a local directory cache for base images",
EnvVar: "PLUGIN_CACHE_DIR",
},
cli.BoolFlag{
Name: "cache-copy-layers",
Usage: "Enable or disable copying layers from the cache.",
EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
},
cli.BoolFlag{
Name: "cache-run-layers",
Usage: "Enable or disable running layers from the cache.",
EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
},
cli.BoolFlag{
Name: "cleanup",
Usage: "Enable or disable cleanup of temporary files.",
EnvVar: "PLUGIN_CLEANUP",
},
cli.BoolFlag{
Name: "compressed-caching",
Usage: "Enable or disable compressed caching.",
EnvVar: "PLUGIN_COMPRESSED_CACHING",
},
cli.StringFlag{
Name: "context-sub-path",
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
EnvVar: "PLUGIN_FORCE",
},
cli.StringFlag{
Name: "image-name-with-digest-file",
Usage: "Write image name with digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
},
cli.StringFlag{
Name: "image-name-tag-with-digest-file",
Usage: "Write image name with tag and digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
},
cli.BoolFlag{
Name: "insecure",
Usage: "Allow connecting to registries without TLS.",
EnvVar: "PLUGIN_INSECURE",
},
cli.BoolFlag{
Name: "insecure-pull",
Usage: "Allow insecure pulls from the registry.",
EnvVar: "PLUGIN_INSECURE_PULL",
},
cli.StringFlag{
Name: "insecure-registry",
Usage: "Use plain HTTP for registry communication.",
EnvVar: "PLUGIN_INSECURE_REGISTRY",
},
cli.StringFlag{
Name: "log-format",
Usage: "Set the log format for build output.",
EnvVar: "PLUGIN_LOG_FORMAT",
},
cli.BoolFlag{
Name: "log-timestamp",
Usage: "Show timestamps in build output.",
EnvVar: "PLUGIN_LOG_TIMESTAMP",
},
cli.StringFlag{
Name: "oci-layout-path",
Usage: "Directory to store OCI layout.",
EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
},
cli.IntFlag{
Name: "push-retry",
Usage: "Number of times to retry pushing an image.",
EnvVar: "PLUGIN_PUSH_RETRY",
},
cli.StringFlag{
Name: "registry-certificate",
Usage: "Path to a file containing a registry certificate.",
EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
},
cli.StringFlag{
Name: "registry-client-cert",
Usage: "Path to a file containing a registry client certificate.",
EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
},
cli.BoolFlag{
Name: "skip-default-registry-fallback",
Usage: "Skip Docker Hub and default registry fallback.",
EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
},
cli.BoolFlag{
Name: "reproducible",
Usage: "Create a reproducible image.",
EnvVar: "PLUGIN_REPRODUCIBLE",
},
cli.BoolFlag{
Name: "single-snapshot",
Usage: "Only create a single snapshot of the image.",
EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
},
cli.BoolFlag{
Name: "skip-push-permission-check",
Usage: "Skip permission check when pushing.",
EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
},
cli.BoolFlag{
Name: "skip-tls-verify-pull",
Usage: "Skip TLS verification when pulling.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
},
cli.BoolFlag{
Name: "skip-tls-verify-registry",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
},
cli.BoolFlag{
Name: "use-new-run",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_USE_NEW_RUN",
},
cli.BoolFlag{
Name: "ignore-var-run",
Usage: "Ignore the /var/run directory during build.",
EnvVar: "PLUGIN_IGNORE_VAR_RUN",
},
cli.StringFlag{
Name: "ignore-path",
Usage: "Path to ignore during the build.",
EnvVar: "PLUGIN_IGNORE_PATH",
},
cli.StringSliceFlag{
Name: "ignore-paths",
Usage: "Path to ignore during the build.",
EnvVar: "PLUGIN_IGNORE_PATHS",
},
cli.IntFlag{
Name: "image-fs-extract-retry",
Usage: "Number of retries for extracting filesystem layers.",
EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
},
cli.IntFlag{
Name: "image-download-retry",
Usage: "Number of retries for downloading base images.",
EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
},
cli.StringFlag{
Name: "source-tar-path",
Usage: "Set this flag for the source tarball during push operations.",
EnvVar: "PLUGIN_SOURCE_TAR_PATH",
},
cli.BoolFlag{
Name: "push-only",
Usage: "Specify if the operation is push-only",
EnvVar: "PLUGIN_PUSH_ONLY",
},
}
if err := app.Run(os.Args); err != nil {
@@ -186,85 +388,133 @@ func main() {
func run(c *cli.Context) error {
username := c.String("username")
noPush := c.Bool("no-push")
// only setup auth when pushing or credentials are defined
if !noPush || username != "" {
if err := createDockerCfgFile(username, c.String("password"), c.String("registry")); err != nil {
configOverride := c.String("dockerconfig")
// if configOverride is provided, use this directly to write to docker config file
if len(configOverride) > 0 {
if err := docker.WriteDockerConfig([]byte(configOverride), dockerPath); err != nil {
return err
}
} else if !noPush || username != "" {
// setup auth when pushing/pulling or credentials are defined and docker config override is false
err := setDockerAuth(
c.String("username"),
c.String("password"),
c.String("registry"),
c.String("base-image-username"),
c.String("base-image-password"),
c.String("base-image-registry"),
)
if err != nil {
return errors.Wrap(err, "failed to create docker config")
}
}
plugin := kaniko.Plugin{
Build: kaniko.Build{
DroneCommitRef: c.String("drone-commit-ref"),
DroneRepoBranch: c.String("drone-repo-branch"),
Dockerfile: c.String("dockerfile"),
Context: c.String("context"),
Tags: c.StringSlice("tags"),
AutoTag: c.Bool("auto-tag"),
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
Target: c.String("target"),
Repo: buildRepo(c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
Labels: c.StringSlice("custom-labels"),
SkipTlsVerify: c.Bool("skip-tls-verify"),
SnapshotMode: c.String("snapshot-mode"),
EnableCache: c.Bool("enable-cache"),
CacheRepo: buildRepo(c.String("registry"), c.String("cache-repo")),
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
DroneCommitRef: c.String("drone-commit-ref"),
DroneRepoBranch: c.String("drone-repo-branch"),
Dockerfile: c.String("dockerfile"),
Context: c.String("context"),
Tags: c.StringSlice("tags"),
AutoTag: c.Bool("auto-tag"),
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
Target: c.String("target"),
Repo: buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
Mirrors: c.StringSlice("registry-mirrors"),
Labels: c.StringSlice("custom-labels"),
SkipTlsVerify: c.Bool("skip-tls-verify"),
SnapshotMode: c.String("snapshot-mode"),
EnableCache: c.Bool("enable-cache"),
CacheRepo: buildRepo(c.String("registry"), c.String("cache-repo"), c.Bool("expand-repo")),
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
TarPath: c.String("tar-path"),
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
PushOnly: c.Bool("push-only"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
Insecure: c.Bool("insecure"),
InsecurePull: c.Bool("insecure-pull"),
InsecureRegistry: c.String("insecure-registry"),
Label: c.String("label"),
LogFormat: c.String("log-format"),
LogTimestamp: c.Bool("log-timestamp"),
OCILayoutPath: c.String("oci-layout-path"),
PushRetry: c.Int("push-retry"),
RegistryCertificate: c.String("registry-certificate"),
RegistryClientCert: c.String("registry-client-cert"),
SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
Reproducible: c.Bool("reproducible"),
SingleSnapshot: c.Bool("single-snapshot"),
SkipTLSVerify: c.Bool("skip-tls-verify"),
SkipPushPermissionCheck: c.Bool("skip-push-permission-check"),
SkipTLSVerifyPull: c.Bool("skip-tls-verify-pull"),
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
SourceTarPath: c.String("source-tar-path"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
},
Artifact: kaniko.Artifact{
Tags: c.StringSlice("tags"),
Repo: buildRepo(c.String("registry"), c.String("repo")),
Repo: buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
Registry: c.String("registry"),
ArtifactFile: c.String("artifact-file"),
RegistryType: artifact.Docker,
},
Output: kaniko.Output{
OutputFile: c.String("output-file"),
},
}
if c.IsSet("compressed-caching") {
flag := c.Bool("compressed-caching")
plugin.Build.CompressedCaching = &flag
}
if c.IsSet("ignore-var-run") {
flag := c.Bool("ignore-var-run")
plugin.Build.IgnoreVarRun = &flag
}
return plugin.Exec()
}
// Create the docker config file for authentication
func createDockerCfgFile(username, password, registry string) error {
if username == "" {
return fmt.Errorf("Username must be specified")
}
if password == "" {
return fmt.Errorf("Password must be specified")
}
if registry == "" {
return fmt.Errorf("Registry must be specified")
func setDockerAuth(username, password, registry, baseImageUsername, baseImagePassword, baseImageRegistry string) error {
dockerConfig := docker.NewConfig()
pushToRegistryCreds := docker.RegistryCredentials{
Registry: registry,
Username: username,
Password: password,
}
credentials := []docker.RegistryCredentials{pushToRegistryCreds}
if registry == v2RegistryURL || registry == v2HubRegistryURL {
fmt.Println("Docker v2 registry is not supported in kaniko. Refer issue: https://github.com/GoogleContainerTools/kaniko/issues/1209")
fmt.Printf("Using v1 registry instead: %s\n", v1RegistryURL)
registry = v1RegistryURL
if baseImageRegistry != "" {
pullFromRegistryCreds := docker.RegistryCredentials{
Registry: baseImageRegistry,
Username: baseImageUsername,
Password: baseImagePassword,
}
credentials = append(credentials, pullFromRegistryCreds)
}
err := os.MkdirAll(dockerPath, 0600)
if err != nil {
return errors.Wrap(err, fmt.Sprintf("failed to create %s directory", dockerPath))
}
authBytes := []byte(fmt.Sprintf("%s:%s", username, password))
encodedString := base64.StdEncoding.EncodeToString(authBytes)
jsonBytes := []byte(fmt.Sprintf(`{"auths": {"%s": {"auth": "%s"}}}`, registry, encodedString))
err = ioutil.WriteFile(dockerConfigPath, jsonBytes, 0644)
if err != nil {
return errors.Wrap(err, "failed to create docker config file")
}
return nil
// Creates docker config for both the regustries used for authentication
return dockerConfig.CreateDockerConfig(credentials, dockerPath)
}
func buildRepo(registry, repo string) string {
if registry == "" {
func buildRepo(registry, repo string, expandRepo bool) string {
if !expandRepo || registry == "" || registry == v1RegistryURL {
// No custom registry, just return the repo name
return repo
}
cmd/kaniko-docker/main_test.go
+88 -2
View File
@@ -1,6 +1,12 @@
package main
import "testing"
import (
"io/ioutil"
"os"
"testing"
"github.com/drone/drone-kaniko/pkg/docker"
)
func Test_buildRepo(t *testing.T) {
tests := []struct {
@@ -29,9 +35,89 @@ func Test_buildRepo(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := buildRepo(tt.registry, tt.repo); got != tt.want {
if got := buildRepo(tt.registry, tt.repo, true); got != tt.want {
t.Errorf("buildRepo(%q, %q) = %v, want %v", tt.registry, tt.repo, got, tt.want)
}
})
}
}
func TestCreateDockerConfig(t *testing.T) {
config := docker.NewConfig()
tempDir, err := ioutil.TempDir("", "docker-config-test")
if err != nil {
t.Fatalf("Failed to create temporary directory: %v", err)
}
defer os.RemoveAll(tempDir)
tests := []struct {
name string
credentials []docker.RegistryCredentials
wantErr bool
}{
{
name: "valid credentials",
credentials: []docker.RegistryCredentials{
{
Registry: "https://index.docker.io/v1/",
Username: "testuser",
Password: "testpassword",
},
},
wantErr: false,
},
{
name: "v2 registry",
credentials: []docker.RegistryCredentials{
{
Registry: "https://index.docker.io/v2/",
Username: "testuser",
Password: "testpassword",
},
},
wantErr: false,
},
{
name: "docker registry credentials",
credentials: []docker.RegistryCredentials{
{
Registry: "https://index.docker.io/v1/",
Username: "testuser",
Password: "testpassword",
},
{
Registry: "https://docker.io",
Username: "dockeruser",
Password: "dockerpassword",
},
},
wantErr: false,
},
{
name: "empty docker registry",
credentials: []docker.RegistryCredentials{
{
Registry: "https://index.docker.io/v1/",
Username: "testuser",
Password: "testpassword",
},
{
Registry: "https://docker.io",
Username: "dockeruser",
Password: "",
},
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := config.CreateDockerConfig(tt.credentials, tempDir)
if (err != nil) != tt.wantErr {
t.Errorf("CreateDockerConfig() error = %v, wantErr %v", err, tt.wantErr)
return
}
})
}
}
cmd/kaniko-ecr/custom_string_slice.go
+33
View File
@@ -0,0 +1,33 @@
package main
import (
"strings"
)
// CustomStringSliceFlag is like a regular StringSlice flag but with
// semicolon as a delimiter
type CustomStringSliceFlag struct {
Value []string
}
func (f *CustomStringSliceFlag) GetValue() []string {
if f.Value == nil {
return make([]string, 0)
}
return f.Value
}
func (f *CustomStringSliceFlag) String() string {
if f.Value == nil {
return ""
}
return strings.Join(f.Value, ";")
}
func (f *CustomStringSliceFlag) Set(v string) error {
for _, s := range strings.Split(v, ";") {
s = strings.TrimSpace(s)
f.Value = append(f.Value, s)
}
return nil
}
cmd/kaniko-ecr/main.go
+693 -104
View File
@@ -2,37 +2,52 @@ package main
import (
"context"
"encoding/json"
"encoding/base64"
"fmt"
"io/ioutil"
"os"
"strings"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/ecr"
"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
awsv1 "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
ecrpublicv1 "github.com/aws/aws-sdk-go/service/ecrpublic"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/aws/smithy-go"
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/hashicorp/go-version"
"github.com/joho/godotenv"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/crane"
)
const (
accessKeyEnv string = "AWS_ACCESS_KEY_ID"
dockerConfigPath string = "/kaniko/.docker"
secretKeyEnv string = "AWS_SECRET_ACCESS_KEY"
dockerConfigPath string = "/kaniko/.docker/config.json"
ecrPublicDomain string = "public.ecr.aws"
kanikoVersionEnv string = "KANIKO_VERSION"
sessionKeyEnv string = "AWS_SESSION_TOKEN"
defaultDigestFile string = "/kaniko/digest-file"
oneDotEightVersion string = "1.8.0"
defaultDigestFile string = "/kaniko/digest-file"
)
var (
version = "unknown"
pluginVersion = "unknown"
)
func main() {
@@ -47,7 +62,7 @@ func main() {
app.Name = "kaniko docker plugin"
app.Usage = "kaniko docker plugin"
app.Action = run
app.Version = version
app.Version = pluginVersion
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "dockerfile",
@@ -55,15 +70,20 @@ func main() {
Value: "Dockerfile",
EnvVar: "PLUGIN_DOCKERFILE",
},
cli.StringFlag{
Name: "docker-registry",
Usage: "Docker registry for base image",
EnvVar: "PLUGIN_DOCKER_REGISTRY,DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY",
},
cli.StringFlag{
Name: "docker-username",
Usage: "docker username",
EnvVar: "PLUGIN_USERNAME,DOCKER_USERNAME",
Usage: "Docker username for base image registry",
EnvVar: "PLUGIN_USERNAME,PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
},
cli.StringFlag{
Name: "docker-password",
Usage: "docker password",
EnvVar: "PLUGIN_PASSWORD,DOCKER_PASSWORD",
Usage: "Docker password for base image registry",
EnvVar: "PLUGIN_PASSWORD,PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
},
cli.StringFlag{
Name: "context",
@@ -108,6 +128,17 @@ func main() {
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.GenericFlag{
Name: "args-new",
Usage: "build args new",
EnvVar: "PLUGIN_BUILD_ARGS_NEW",
Value: new(CustomStringSliceFlag),
},
cli.BoolFlag{
Name: "plugin-multiple-build-agrs",
Usage: "plugin multiple build agrs",
EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",
Usage: "build target",
@@ -154,6 +185,16 @@ func main() {
Usage: "ECR secret key",
EnvVar: "PLUGIN_SECRET_KEY",
},
cli.StringFlag{
Name: "assume-role",
Usage: "Assume a role",
EnvVar: "PLUGIN_ASSUME_ROLE",
},
cli.StringFlag{
Name: "external-id",
Usage: "Used along with assume role to assume a role",
EnvVar: "PLUGIN_EXTERNAL_ID",
},
cli.StringFlag{
Name: "snapshot-mode",
Usage: "Specify one of full, redo or time as snapshot mode",
@@ -204,6 +245,182 @@ func main() {
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
Usage: "build only used stages",
EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
},
cli.StringFlag{
Name: "cache-dir",
Usage: "Set this flag to specify a local directory cache for base images",
EnvVar: "PLUGIN_CACHE_DIR",
},
cli.BoolFlag{
Name: "cache-copy-layers",
Usage: "Enable or disable copying layers from the cache.",
EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
},
cli.BoolFlag{
Name: "cache-run-layers",
Usage: "Enable or disable running layers from the cache.",
EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
},
cli.BoolFlag{
Name: "cleanup",
Usage: "Enable or disable cleanup of temporary files.",
EnvVar: "PLUGIN_CLEANUP",
},
cli.BoolFlag{
Name: "compressed-caching",
Usage: "Enable or disable compressed caching.",
EnvVar: "PLUGIN_COMPRESSED_CACHING",
},
cli.StringFlag{
Name: "context-sub-path",
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
EnvVar: "PLUGIN_FORCE",
},
cli.StringFlag{
Name: "image-name-with-digest-file",
Usage: "Write image name with digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
},
cli.StringFlag{
Name: "image-name-tag-with-digest-file",
Usage: "Write image name with tag and digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
},
cli.BoolFlag{
Name: "insecure",
Usage: "Allow connecting to registries without TLS.",
EnvVar: "PLUGIN_INSECURE",
},
cli.BoolFlag{
Name: "insecure-pull",
Usage: "Allow insecure pulls from the registry.",
EnvVar: "PLUGIN_INSECURE_PULL",
},
cli.StringFlag{
Name: "insecure-registry",
Usage: "Use plain HTTP for registry communication.",
EnvVar: "PLUGIN_INSECURE_REGISTRY",
},
cli.StringFlag{
Name: "log-format",
Usage: "Set the log format for build output.",
EnvVar: "PLUGIN_LOG_FORMAT",
},
cli.BoolFlag{
Name: "log-timestamp",
Usage: "Show timestamps in build output.",
EnvVar: "PLUGIN_LOG_TIMESTAMP",
},
cli.StringFlag{
Name: "oci-layout-path",
Usage: "Directory to store OCI layout.",
EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
},
cli.IntFlag{
Name: "push-retry",
Usage: "Number of times to retry pushing an image.",
EnvVar: "PLUGIN_PUSH_RETRY",
},
cli.StringFlag{
Name: "registry-certificate",
Usage: "Path to a file containing a registry certificate.",
EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
},
cli.StringFlag{
Name: "registry-client-cert",
Usage: "Path to a file containing a registry client certificate.",
EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
},
cli.BoolFlag{
Name: "skip-default-registry-fallback",
Usage: "Skip Docker Hub and default registry fallback.",
EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
},
cli.BoolFlag{
Name: "reproducible",
Usage: "Create a reproducible image.",
EnvVar: "PLUGIN_REPRODUCIBLE",
},
cli.BoolFlag{
Name: "single-snapshot",
Usage: "Only create a single snapshot of the image.",
EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
},
cli.BoolFlag{
Name: "skip-push-permission-check",
Usage: "Skip permission check when pushing.",
EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
},
cli.BoolFlag{
Name: "skip-tls-verify-pull",
Usage: "Skip TLS verification when pulling.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
},
cli.BoolFlag{
Name: "skip-tls-verify-registry",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
},
cli.BoolFlag{
Name: "use-new-run",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_USE_NEW_RUN",
},
cli.BoolFlag{
Name: "ignore-var-run",
Usage: "Ignore the /var/run directory during build.",
EnvVar: "PLUGIN_IGNORE_VAR_RUN",
},
cli.StringFlag{
Name: "ignore-path",
Usage: "Path to ignore during the build.",
EnvVar: "PLUGIN_IGNORE_PATH",
},
cli.IntFlag{
Name: "image-fs-extract-retry",
Usage: "Number of retries for extracting filesystem layers.",
EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
},
cli.IntFlag{
Name: "image-download-retry",
Usage: "Number of retries for downloading base images.",
EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
},
cli.StringFlag{
Name: "oidc-token-id",
Usage: "OIDC token for assuming role via web identity",
EnvVar: "PLUGIN_OIDC_TOKEN_ID",
},
cli.StringFlag{
Name: "tar-path",
Usage: "Set this flag to save the image as a tarball at path",
EnvVar: "PLUGIN_TAR_PATH, PLUGIN_DESTINATION_TAR_PATH",
},
cli.StringFlag{
Name: "source-tar-path",
Usage: "Set this flag for the source tarball during push operations.",
EnvVar: "PLUGIN_SOURCE_TAR_PATH",
},
cli.BoolFlag{
Name: "push-only",
Usage: "Specify if the operation is push-only",
EnvVar: "PLUGIN_PUSH_ONLY",
},
}
if err := app.Run(os.Args); err != nil {
@@ -216,31 +433,42 @@ func run(c *cli.Context) error {
registry := c.String("registry")
region := c.String("region")
noPush := c.Bool("no-push")
pushOnly := c.Bool("push-only")
assumeRole := c.String("assume-role")
externalId := c.String("external-id")
oidcToken := c.String("oidc-token-id")
dockerConfig, err := createDockerConfig(
// Validate flags
if noPush && pushOnly {
return fmt.Errorf("no-push and push-only flags cannot be used together")
}
// Handle push-only operation
if pushOnly {
return handlePushOnly(c)
}
// setup docker config for azure registry and base image docker registry
err := setDockerAuth(
c.String("docker-registry"),
c.String("docker-username"),
c.String("docker-password"),
c.String("access-key"),
c.String("secret-key"),
registry,
assumeRole,
externalId,
region,
noPush,
oidcToken,
)
if err != nil {
return err
}
jsonBytes, err := json.Marshal(dockerConfig)
if err != nil {
return err
}
if err := ioutil.WriteFile(dockerConfigPath, jsonBytes, 0644); err != nil {
return err
return errors.Wrap(err, "failed to create docker config")
}
// only create repository when pushing and create-repository is true
if !noPush && c.Bool("create-repository") {
if err := createRepository(region, repo, registry); err != nil {
if err := createRepository(region, repo, registry, assumeRole, externalId); err != nil {
return err
}
}
@@ -250,7 +478,7 @@ func run(c *cli.Context) error {
if err != nil {
logrus.Fatal(err)
}
if err := uploadLifeCyclePolicy(region, repo, string(contents)); err != nil {
if err := uploadLifeCyclePolicy(region, repo, string(contents), assumeRole, externalId); err != nil {
logrus.Fatal(fmt.Sprintf("error uploading ECR lifecycle policy: %v", err))
}
}
@@ -260,34 +488,71 @@ func run(c *cli.Context) error {
if err != nil {
logrus.Fatal(err)
}
if err := uploadRepositoryPolicy(region, repo, registry, string(contents)); err != nil {
if err := uploadRepositoryPolicy(region, repo, registry, string(contents), assumeRole, externalId); err != nil {
logrus.Fatal(fmt.Sprintf("error uploading ECR lifecycle policy: %v", err))
}
}
plugin := kaniko.Plugin{
Build: kaniko.Build{
DroneCommitRef: c.String("drone-commit-ref"),
DroneRepoBranch: c.String("drone-repo-branch"),
Dockerfile: c.String("dockerfile"),
Context: c.String("context"),
Tags: c.StringSlice("tags"),
AutoTag: c.Bool("auto-tag"),
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
Target: c.String("target"),
Repo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
Labels: c.StringSlice("custom-labels"),
SnapshotMode: c.String("snapshot-mode"),
EnableCache: c.Bool("enable-cache"),
CacheRepo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
DroneCommitRef: c.String("drone-commit-ref"),
DroneRepoBranch: c.String("drone-repo-branch"),
Dockerfile: c.String("dockerfile"),
Context: c.String("context"),
Tags: c.StringSlice("tags"),
AutoTag: c.Bool("auto-tag"),
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
ArgsNew: c.Generic("args-new").(*CustomStringSliceFlag).GetValue(),
IsMultipleBuildArgs: c.Bool("plugin-multiple-build-agrs"),
Target: c.String("target"),
Repo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
Labels: c.StringSlice("custom-labels"),
SnapshotMode: c.String("snapshot-mode"),
EnableCache: c.Bool("enable-cache"),
CacheRepo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
Insecure: c.Bool("insecure"),
InsecurePull: c.Bool("insecure-pull"),
InsecureRegistry: c.String("insecure-registry"),
Label: c.String("label"),
LogFormat: c.String("log-format"),
LogTimestamp: c.Bool("log-timestamp"),
OCILayoutPath: c.String("oci-layout-path"),
PushRetry: c.Int("push-retry"),
RegistryCertificate: c.String("registry-certificate"),
RegistryClientCert: c.String("registry-client-cert"),
SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
Reproducible: c.Bool("reproducible"),
SingleSnapshot: c.Bool("single-snapshot"),
SkipTLSVerify: c.Bool("skip-tls-verify"),
SkipPushPermissionCheck: c.Bool("skip-push-permission-check"),
SkipTLSVerifyPull: c.Bool("skip-tls-verify-pull"),
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
TarPath: c.String("tar-path"),
SourceTarPath: c.String("source-tar-path"),
PushOnly: c.Bool("push-only"),
},
Artifact: kaniko.Artifact{
Tags: c.StringSlice("tags"),
@@ -297,43 +562,91 @@ func run(c *cli.Context) error {
RegistryType: artifact.ECR,
},
}
if c.IsSet("compressed-caching") {
flag := c.Bool("compressed-caching")
plugin.Build.CompressedCaching = &flag
}
if c.IsSet("ignore-var-run") {
flag := c.Bool("ignore-var-run")
plugin.Build.IgnoreVarRun = &flag
}
return plugin.Exec()
}
func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey, registry string, noPush bool) (*docker.Config, error) {
func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, secretKey,
registry, assumeRole, externalId, region string, noPush bool, oidcToken string) error {
dockerConfig := docker.NewConfig()
if dockerUsername != "" {
dockerConfig.SetAuth(docker.RegistryV1, dockerUsername, dockerPassword)
credentials := []docker.RegistryCredentials{}
// set docker credentials for base image registry
if dockerRegistry != "" {
pullFromRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
}
credentials = append(credentials, pullFromRegistryCreds)
}
// only setup auth when pushing or credentials are defined
if !noPush || accessKey != "" {
if assumeRole != "" && oidcToken != "" {
oidcAccessKey, oidcSecretKey, oidcSessionKey, err := getOidcCreds(oidcToken, assumeRole)
if err != nil {
return err
}
_ = os.Setenv(accessKeyEnv, oidcAccessKey)
_ = os.Setenv(secretKeyEnv, oidcSecretKey)
_ = os.Setenv(sessionKeyEnv, oidcSessionKey)
// kaniko-executor >=1.8.0 does not require additional cred helper logic for ECR,
// as it discovers ECR repositories automatically and acts accordingly.
if isKanikoVersionBelowOneDotEight(os.Getenv(kanikoVersionEnv)) {
dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
dockerConfig.SetCredHelper(registry, "ecr-login")
}
} else if assumeRole != "" {
var err error
username, password, registry, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
if err != nil {
return err
}
pushToRegistryCreds := docker.RegistryCredentials{
Registry: registry,
Username: username,
Password: password,
}
credentials = append(credentials, pushToRegistryCreds)
} else if !noPush || accessKey != "" {
// only setup auth when pushing or credentials are defined
if registry == "" {
return nil, fmt.Errorf("registry must be specified")
return fmt.Errorf("registry must be specified")
}
// If IAM role is used, access key & secret key are not required
if accessKey != "" && secretKey != "" {
err := os.Setenv(accessKeyEnv, accessKey)
if err != nil {
return nil, errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", accessKeyEnv))
return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", accessKeyEnv))
}
err = os.Setenv(secretKeyEnv, secretKey)
if err != nil {
return nil, errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", secretKeyEnv))
return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", secretKeyEnv))
}
}
dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
dockerConfig.SetCredHelper(registry, "ecr-login")
// kaniko-executor >=1.8.0 does not require additional cred helper logic for ECR,
// as it discovers ECR repositories automatically and acts accordingly.
if isKanikoVersionBelowOneDotEight(os.Getenv(kanikoVersionEnv)) {
dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
dockerConfig.SetCredHelper(registry, "ecr-login")
}
}
return dockerConfig, nil
return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
}
func createRepository(region, repo, registry string) error {
func createRepository(region, repo, registry, assumeRole, externalId string) error {
if registry == "" {
return fmt.Errorf("registry must be specified")
}
@@ -342,22 +655,29 @@ func createRepository(region, repo, registry string) error {
return fmt.Errorf("repo must be specified")
}
cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
if err != nil {
return errors.Wrap(err, "failed to load aws config")
}
var createErr error
//create public repo
//if registry string starts with public domain (ex: public.ecr.aws/example-registry)
if isRegistryPublic(registry) {
svc := ecrpublic.NewFromConfig(cfg)
_, createErr = svc.CreateRepository(context.TODO(), &ecrpublic.CreateRepositoryInput{RepositoryName: &repo})
//create private repo
if assumeRole != "" {
if isRegistryPublic(registry) {
_, createErr = getAssumeRoleEcrPublicSvc(region, assumeRole, externalId).CreateRepository(&ecrpublicv1.CreateRepositoryInput{RepositoryName: &repo})
} else {
_, createErr = getAssumeRoleEcrSvc(region, assumeRole, externalId).CreateRepository(&ecrv1.CreateRepositoryInput{RepositoryName: &repo})
}
} else {
svc := ecr.NewFromConfig(cfg)
_, createErr = svc.CreateRepository(context.TODO(), &ecr.CreateRepositoryInput{RepositoryName: &repo})
cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
if err != nil {
return errors.Wrap(err, "failed to load aws config")
}
//create public repo
//if registry string starts with public domain (ex: public.ecr.aws/example-registry)
if isRegistryPublic(registry) {
svc := ecrpublic.NewFromConfig(cfg)
_, createErr = svc.CreateRepository(context.TODO(), &ecrpublic.CreateRepositoryInput{RepositoryName: &repo})
//create private repo
} else {
svc := ecr.NewFromConfig(cfg)
_, createErr = svc.CreateRepository(context.TODO(), &ecr.CreateRepositoryInput{RepositoryName: &repo})
}
}
var apiError smithy.APIError
@@ -368,51 +688,320 @@ func createRepository(region, repo, registry string) error {
return nil
}
func uploadLifeCyclePolicy(region, repo, lifecyclePolicy string) (err error) {
cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
if err != nil {
return errors.Wrap(err, "failed to load aws config")
}
func uploadLifeCyclePolicy(region, repo, lifecyclePolicy, assumeRole, externalId string) (err error) {
if assumeRole != "" {
input := &ecrv1.PutLifecyclePolicyInput{
LifecyclePolicyText: aws.String(lifecyclePolicy),
RepositoryName: aws.String(repo),
}
_, err = getAssumeRoleEcrSvc(region, assumeRole, externalId).PutLifecyclePolicy(input)
} else {
cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
if err != nil {
return errors.Wrap(err, "failed to load aws config")
}
svc := ecr.NewFromConfig(cfg)
svc := ecr.NewFromConfig(cfg)
input := &ecr.PutLifecyclePolicyInput{
LifecyclePolicyText: aws.String(lifecyclePolicy),
RepositoryName: aws.String(repo),
input := &ecr.PutLifecyclePolicyInput{
LifecyclePolicyText: aws.String(lifecyclePolicy),
RepositoryName: aws.String(repo),
}
_, err = svc.PutLifecyclePolicy(context.TODO(), input)
}
_, err = svc.PutLifecyclePolicy(context.TODO(), input)
return err
}
func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy string) (err error) {
cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
if err != nil {
return errors.Wrap(err, "failed to load aws config")
}
if isRegistryPublic(registry) {
svc := ecrpublic.NewFromConfig(cfg)
input := &ecrpublic.SetRepositoryPolicyInput{
PolicyText: aws.String(repositoryPolicy),
RepositoryName: aws.String(repo),
func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy, assumeRole, externalId string) (err error) {
if assumeRole != "" {
if isRegistryPublic(registry) {
input := &ecrpublicv1.SetRepositoryPolicyInput{
PolicyText: aws.String(repositoryPolicy),
RepositoryName: aws.String(repo),
}
_, err = getAssumeRoleEcrPublicSvc(region, assumeRole, externalId).SetRepositoryPolicy(input)
} else {
input := &ecrv1.SetRepositoryPolicyInput{
PolicyText: aws.String(repositoryPolicy),
RepositoryName: aws.String(repo),
}
_, err = getAssumeRoleEcrSvc(region, assumeRole, externalId).SetRepositoryPolicy(input)
}
_, err = svc.SetRepositoryPolicy(context.TODO(), input)
} else {
svc := ecr.NewFromConfig(cfg)
input := &ecr.SetRepositoryPolicyInput{
PolicyText: aws.String(repositoryPolicy),
RepositoryName: aws.String(repo),
cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
if err != nil {
return errors.Wrap(err, "failed to load aws config")
}
if isRegistryPublic(registry) {
svc := ecrpublic.NewFromConfig(cfg)
input := &ecrpublic.SetRepositoryPolicyInput{
PolicyText: aws.String(repositoryPolicy),
RepositoryName: aws.String(repo),
}
_, err = svc.SetRepositoryPolicy(context.TODO(), input)
} else {
svc := ecr.NewFromConfig(cfg)
input := &ecr.SetRepositoryPolicyInput{
PolicyText: aws.String(repositoryPolicy),
RepositoryName: aws.String(repo),
}
_, err = svc.SetRepositoryPolicy(context.TODO(), input)
}
_, err = svc.SetRepositoryPolicy(context.TODO(), input)
}
return err
}
func getAssumeRoleCreds(region, roleArn, externalId, roleSessionName string) (string, string, string, error) {
sess, err := session.NewSession(&awsv1.Config{Region: &region})
if err != nil {
return "", "", "", errors.Wrap(err, "failed to create aws session")
}
svc := ecrv1.New(sess, &awsv1.Config{
Credentials: stscreds.NewCredentials(sess, roleArn, func(p *stscreds.AssumeRoleProvider) {
if externalId != "" {
p.ExternalID = &externalId
}
}),
})
username, password, registry, err := getAuthInfo(svc)
if err != nil {
return "", "", "", errors.Wrap(err, "failed to get ECR auth: no basic auth credentials")
}
return username, password, registry, nil
}
func getAuthInfo(svc *ecrv1.ECR) (username, password, registry string, err error) {
var result *ecrv1.GetAuthorizationTokenOutput
var decoded []byte
result, err = svc.GetAuthorizationToken(&ecrv1.GetAuthorizationTokenInput{})
if err != nil {
return
}
auth := result.AuthorizationData[0]
token := *auth.AuthorizationToken
decoded, err = base64.StdEncoding.DecodeString(token)
if err != nil {
return
}
registry = strings.TrimPrefix(*auth.ProxyEndpoint, "https://")
creds := strings.Split(string(decoded), ":")
username = creds[0]
password = creds[1]
return
}
func getAssumeRoleEcrSvc(region, assumeRole, externalId string) *ecrv1.ECR {
sess, err := session.NewSession(&awsv1.Config{Region: &region})
if err != nil {
logrus.Fatal(err, "failed to create aws session")
}
return ecrv1.New(sess, &awsv1.Config{
Credentials: stscreds.NewCredentials(sess, assumeRole, func(p *stscreds.AssumeRoleProvider) {
if externalId != "" {
p.ExternalID = &externalId
}
}),
})
}
func getAssumeRoleEcrPublicSvc(region, assumeRole, externalId string) *ecrpublicv1.ECRPublic {
sess, err := session.NewSession(&awsv1.Config{Region: &region})
if err != nil {
logrus.Fatal(err, "failed to create aws session")
}
return ecrpublicv1.New(sess, &awsv1.Config{
Credentials: stscreds.NewCredentials(sess, assumeRole, func(p *stscreds.AssumeRoleProvider) {
if externalId != "" {
p.ExternalID = &externalId
}
}),
})
}
func isRegistryPublic(registry string) bool {
return strings.HasPrefix(registry, ecrPublicDomain)
}
func isKanikoVersionBelowOneDotEight(v string) bool {
currVer, err := version.NewVersion(v)
if err != nil {
return true
}
oneEightVer, err := version.NewVersion(oneDotEightVersion)
if err != nil {
return true
}
return currVer.LessThan(oneEightVer)
}
func getOidcCreds(oidcToken, assumeRole string) (string, string, string, error) {
// Create a new session
sess, err := session.NewSession()
if err != nil {
return "", "", "", fmt.Errorf("failed to create AWS session: %w", err)
}
// Create a new STS client
svc := sts.New(sess)
// Prepare the input parameters for the STS call
duration := int64(time.Hour / time.Second)
input := &sts.AssumeRoleWithWebIdentityInput{
RoleArn: aws.String(assumeRole),
RoleSessionName: aws.String("kaniko-ecr-oidc"),
WebIdentityToken: aws.String(oidcToken),
DurationSeconds: aws.Int64(duration),
}
// Call the AssumeRoleWithWebIdentity function
result, err := svc.AssumeRoleWithWebIdentity(input)
if err != nil {
return "", "", "", fmt.Errorf("failed to assume role with web identity: %w", err)
}
// Check if credentials exist in the result
if result.Credentials == nil {
return "", "", "", errors.New("no credentials returned by AssumeRoleWithWebIdentity")
}
// Return the credentials
return *result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken, nil
}
func createECRSession(region, accessKey, secretKey, sessionToken string) *ecrv1.ECR {
sess := session.Must(session.NewSession(&awsv1.Config{
Region: awsv1.String(region),
Credentials: credentials.NewStaticCredentials(
accessKey,
secretKey,
sessionToken,
),
}))
return ecrv1.New(sess)
}
func getECRCredentials(region, registry, assumeRole, externalId, accessKey, secretKey, oidcToken string) (string, string, error) {
if assumeRole != "" && oidcToken != "" {
// For OIDC auth with assume role
awsAccessKey, awsSecretKey, awsSessionToken, err := getOidcCreds(oidcToken, assumeRole)
if err != nil {
return "", "", fmt.Errorf("failed to get OIDC credentials: %w", err)
}
// Create ECR session and get auth info
svc := createECRSession(region, awsAccessKey, awsSecretKey, awsSessionToken)
username, password, _, err := getAuthInfo(svc)
if err != nil {
return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
}
return username, password, nil
} else if assumeRole != "" {
// For assume role auth
username, password, _, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
if err != nil {
return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
}
return username, password, nil
} else if accessKey != "" && secretKey != "" {
// For direct credentials
sess := session.Must(session.NewSession(&awsv1.Config{
Region: awsv1.String(region),
Credentials: credentials.NewStaticCredentials(
accessKey,
secretKey,
"",
),
}))
svc := ecrv1.New(sess)
username, password, _, err := getAuthInfo(svc)
if err != nil {
return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
}
return username, password, nil
} else {
// For IAM role auth (default credentials)
sess := session.Must(session.NewSession(&awsv1.Config{
Region: awsv1.String(region),
}))
svc := ecrv1.New(sess)
username, password, _, err := getAuthInfo(svc)
if err != nil {
return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
}
return username, password, nil
}
}
func handlePushOnly(c *cli.Context) error {
sourceTarPath := c.String("source-tar-path")
if sourceTarPath == "" {
return fmt.Errorf("source_tar_path is required when push_only is set")
}
if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
}
repo := c.String("repo")
registry := c.String("registry")
if repo == "" || registry == "" {
return fmt.Errorf("repository and registry must be specified for push-only operation")
}
// Load the image from the tarball
img, err := crane.Load(sourceTarPath)
if err != nil {
return fmt.Errorf("failed to load image from tarball: %v", err)
}
// Get ECR credentials using the common function
username, password, err := getECRCredentials(
c.String("region"),
registry,
c.String("assume-role"),
c.String("external-id"),
c.String("access-key"),
c.String("secret-key"),
c.String("oidc-token-id"),
)
if err != nil {
return err
}
// Setup crane auth
opts := []crane.Option{
crane.WithAuth(&authn.Basic{
Username: username,
Password: password,
}),
}
// Push for each tag
tags := c.StringSlice("tags")
if len(tags) == 0 {
tags = []string{"latest"}
}
for _, tag := range tags {
dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
if err := crane.Push(img, dest, opts...); err != nil {
return fmt.Errorf("failed to push image to %s: %v", dest, err)
}
fmt.Printf("Successfully pushed image to %s\n", dest)
}
return nil
}
cmd/kaniko-ecr/main_test.go
+34 -20
View File
@@ -1,31 +1,45 @@
package main
import (
"reflect"
"encoding/base64"
"io/ioutil"
"os"
"testing"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/stretchr/testify/assert"
)
func TestCreateDockerConfig(t *testing.T) {
got, err := createDockerConfig(
"docker-username",
"docker-password",
"access-key",
"secret-key",
"ecr-registry",
false,
)
if err != nil {
t.Error("failed to create docker config")
func TestCreateDockerConfigForECRWithBaseRegistry(t *testing.T) {
accessKey := "access-key"
secretKey := "secret-key"
ecrRegistry := "ecr-registry"
dockerUsername := "dockeruser"
dockerPassword := "dockerpass"
dockerRegistry := "https://index.docker.io/v1/"
tempDir, err := ioutil.TempDir("", "docker-config-test")
assert.NoError(t, err)
defer os.RemoveAll(tempDir)
config := docker.NewConfig()
pullFromRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
}
credentials := []docker.RegistryCredentials{
{Registry: ecrRegistry, Username: accessKey, Password: secretKey},
pullFromRegistryCreds,
}
want := docker.NewConfig()
want.SetAuth(docker.RegistryV1, "docker-username", "docker-password")
want.SetCredHelper(docker.RegistryECRPublic, "ecr-login")
want.SetCredHelper("ecr-registry", "ecr-login")
err = config.CreateDockerConfig(credentials, tempDir)
assert.NoError(t, err)
if !reflect.DeepEqual(want, got) {
t.Errorf("not equal:\n want: %#v\n got: %#v", want, got)
}
}
expectedECRAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(accessKey + ":" + secretKey))}
assert.Equal(t, expectedECRAuth, config.Auths[ecrRegistry])
expectedDockerAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(dockerUsername + ":" + dockerPassword))}
assert.Equal(t, expectedDockerAuth, config.Auths[dockerRegistry])
}
cmd/kaniko-gar/main.go
+601
View File
@@ -0,0 +1,601 @@
package main
import (
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"github.com/joho/godotenv"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/crane"
)
const (
dockerConfigPath string = "/kaniko/.docker"
// GAR JSON key file path
garKeyPath string = "/kaniko/config.json"
garEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
defaultDigestFile string = "/kaniko/digest-file"
)
var (
version = "unknown"
)
func main() {
// Load env-file if it exists first
if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
if err := godotenv.Load(env); err != nil {
logrus.Fatal(err)
}
}
app := cli.NewApp()
app.Name = "kaniko gar plugin"
app.Usage = "kaniko gar plugin"
app.Action = run
app.Version = version
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "dockerfile",
Usage: "build dockerfile",
Value: "Dockerfile",
EnvVar: "PLUGIN_DOCKERFILE",
},
cli.StringFlag{
Name: "context",
Usage: "build context",
Value: ".",
EnvVar: "PLUGIN_CONTEXT",
},
cli.StringFlag{
Name: "drone-commit-ref",
Usage: "git commit ref passed by Drone",
EnvVar: "DRONE_COMMIT_REF",
},
cli.StringFlag{
Name: "drone-repo-branch",
Usage: "git repository default branch passed by Drone",
EnvVar: "DRONE_REPO_BRANCH",
},
cli.StringSliceFlag{
Name: "tags",
Usage: "build tags",
Value: &cli.StringSlice{"latest"},
EnvVar: "PLUGIN_TAGS",
FilePath: ".tags",
},
cli.BoolFlag{
Name: "expand-tag",
Usage: "enable for semver tagging",
EnvVar: "PLUGIN_EXPAND_TAG",
},
cli.BoolFlag{
Name: "auto-tag",
Usage: "enable auto generation of build tags",
EnvVar: "PLUGIN_AUTO_TAG",
},
cli.StringFlag{
Name: "auto-tag-suffix",
Usage: "the suffix of auto build tags",
EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
},
cli.StringSliceFlag{
Name: "args",
Usage: "build args",
EnvVar: "PLUGIN_BUILD_ARGS",
},
cli.StringFlag{
Name: "target",
Usage: "build target",
EnvVar: "PLUGIN_TARGET",
},
cli.StringFlag{
Name: "repo",
Usage: "gar repository",
EnvVar: "PLUGIN_REPO",
},
cli.StringSliceFlag{
Name: "custom-labels",
Usage: "additional k=v labels",
EnvVar: "PLUGIN_CUSTOM_LABELS",
},
cli.StringFlag{
Name: "registry",
Usage: "gar registry",
EnvVar: "PLUGIN_REGISTRY",
},
cli.StringFlag{
Name: "base-image-username",
Usage: "Docker username for base image registry",
EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
},
cli.StringFlag{
Name: "base-image-password",
Usage: "Docker password for base image registry",
EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
},
cli.StringFlag{
Name: "base-image-registry",
Usage: "Docker registry for base image registry",
EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
},
cli.StringSliceFlag{
Name: "registry-mirrors",
Usage: "docker registry mirrors",
EnvVar: "PLUGIN_REGISTRY_MIRRORS",
},
cli.StringFlag{
Name: "json-key",
Usage: "docker username",
EnvVar: "PLUGIN_JSON_KEY",
},
cli.StringFlag{
Name: "snapshot-mode",
Usage: "Specify one of full, redo or time as snapshot mode",
EnvVar: "PLUGIN_SNAPSHOT_MODE",
},
cli.BoolFlag{
Name: "enable-cache",
Usage: "Set this flag to opt into caching with kaniko",
EnvVar: "PLUGIN_ENABLE_CACHE",
},
cli.StringFlag{
Name: "cache-repo",
Usage: "Remote repository that will be used to store cached layers. Cache repo should be present in specified registry. enable-cache needs to be set to use this flag",
EnvVar: "PLUGIN_CACHE_REPO",
},
cli.IntFlag{
Name: "cache-ttl",
Usage: "Cache timeout in hours. Defaults to two weeks.",
EnvVar: "PLUGIN_CACHE_TTL",
},
cli.StringFlag{
Name: "artifact-file",
Usage: "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
EnvVar: "PLUGIN_ARTIFACT_FILE",
},
cli.BoolFlag{
Name: "no-push",
Usage: "Set this flag if you only want to build the image, without pushing to a registry",
EnvVar: "PLUGIN_NO_PUSH",
},
cli.BoolFlag{
Name: "push-only",
Usage: "Set this flag if you only want to push a pre-built image from a tarball",
EnvVar: "PLUGIN_PUSH_ONLY",
},
cli.StringFlag{
Name: "source-tar-path",
Usage: "Path to the local tarball to be pushed when push-only is set",
EnvVar: "PLUGIN_SOURCE_TAR_PATH",
},
cli.StringFlag{
Name: "tar-path",
Usage: "Set this flag to save the image as a tarball at path",
EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
},
cli.StringFlag{
Name: "verbosity",
Usage: "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
EnvVar: "PLUGIN_VERBOSITY",
},
cli.StringFlag{
Name: "platform",
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
Usage: "build only used stages",
EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
},
cli.StringFlag{
Name: "cache-dir",
Usage: "Set this flag to specify a local directory cache for base images",
EnvVar: "PLUGIN_CACHE_DIR",
},
cli.BoolFlag{
Name: "cache-copy-layers",
Usage: "Enable or disable copying layers from the cache.",
EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
},
cli.BoolFlag{
Name: "cache-run-layers",
Usage: "Enable or disable running layers from the cache.",
EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
},
cli.BoolFlag{
Name: "cleanup",
Usage: "Enable or disable cleanup of temporary files.",
EnvVar: "PLUGIN_CLEANUP",
},
cli.BoolFlag{
Name: "compressed-caching",
Usage: "Enable or disable compressed caching.",
EnvVar: "PLUGIN_COMPRESSED_CACHING",
},
cli.StringFlag{
Name: "context-sub-path",
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
EnvVar: "PLUGIN_FORCE",
},
cli.StringFlag{
Name: "image-name-with-digest-file",
Usage: "Write image name with digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
},
cli.StringFlag{
Name: "image-name-tag-with-digest-file",
Usage: "Write image name with tag and digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
},
cli.BoolFlag{
Name: "insecure",
Usage: "Allow connecting to registries without TLS.",
EnvVar: "PLUGIN_INSECURE",
},
cli.BoolFlag{
Name: "insecure-pull",
Usage: "Allow insecure pulls from the registry.",
EnvVar: "PLUGIN_INSECURE_PULL",
},
cli.StringFlag{
Name: "insecure-registry",
Usage: "Use plain HTTP for registry communication.",
EnvVar: "PLUGIN_INSECURE_REGISTRY",
},
cli.StringFlag{
Name: "log-format",
Usage: "Set the log format for build output.",
EnvVar: "PLUGIN_LOG_FORMAT",
},
cli.BoolFlag{
Name: "log-timestamp",
Usage: "Show timestamps in build output.",
EnvVar: "PLUGIN_LOG_TIMESTAMP",
},
cli.StringFlag{
Name: "oci-layout-path",
Usage: "Directory to store OCI layout.",
EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
},
cli.IntFlag{
Name: "push-retry",
Usage: "Number of times to retry pushing an image.",
EnvVar: "PLUGIN_PUSH_RETRY",
},
cli.StringFlag{
Name: "registry-certificate",
Usage: "Path to a file containing a registry certificate.",
EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
},
cli.StringFlag{
Name: "registry-client-cert",
Usage: "Path to a file containing a registry client certificate.",
EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
},
cli.BoolFlag{
Name: "skip-default-registry-fallback",
Usage: "Skip Docker Hub and default registry fallback.",
EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
},
cli.BoolFlag{
Name: "reproducible",
Usage: "Create a reproducible image.",
EnvVar: "PLUGIN_REPRODUCIBLE",
},
cli.BoolFlag{
Name: "single-snapshot",
Usage: "Only create a single snapshot of the image.",
EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
},
cli.BoolFlag{
Name: "skip-push-permission-check",
Usage: "Skip permission check when pushing.",
EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
},
cli.BoolFlag{
Name: "skip-tls-verify-pull",
Usage: "Skip TLS verification when pulling.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
},
cli.BoolFlag{
Name: "skip-tls-verify-registry",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
},
cli.BoolFlag{
Name: "use-new-run",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_USE_NEW_RUN",
},
cli.BoolFlag{
Name: "ignore-var-run",
Usage: "Ignore the /var/run directory during build.",
EnvVar: "PLUGIN_IGNORE_VAR_RUN",
},
cli.StringFlag{
Name: "ignore-path",
Usage: "Path to ignore during the build.",
EnvVar: "PLUGIN_IGNORE_PATH",
},
cli.IntFlag{
Name: "image-fs-extract-retry",
Usage: "Number of retries for extracting filesystem layers.",
EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
},
cli.IntFlag{
Name: "image-download-retry",
Usage: "Number of retries for downloading base images.",
EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
},
}
if err := app.Run(os.Args); err != nil {
logrus.Fatal(err)
}
}
func run(c *cli.Context) error {
// Check if this is a push-only operation
if c.Bool("push-only") {
return handlePushOnly(c)
}
noPush := c.Bool("no-push")
jsonKey := c.String("json-key")
// JSON key may not be set in the following cases:
// 1. Image does not need to be pushed to GAR.
// 2. Workload identity is set on GKE in which pod will inherit the credentials via service account.
if jsonKey != "" {
if err := setupGARAuth(jsonKey); err != nil {
return err
}
// setup docker config only when base image registry is specified
if c.String("base-image-registry") != "" {
if err := setDockerAuth(
c.String("base-image-username"),
c.String("base-image-password"),
c.String("base-image-registry"),
); err != nil {
return errors.Wrap(err, "failed to create docker config")
}
}
}
plugin := kaniko.Plugin{
Build: kaniko.Build{
DroneCommitRef: c.String("drone-commit-ref"),
DroneRepoBranch: c.String("drone-repo-branch"),
Dockerfile: c.String("dockerfile"),
Context: c.String("context"),
Tags: c.StringSlice("tags"),
AutoTag: c.Bool("auto-tag"),
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
Target: c.String("target"),
Repo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
Labels: c.StringSlice("custom-labels"),
SnapshotMode: c.String("snapshot-mode"),
EnableCache: c.Bool("enable-cache"),
CacheRepo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
PushOnly: c.Bool("push-only"),
SourceTarPath: c.String("source-tar-path"),
TarPath: c.String("tar-path"),
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
Insecure: c.Bool("insecure"),
InsecurePull: c.Bool("insecure-pull"),
InsecureRegistry: c.String("insecure-registry"),
Label: c.String("label"),
LogFormat: c.String("log-format"),
LogTimestamp: c.Bool("log-timestamp"),
OCILayoutPath: c.String("oci-layout-path"),
PushRetry: c.Int("push-retry"),
RegistryCertificate: c.String("registry-certificate"),
RegistryClientCert: c.String("registry-client-cert"),
SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
Reproducible: c.Bool("reproducible"),
SingleSnapshot: c.Bool("single-snapshot"),
SkipTLSVerify: c.Bool("skip-tls-verify"),
SkipPushPermissionCheck: c.Bool("skip-push-permission-check"),
SkipTLSVerifyPull: c.Bool("skip-tls-verify-pull"),
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
},
Artifact: kaniko.Artifact{
Tags: c.StringSlice("tags"),
Repo: c.String("repo"),
Registry: c.String("registry"),
ArtifactFile: c.String("artifact-file"),
RegistryType: artifact.GAR,
},
}
if c.IsSet("compressed-caching") {
flag := c.Bool("compressed-caching")
plugin.Build.CompressedCaching = &flag
}
if c.IsSet("ignore-var-run") {
flag := c.Bool("ignore-var-run")
plugin.Build.IgnoreVarRun = &flag
}
return plugin.Exec()
}
func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) error {
dockerConfig := docker.NewConfig()
dockerRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
}
credentials := []docker.RegistryCredentials{dockerRegistryCreds}
return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
}
func setupGARAuth(jsonKey string) error {
err := ioutil.WriteFile(garKeyPath, []byte(jsonKey), 0644)
if err != nil {
return errors.Wrap(err, "failed to write GAR JSON key")
}
err = os.Setenv(garEnvVariable, garKeyPath)
if err != nil {
return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", garEnvVariable))
}
return nil
}
func handlePushOnly(c *cli.Context) error {
// Validate inputs for push-only operation
sourceTarPath := c.String("source-tar-path")
if sourceTarPath == "" {
return fmt.Errorf("source_tar_path is required when push_only is set")
}
if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
}
repo := c.String("repo")
registry := c.String("registry")
if repo == "" || registry == "" {
return fmt.Errorf("repository and registry must be specified for push-only operation")
}
// Authentication options for crane
var opts []crane.Option
// Setup GAR authentication
jsonKey := c.String("json-key")
if jsonKey != "" {
if err := setupGARAuth(jsonKey); err != nil {
return err
}
logrus.Info("Setting up authentication for GAR")
// Create Docker config directory if it doesn't exist
dockerConfigDir := "/kaniko/.docker"
if err := os.MkdirAll(dockerConfigDir, 0755); err != nil {
return fmt.Errorf("failed to create Docker config directory: %v", err)
}
// Generate a Docker config with GAR auth
type DockerAuth struct {
Username string `json:"username"`
Password string `json:"password"`
Auth string `json:"auth"`
}
type DockerConfig struct {
Auths map[string]DockerAuth `json:"auths"`
}
// Create proper Auth field (base64 encoded username:password)
username := "_json_key"
authString := base64.StdEncoding.EncodeToString([]byte(username + ":" + jsonKey))
// Use _json_key as username and the key content as password for GAR
config := DockerConfig{
Auths: map[string]DockerAuth{
registry: {
Username: username,
Password: jsonKey,
Auth: authString,
},
},
}
// Write the Docker config
configBytes, err := json.Marshal(config)
if err != nil {
return fmt.Errorf("failed to marshal Docker config: %v", err)
}
dockerConfigPath := filepath.Join(dockerConfigDir, "config.json")
if err := ioutil.WriteFile(dockerConfigPath, configBytes, 0644); err != nil {
return fmt.Errorf("failed to write Docker config: %v", err)
}
// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
if err := os.Setenv("DOCKER_CONFIG", dockerConfigDir); err != nil {
return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
}
// Set up crane to use basic auth with docker config
opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
} else {
logrus.Warn("No JSON key provided, authentication may fail if not running with workload identity")
}
// Load the image from the tarball
logrus.Infof("Loading image from tarball: %s", sourceTarPath)
img, err := crane.Load(sourceTarPath)
if err != nil {
return fmt.Errorf("failed to load image from tarball: %v", err)
}
// Push for each tag
tags := c.StringSlice("tags")
if len(tags) == 0 {
tags = []string{"latest"}
}
for _, tag := range tags {
dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
logrus.Infof("Pushing image to: %s", dest)
if err := crane.Push(img, dest, opts...); err != nil {
return fmt.Errorf("failed to push image to %s: %v", dest, err)
}
logrus.Infof("Successfully pushed image to %s", dest)
}
return nil
}
cmd/kaniko-gcr/main.go
+259 -24
View File
@@ -12,12 +12,14 @@ import (
kaniko "github.com/drone/drone-kaniko"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/docker"
)
const (
dockerConfigPath string = "/kaniko/.docker"
// GCR JSON key file path
gcrKeyPath string = "/kaniko/config.json"
gcrEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
gcrKeyPath string = "/kaniko/config.json"
gcrEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
defaultDigestFile string = "/kaniko/digest-file"
)
@@ -108,7 +110,22 @@ func main() {
Name: "registry",
Usage: "gcr registry",
Value: "gcr.io",
EnvVar: "PLUGIN_REGISTRY",
EnvVar: "PLUGIN_REGISTRY,BASE_REGISTRY",
},
cli.StringFlag{
Name: "base-image-username",
Usage: "Docker username for base image registry",
EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
},
cli.StringFlag{
Name: "base-image-password",
Usage: "Docker password for base image registry",
EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
},
cli.StringFlag{
Name: "base-image-registry",
Usage: "Docker registry for base image registry",
EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
},
cli.StringSliceFlag{
Name: "registry-mirrors",
@@ -160,6 +177,162 @@ func main() {
Usage: "Allows to build with another default platform than the host, similarly to docker build --platform",
EnvVar: "PLUGIN_PLATFORM",
},
cli.BoolFlag{
Name: "skip-unused-stages",
Usage: "build only used stages",
EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
},
cli.StringFlag{
Name: "cache-dir",
Usage: "Set this flag to specify a local directory cache for base images",
EnvVar: "PLUGIN_CACHE_DIR",
},
cli.BoolFlag{
Name: "cache-copy-layers",
Usage: "Enable or disable copying layers from the cache.",
EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
},
cli.BoolFlag{
Name: "cache-run-layers",
Usage: "Enable or disable running layers from the cache.",
EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
},
cli.BoolFlag{
Name: "cleanup",
Usage: "Enable or disable cleanup of temporary files.",
EnvVar: "PLUGIN_CLEANUP",
},
cli.BoolFlag{
Name: "compressed-caching",
Usage: "Enable or disable compressed caching.",
EnvVar: "PLUGIN_COMPRESSED_CACHING",
},
cli.StringFlag{
Name: "context-sub-path",
Usage: "Sub-path within the context to build.",
EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
},
cli.StringFlag{
Name: "custom-platform",
Usage: "Platform to use for building.",
EnvVar: "PLUGIN_CUSTOM_PLATFORM",
},
cli.BoolFlag{
Name: "force",
Usage: "Force building the image even if it already exists.",
EnvVar: "PLUGIN_FORCE",
},
cli.StringFlag{
Name: "image-name-with-digest-file",
Usage: "Write image name with digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
},
cli.StringFlag{
Name: "image-name-tag-with-digest-file",
Usage: "Write image name with tag and digest to a file.",
EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
},
cli.BoolFlag{
Name: "insecure",
Usage: "Allow connecting to registries without TLS.",
EnvVar: "PLUGIN_INSECURE",
},
cli.BoolFlag{
Name: "insecure-pull",
Usage: "Allow insecure pulls from the registry.",
EnvVar: "PLUGIN_INSECURE_PULL",
},
cli.StringFlag{
Name: "insecure-registry",
Usage: "Use plain HTTP for registry communication.",
EnvVar: "PLUGIN_INSECURE_REGISTRY",
},
cli.StringFlag{
Name: "log-format",
Usage: "Set the log format for build output.",
EnvVar: "PLUGIN_LOG_FORMAT",
},
cli.BoolFlag{
Name: "log-timestamp",
Usage: "Show timestamps in build output.",
EnvVar: "PLUGIN_LOG_TIMESTAMP",
},
cli.StringFlag{
Name: "oci-layout-path",
Usage: "Directory to store OCI layout.",
EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
},
cli.IntFlag{
Name: "push-retry",
Usage: "Number of times to retry pushing an image.",
EnvVar: "PLUGIN_PUSH_RETRY",
},
cli.StringFlag{
Name: "registry-certificate",
Usage: "Path to a file containing a registry certificate.",
EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
},
cli.StringFlag{
Name: "registry-client-cert",
Usage: "Path to a file containing a registry client certificate.",
EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
},
cli.BoolFlag{
Name: "skip-default-registry-fallback",
Usage: "Skip Docker Hub and default registry fallback.",
EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
},
cli.BoolFlag{
Name: "reproducible",
Usage: "Create a reproducible image.",
EnvVar: "PLUGIN_REPRODUCIBLE",
},
cli.BoolFlag{
Name: "single-snapshot",
Usage: "Only create a single snapshot of the image.",
EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
},
cli.BoolFlag{
Name: "skip-push-permission-check",
Usage: "Skip permission check when pushing.",
EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
},
cli.BoolFlag{
Name: "skip-tls-verify-pull",
Usage: "Skip TLS verification when pulling.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
},
cli.BoolFlag{
Name: "skip-tls-verify-registry",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
},
cli.BoolFlag{
Name: "use-new-run",
Usage: "Skip TLS verification when connecting to a registry.",
EnvVar: "PLUGIN_USE_NEW_RUN",
},
cli.BoolFlag{
Name: "ignore-var-run",
Usage: "Ignore the /var/run directory during build.",
EnvVar: "PLUGIN_IGNORE_VAR_RUN",
},
cli.StringFlag{
Name: "ignore-path",
Usage: "Path to ignore during the build.",
EnvVar: "PLUGIN_IGNORE_PATH",
},
cli.IntFlag{
Name: "image-fs-extract-retry",
Usage: "Number of retries for extracting filesystem layers.",
EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
},
cli.IntFlag{
Name: "image-download-retry",
Usage: "Number of retries for downloading base images.",
EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
},
}
if err := app.Run(os.Args); err != nil {
@@ -178,31 +351,74 @@ func run(c *cli.Context) error {
if err := setupGCRAuth(jsonKey); err != nil {
return err
}
// setup docker config only when base image registry is specified
if c.String("base-image-registry") != ""{
if err := setDockerAuth(
c.String("base-image-username"),
c.String("base-image-password"),
c.String("base-image-registry"),
); err != nil {
return errors.Wrap(err, "failed to create docker config")
}
}
}
plugin := kaniko.Plugin{
Build: kaniko.Build{
DroneCommitRef: c.String("drone-commit-ref"),
DroneRepoBranch: c.String("drone-repo-branch"),
Dockerfile: c.String("dockerfile"),
Context: c.String("context"),
Tags: c.StringSlice("tags"),
AutoTag: c.Bool("auto-tag"),
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
Target: c.String("target"),
Repo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
Labels: c.StringSlice("custom-labels"),
SnapshotMode: c.String("snapshot-mode"),
EnableCache: c.Bool("enable-cache"),
CacheRepo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
DroneCommitRef: c.String("drone-commit-ref"),
DroneRepoBranch: c.String("drone-repo-branch"),
Dockerfile: c.String("dockerfile"),
Context: c.String("context"),
Tags: c.StringSlice("tags"),
AutoTag: c.Bool("auto-tag"),
AutoTagSuffix: c.String("auto-tag-suffix"),
ExpandTag: c.Bool("expand-tag"),
Args: c.StringSlice("args"),
Target: c.String("target"),
Repo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
Mirrors: c.StringSlice("registry-mirrors"),
Labels: c.StringSlice("custom-labels"),
SnapshotMode: c.String("snapshot-mode"),
EnableCache: c.Bool("enable-cache"),
CacheRepo: fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
CacheTTL: c.Int("cache-ttl"),
DigestFile: defaultDigestFile,
NoPush: noPush,
Verbosity: c.String("verbosity"),
Platform: c.String("platform"),
SkipUnusedStages: c.Bool("skip-unused-stages"),
CacheDir: c.String("cache-dir"),
CacheCopyLayers: c.Bool("cache-copy-layers"),
CacheRunLayers: c.Bool("cache-run-layers"),
Cleanup: c.Bool("cleanup"),
ContextSubPath: c.String("context-sub-path"),
CustomPlatform: c.String("custom-platform"),
Force: c.Bool("force"),
ImageNameWithDigestFile: c.String("image-name-with-digest-file"),
ImageNameTagWithDigestFile: c.String("image-name-tag-with-digest-file"),
Insecure: c.Bool("insecure"),
InsecurePull: c.Bool("insecure-pull"),
InsecureRegistry: c.String("insecure-registry"),
Label: c.String("label"),
LogFormat: c.String("log-format"),
LogTimestamp: c.Bool("log-timestamp"),
OCILayoutPath: c.String("oci-layout-path"),
PushRetry: c.Int("push-retry"),
RegistryCertificate: c.String("registry-certificate"),
RegistryClientCert: c.String("registry-client-cert"),
SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
Reproducible: c.Bool("reproducible"),
SingleSnapshot: c.Bool("single-snapshot"),
SkipTLSVerify: c.Bool("skip-tls-verify"),
SkipPushPermissionCheck: c.Bool("skip-push-permission-check"),
SkipTLSVerifyPull: c.Bool("skip-tls-verify-pull"),
SkipTLSVerifyRegistry: c.Bool("skip-tls-verify-registry"),
UseNewRun: c.Bool("use-new-run"),
IgnorePath: c.String("ignore-path"),
IgnorePaths: c.StringSlice("ignore-paths"),
ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
ImageDownloadRetry: c.Int("image-download-retry"),
},
Artifact: kaniko.Artifact{
Tags: c.StringSlice("tags"),
@@ -212,9 +428,28 @@ func run(c *cli.Context) error {
RegistryType: artifact.GCR,
},
}
if c.IsSet("compressed-caching") {
flag := c.Bool("compressed-caching")
plugin.Build.CompressedCaching = &flag
}
if c.IsSet("ignore-var-run") {
flag := c.Bool("ignore-var-run")
plugin.Build.IgnoreVarRun = &flag
}
return plugin.Exec()
}
func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) (error) {
dockerConfig := docker.NewConfig()
dockerRegistryCreds := docker.RegistryCredentials{
Registry: dockerRegistry,
Username: dockerUsername,
Password: dockerPassword,
}
credentials := []docker.RegistryCredentials{dockerRegistryCreds}
return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
}
func setupGCRAuth(jsonKey string) error {
err := ioutil.WriteFile(gcrKeyPath, []byte(jsonKey), 0644)
if err != nil {
docker/acr/Dockerfile.linux.amd64
+5
View File
@@ -0,0 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV KANIKO_VERSION=1.23.2
ADD release/linux/amd64/kaniko-acr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-acr"]
docker/acr/Dockerfile.linux.arm64
+8
View File
@@ -0,0 +1,8 @@
FROM gcr.io/kaniko-project/executor:v1.23.0
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.0
ADD release/linux/arm64/kaniko-acr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-acr"]
docker/acr/manifest.tmpl
+18
View File
@@ -0,0 +1,18 @@
image: plugins/kaniko-acr:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
-
image: plugins/kaniko-acr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko-acr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
platform:
architecture: arm64
os: linux
docker/docker/Dockerfile.linux.amd64
+2 -1
View File
@@ -1,4 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.6.0
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV KANIKO_VERSION=1.23.2
ADD release/linux/amd64/kaniko-docker /kaniko/
ENTRYPOINT ["/kaniko/kaniko-docker"]
docker/docker/Dockerfile.linux.amd64.kaniko1.8.0 → docker/docker/Dockerfile.linux.amd64.kaniko1.9.1
+2 -1
View File
@@ -1,4 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.8.0
FROM gcr.io/kaniko-project/executor:v1.9.1
ENV KANIKO_VERSION=1.9.1
ADD release/linux/amd64/kaniko-docker /kaniko/
ENTRYPOINT ["/kaniko/kaniko-docker"]
docker/docker/Dockerfile.linux.arm64
+2 -1
View File
@@ -1,7 +1,8 @@
FROM gcr.io/kaniko-project/executor:arm64-v1.6.0
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.2
ADD release/linux/arm64/kaniko-docker /kaniko/
ENTRYPOINT ["/kaniko/kaniko-docker"]
docker/docker/Dockerfile.linux.arm64.kaniko1.9.1
+5
View File
@@ -0,0 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.9.1
ENV KANIKO_VERSION=1.9.1
ADD release/linux/arm64/kaniko-docker /kaniko/
ENTRYPOINT ["/kaniko/kaniko-docker"]
docker/docker/manifest-kaniko1.8.0.tmpl → docker/docker/manifest-kaniko1.9.1.tmpl
+7 -2
View File
@@ -1,4 +1,4 @@
image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.8.0{{else}}latest-kaniko1.8.0{{/if}}
image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
@@ -7,7 +7,12 @@ tags:
{{/if}}
manifests:
-
image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.8.0
image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
platform:
architecture: arm64
os: linux
docker/docker/manifest.tmpl
+5
View File
@@ -11,3 +11,8 @@ manifests:
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
platform:
architecture: arm64
os: linux
docker/ecr/Dockerfile.linux.amd64
+2 -1
View File
@@ -1,4 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.6.0
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV KANIKO_VERSION=1.23.2
ADD release/linux/amd64/kaniko-ecr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-ecr"]
docker/ecr/Dockerfile.linux.amd64.kaniko1.8.0 → docker/ecr/Dockerfile.linux.amd64.kaniko1.9.1
+2 -1
View File
@@ -1,4 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.8.0
FROM gcr.io/kaniko-project/executor:v1.9.1
ENV KANIKO_VERSION=1.9.1
ADD release/linux/amd64/kaniko-ecr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-ecr"]
docker/ecr/Dockerfile.linux.arm64
+2 -1
View File
@@ -1,7 +1,8 @@
FROM gcr.io/kaniko-project/executor:arm64-v1.6.0
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.2
ADD release/linux/arm64/kaniko-ecr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-ecr"]
docker/ecr/Dockerfile.linux.arm64.kaniko1.9.1
+5
View File
@@ -0,0 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.9.1
ENV KANIKO_VERSION=1.9.1
ADD release/linux/arm64/kaniko-ecr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-ecr"]
docker/ecr/manifest-kaniko1.8.0.tmpl
-13
View File
@@ -1,13 +0,0 @@
image: plugins/ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.8.0{{else}}latest-kaniko1.8.0{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
-
image: plugins/ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.8.0
platform:
architecture: amd64
os: linux
docker/ecr/manifest-kaniko1.9.1.tmpl
+18
View File
@@ -0,0 +1,18 @@
image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
-
image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
platform:
architecture: arm64
os: linux
docker/ecr/manifest.tmpl
+5
View File
@@ -10,4 +10,9 @@ manifests:
image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
platform:
architecture: arm64
os: linux
docker/gar/Dockerfile.linux.amd64
+5
View File
@@ -0,0 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV KANIKO_VERSION=1.23.2
ADD release/linux/amd64/kaniko-gar /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gar"]
docker/gar/Dockerfile.linux.amd64.kaniko1.9.1
+5
View File
@@ -0,0 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.9.1
ENV KANIKO_VERSION=1.9.1
ADD release/linux/amd64/kaniko-gar /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gar"]
docker/gar/Dockerfile.linux.arm64
+8
View File
@@ -0,0 +1,8 @@
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.2
ADD release/linux/arm64/kaniko-gar /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gar"]
docker/gar/Dockerfile.linux.arm64.kaniko1.9.1
+5
View File
@@ -0,0 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.9.1
ENV KANIKO_VERSION=1.9.1
ADD release/linux/arm64/kaniko-gar /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gar"]
docker/gar/manifest-kaniko1.9.1.tmpl
+18
View File
@@ -0,0 +1,18 @@
image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
-
image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
platform:
architecture: arm64
os: linux
docker/gar/manifest.tmpl
+18
View File
@@ -0,0 +1,18 @@
image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
-
image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
platform:
architecture: arm64
os: linux
docker/gcr/Dockerfile.linux.amd64
+2 -1
View File
@@ -1,4 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.6.0
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV KANIKO_VERSION=1.23.2
ADD release/linux/amd64/kaniko-gcr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gcr"]
docker/gcr/Dockerfile.linux.amd64.kaniko1.8.0 → docker/gcr/Dockerfile.linux.amd64.kaniko1.9.1
+2 -1
View File
@@ -1,4 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.8.0
FROM gcr.io/kaniko-project/executor:v1.9.1
ENV KANIKO_VERSION=1.9.1
ADD release/linux/amd64/kaniko-gcr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gcr"]
docker/gcr/Dockerfile.linux.arm64
+2 -1
View File
@@ -1,7 +1,8 @@
FROM gcr.io/kaniko-project/executor:arm64-v1.6.0
FROM gcr.io/kaniko-project/executor:v1.23.2
ENV HOME /root
ENV USER root
ENV KANIKO_VERSION=1.23.2
ADD release/linux/arm64/kaniko-gcr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gcr"]
docker/gcr/Dockerfile.linux.arm64.kaniko1.9.1
+5
View File
@@ -0,0 +1,5 @@
FROM gcr.io/kaniko-project/executor:v1.9.1
ENV KANIKO_VERSION=1.9.1
ADD release/linux/arm64/kaniko-gcr /kaniko/
ENTRYPOINT ["/kaniko/kaniko-gcr"]
docker/gcr/manifest-kaniko1.8.0.tmpl
-13
View File
@@ -1,13 +0,0 @@
image: plugins/gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.8.0{{else}}latest-kaniko1.8.0{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
-
image: plugins/gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.8.0
platform:
architecture: amd64
os: linux
docker/gcr/manifest-kaniko1.9.1.tmpl
+18
View File
@@ -0,0 +1,18 @@
image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
-
image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
platform:
architecture: arm64
os: linux
docker/gcr/manifest.tmpl
+5
View File
@@ -11,3 +11,8 @@ manifests:
platform:
architecture: amd64
os: linux
-
image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
platform:
architecture: arm64
os: linux
git-hooks/.gitleaksignore
View File
git-hooks/README.md
+8
View File
@@ -0,0 +1,8 @@
This document explains on how to install certain git hooks globally for all repositories in your machine.
Step 1: git clone https://github.com/drone/drone-kaniko.git
Step 2: cd git-hooks
Step 3: Run install.sh
"install.sh" script will create .git_template in the user directory and will put the git hook and its dependent scripts in it. Along with the .git_template folder, it will add 2 sections "init" and "hooks boolean" in the .gitconfig file in the same user's root directory.
After running "install.sh" if you create/clone a new git repository then all the hooks will get install automatically for the git repository. In case of existing git repository copy the contents of ~/.git_template/hooks into the .git/hooks directory of existing git repository.
git-hooks/hooks/git-leaks-pre-commit.sh
+17
View File
@@ -0,0 +1,17 @@
#!/bin/bash
#Helper script to be used as a pre-commit hook.
echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
GIT_LEAKS_PRE_COMMIT=s$(git config --bool hook.pre-commit.gitleak)
echo "INFO: Scanning Commits information for any GIT LEAKS"
gitleaks protect --staged -v --exit-code=100
STATUS=$?
if [ $STATUS = 100 ]; then
echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
else
exit 0
fi
git-hooks/hooks/git-leaks.sh
+18
View File
@@ -0,0 +1,18 @@
#!/bin/bash
#Helper script to be used as a pre-commit hook.
echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
GIT_LEAKS=$(git config --bool hook.pre-push.gitleaks)
echo "INFO: Scanning Commits information for any GIT LEAKS"
gitleaks detect -s ./ --log-level=debug --log-opts=-1 -v
STATUS=$?
if [ $STATUS != 0 ]; then
echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
exit $STATUS
else
exit 0
fi
git-hooks/hooks/pre-commit
+24
View File
@@ -0,0 +1,24 @@
#!/usr/bin/env bash
GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks-pre-commit.sh"
pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
BASENAME=`basename $0`
if git rev-parse --verify HEAD >/dev/null 2>&1
then
against=HEAD
else
#Initial commit : diff against an empty tree object
against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi
GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
if [ "`git config $GIT_LEAKS_PRE_COMMIT`" == "false" ]
then
echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS_PRE_COMMIT '\033[0m'
echo -e '\033[0;34m' checking git leaks ... to enable: '\033[0;37m'git config --add $GIT_LEAKS_PRE_COMMIT true '\033[0m'
else
echo -e '\033[0;34m' checking for git leaks...
[ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
fi
git-hooks/hooks/pre-push
+24
View File
@@ -0,0 +1,24 @@
#!/usr/bin/env bash
GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks.sh"
pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
BASENAME=`basename $0`
if git rev-parse --verify HEAD >/dev/null 2>&1
then
against=HEAD
else
#Initial commit : diff against an empty tree object
against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi
GIT_LEAKS=hook.pre-push.gitleaks
if [ "`git config $GIT_LEAKS`" == "false" ]
then
echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS '\033[0m'
echo -e '\033[0;34m' checking git leaks ... to enable: '\033[0;37m'git config --add $GIT_LEAKS true '\033[0m'
else
echo -e '\033[0;34m' checking for git leaks...
[ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
fi
git-hooks/install.sh
Executable
+44
View File
@@ -0,0 +1,44 @@
#!/usr/bin/env bash
#Function to check if package is installed or not
#args: $1: Name of the Package
function check_package_installed() {
LOCAL_PACKAGE_NAME=$1
echo "Checking if $LOCAL_PACKAGE_NAME is installed or not..."
brew list $LOCAL_PACKAGE_NAME
if [ "$?" -eq 1 ];then
echo "Installing $LOCAL_PACKAGE_NAME package..."
brew install $LOCAL_PACKAGE_NAME
fi
}
function create_git_template() {
cd $BASEDIR
mkdir -p ~/.git_template/hooks
git config --global init.templatedir ${GIT_TEMPLATE}
git config --global --add $GIT_LEAKS true
git config --global --add $GIT_LEAKS_PRE_COMMIT true
find hooks/ -type f -exec cp "{}" ~/.git_template/hooks \;
#cp -f hooks/* ~/.git_template/hooks
cat ~/.gitconfig
}
GIT_TEMPLATE="~/.git_template"
GIT_LEAKS=hook.pre-push.gitleaks
GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
pushd `dirname $0` && BASEDIR=$(pwd -L) && popd
echo This script will install hooks that run scripts that could be updated without notice.
while true; do
read -p "Do you wish to install these hooks?" yn
case $yn in
[Yy]* ) check_package_installed "gitleaks";
break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
create_git_template
go.mod
+52 -23
View File
@@ -1,34 +1,63 @@
module github.com/drone/drone-kaniko
require (
github.com/aws/aws-sdk-go-v2 v1.8.1
github.com/aws/aws-sdk-go-v2/config v1.6.1
github.com/aws/aws-sdk-go-v2/service/ecr v1.4.3
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.4.3
github.com/aws/smithy-go v1.7.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
github.com/aws/aws-sdk-go v1.44.52
github.com/aws/aws-sdk-go-v2 v1.16.7
github.com/aws/aws-sdk-go-v2/config v1.15.14
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.8
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8
github.com/aws/smithy-go v1.12.0
github.com/coreos/go-semver v0.3.0
github.com/google/go-cmp v0.5.6
github.com/joho/godotenv v1.3.0
github.com/google/go-cmp v0.6.0
github.com/google/go-containerregistry v0.20.3
github.com/hashicorp/go-version v1.6.0
github.com/joho/godotenv v1.4.0
github.com/pkg/errors v0.9.1
github.com/sirupsen/logrus v1.3.0
github.com/urfave/cli v1.22.2
golang.org/x/mod v0.4.2
github.com/sirupsen/logrus v1.9.3
github.com/stretchr/testify v1.9.0
github.com/urfave/cli v1.22.15
golang.org/x/mod v0.22.0
)
require (
github.com/aws/aws-sdk-go-v2/credentials v1.3.3 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.4.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.2.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.3 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.3.3 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.6.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.12.9 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/docker/cli v27.5.0+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect
github.com/russross/blackfriday/v2 v2.0.1 // indirect
github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect
golang.org/x/sys v0.0.0-20190412213103-97732733099d // indirect
github.com/klauspost/compress v1.17.11 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/vbatts/tar-split v0.11.6 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.29.0 // indirect
golang.org/x/text v0.13.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
go 1.17
go 1.23.0
toolchain go1.23.8
go.sum
+127 -64
View File
@@ -1,80 +1,143 @@
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/aws/aws-sdk-go-v2 v1.8.1 h1:GcFgQl7MsBygmeeqXyV1ivrTEmsVz/rdFJaTcltG9ag=
github.com/aws/aws-sdk-go-v2 v1.8.1/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0=
github.com/aws/aws-sdk-go-v2/config v1.6.1 h1:qrZINaORyr78syO1zfD4l7r4tZjy0Z1l0sy4jiysyOM=
github.com/aws/aws-sdk-go-v2/config v1.6.1/go.mod h1:t/y3UPu0XEDy0cEw6mvygaBQaPzWiYAxfP2SzgtvclA=
github.com/aws/aws-sdk-go-v2/credentials v1.3.3 h1:A13QPatmUl41SqUfnuT3V0E3XiNGL6qNTOINbE8cZL4=
github.com/aws/aws-sdk-go-v2/credentials v1.3.3/go.mod h1:oVieKMT3m9BSfqhOfuQ+E0j/yN84ZAJ7Qv8Sfume/ak=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.4.1 h1:rc+fRGvlKbeSd9IFhFS1KWBs0XjTkq0CfK5xqyLgIp0=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.4.1/go.mod h1:+GTydg3uHmVlQdkRoetz6VHKbOMEYof70m19IpMLifc=
github.com/aws/aws-sdk-go-v2/internal/ini v1.2.1 h1:IkqRRUZTKaS16P2vpX+FNc2jq3JWa3c478gykQp4ow4=
github.com/aws/aws-sdk-go-v2/internal/ini v1.2.1/go.mod h1:Pv3WenDjI0v2Jl7UaMFIIbPOBbhn33RmmAmGgkXDoqY=
github.com/aws/aws-sdk-go-v2/service/ecr v1.4.3 h1:d356GPVp5MzJ4n/xCBc26wLmRti0DoWO4WzNfxSesrY=
github.com/aws/aws-sdk-go-v2/service/ecr v1.4.3/go.mod h1:HlFOVFXSvCfI2oUmd/Vv1IZKJhEVFQru38BBupEYWxs=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.4.3 h1:EU9GrpMtGLCklSMLjuU6AZGG5wu6aiowxIgbfWwxrgs=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.4.3/go.mod h1:AAI7iB1GPqxjyKHbzLpBJdmH9/dPr34pxeLFdkKsONA=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.3 h1:VxFCgxsqWe7OThOwJ5IpFX3xrObtuIH9Hg/NW7oot1Y=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.3/go.mod h1:7gcsONBmFoCcKrAqrm95trrMd2+C/ReYKP7Vfu8yHHA=
github.com/aws/aws-sdk-go-v2/service/sso v1.3.3 h1:K2gCnGvAASpz+jqP9iyr+F/KNjmTYf8aWOtTQzhmZ5w=
github.com/aws/aws-sdk-go-v2/service/sso v1.3.3/go.mod h1:Jgw5O+SK7MZ2Yi9Yvzb4PggAPYaFSliiQuWR0hNjexk=
github.com/aws/aws-sdk-go-v2/service/sts v1.6.2 h1:l504GWCoQi1Pk68vSUFGLmDIEMzRfVGNgLakDK+Uj58=
github.com/aws/aws-sdk-go-v2/service/sts v1.6.2/go.mod h1:RBhoMJB8yFToaCnbe0jNq5Dcdy0jp6LhHqg55rjClkM=
github.com/aws/smithy-go v1.7.0 h1:+cLHMRrDZvQ4wk+KuQ9yH6eEg6KZEJ9RI2IkDqnygCg=
github.com/aws/smithy-go v1.7.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 h1:tz19qLF65vuu2ibfTqGVJxG/zZAI27NEIIbvAOQwYbw=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 h1:TsFCaaF5tR4XN8b4zLVl/J4qMb0nf80Q4CXcpXDNJDY=
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/aws/aws-sdk-go v1.44.52 h1:kHLbYJj59C7VrsLM4gm7pxsvaNIvhXCCIDYEFFoQ+VE=
github.com/aws/aws-sdk-go v1.44.52/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns=
github.com/aws/aws-sdk-go-v2 v1.16.7/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw=
github.com/aws/aws-sdk-go-v2/config v1.15.14 h1:+BqpqlydTq4c2et9Daury7gE+o67P4lbk7eybiCBNc4=
github.com/aws/aws-sdk-go-v2/config v1.15.14/go.mod h1:CQBv+VVv8rR5z2xE+Chdh5m+rFfsqeY4k0veEZeq6QM=
github.com/aws/aws-sdk-go-v2/credentials v1.12.9 h1:DloAJr0/jbvm0iVRFDFh8GlWxrOd9XKyX82U+dfVeZs=
github.com/aws/aws-sdk-go-v2/credentials v1.12.9/go.mod h1:2Vavxl1qqQXJ8MUcQZTsIEW8cwenFCWYXtLRPba3L/o=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 h1:VfBdn2AxwMbFyJN/lF/xuT3SakomJ86PZu3rCxb5K0s=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8/go.mod h1:oL1Q3KuCq1D4NykQnIvtRiBGLUXhcpY5pl6QZB2XEPU=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 h1:2C0pYHcUBmdzPj+EKNC4qj97oK6yjrUhc1KoSodglvk=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14/go.mod h1:kdjrMwHwrC3+FsKhNcCMJ7tUVj/8uSD5CZXeQ4wV6fM=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 h1:2J+jdlBJWEmTyAwC82Ym68xCykIvnSnIN18b8xHGlcc=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8/go.mod h1:ZIV8GYoC6WLBW5KGs+o4rsc65/ozd+eQ0L31XF5VDwk=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 h1:QquxR7NH3ULBsKC+NoTpilzbKKS+5AELfNREInbhvas=
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15/go.mod h1:Tkrthp/0sNBShQQsamR7j/zY4p19tVTAs+nnqhH6R3c=
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.8 h1:wgZo/yeY0f+2RWy2q1rTtZSPMmq37Zy3pY4QypHeurg=
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.8/go.mod h1:ItZADKTnGxqcqXABHyNpoBljQ8ORt4h+D39RToM/3Ds=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8 h1:uByYzUJNBrI4LN0H+HMA7yrDWQxe2f9cF7ZkiXltXRo=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8/go.mod h1:nPSH6Ebmb3OkKl7+CLSjx+SMBaoFKbOe9mZhTAd352k=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 h1:oKnAXxSF2FUvfgw8uzU/v9OTYorJJZ8eBmWhr9TWVVQ=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8/go.mod h1:rDVhIMAX9N2r8nWxDUlbubvvaFMnfsm+3jAV7q+rpM4=
github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 h1:760bUnTX/+d693FT6T6Oa7PZHfEQT9XMFZeM5IQIB0A=
github.com/aws/aws-sdk-go-v2/service/sso v1.11.12/go.mod h1:MO4qguFjs3wPGcCSpQ7kOFTwRvb+eu+fn+1vKleGHUk=
github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 h1:yOfILxyjmtr2ubRkRJldlHDFBhf5vw4CzhbwWIBmimQ=
github.com/aws/aws-sdk-go-v2/service/sts v1.16.9/go.mod h1:O1IvkYxr+39hRf960Us6j0x1P8pDqhTX+oXM5kQNl/Y=
github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0=
github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvDaFkLctbGM=
github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI=
github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.3.0 h1:hI/7Q+DtNZ2kINb6qt/lS+IyXnHQe9e90POfeewL/ME=
github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo=
github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
kaniko.go
+313 -32
View File
@@ -5,38 +5,86 @@ import (
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"strings"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/drone/drone-kaniko/pkg/artifact"
"github.com/drone/drone-kaniko/pkg/output"
"github.com/drone/drone-kaniko/pkg/tagger"
"github.com/google/go-containerregistry/pkg/crane"
"golang.org/x/mod/semver"
)
type (
// Build defines Docker build parameters.
Build struct {
DroneCommitRef string // Drone git commit reference
DroneRepoBranch string // Drone repo branch
Dockerfile string // Docker build Dockerfile
Context string // Docker build context
Tags []string // Docker build tags
AutoTag bool // Set this to auto detect tags from git commits and semver-tagged labels
AutoTagSuffix string // Suffix to append to the auto detect tags
ExpandTag bool // Set this to expand the `Tags` into semver-tagged labels
Args []string // Docker build args
Target string // Docker build target
Repo string // Docker build repository
Mirrors []string // Docker repository mirrors
Labels []string // Label map
SkipTlsVerify bool // Docker skip tls certificate verify for registry
SnapshotMode string // Kaniko snapshot mode
EnableCache bool // Whether to enable kaniko cache
CacheRepo string // Remote repository that will be used to store cached layers
CacheTTL int // Cache timeout in hours
DigestFile string // Digest file location
NoPush bool // Set this flag if you only want to build the image, without pushing to a registry
Verbosity string // Log level
Platform string // Allows to build with another default platform than the host, similarly to docker build --platform
Args []string // Docker build args
ArgsNew []string // docker build args with comma seperated values
AutoTag bool // Set this to auto detect tags from git commits and semver-tagged labels
AutoTagSuffix string // Suffix to append to the auto detect tags
CacheRepo string // Remote repository that will be used to store cached layers
CacheTTL int // Cache timeout in hours
Context string // Docker build context
DigestFile string // Digest file location
Dockerfile string // Docker build Dockerfile
DroneCommitRef string // Drone git commit reference
DroneRepoBranch string // Drone repo branch
EnableCache bool // Whether to enable kaniko cache
ExpandTag bool // Set this to expand the `Tags` into semver-tagged labels
IsMultipleBuildArgs bool // env variable for fallback for docker build args
Labels []string // Label map
Mirrors []string // Docker repository mirrors
NoPush bool // Set this flag if you only want to build the image, without pushing to a registry
Platform string // Allows to build with another default platform than the host, similarly to docker build --platform
PushOnly bool // Specify if the operation is push-only.
Repo string // Docker build repository
SkipTlsVerify bool // Docker skip tls certificate verify for registry
SkipUnusedStages bool // Build only used stages
SnapshotMode string // Kaniko snapshot mode
SourceTarPath string // Path to the local tarball to be pushed
Tags []string // Docker build tags
TarPath string // Set this flag to save the image as a tarball at path
Target string // Docker build target
Verbosity string // Log level
Cache bool // Enable or disable caching during the build process.
CacheDir string // Directory to store cached layers.
CacheCopyLayers bool // Enable or disable copying layers from the cache.
CacheRunLayers bool // Enable or disable running layers from the cache.
Cleanup bool // Enable or disable cleanup of temporary files.
CompressedCaching *bool // Enable or disable compressed caching.
ContextSubPath string // Sub-path within the context to build.
CustomPlatform string // Platform to use for building.
Force bool // Force building the image even if it already exists.
Git bool // Branch to clone if build context is a git repository .
ImageNameWithDigestFile string // Write image name with digest to a file.
ImageNameTagWithDigestFile string // Write image name with tag and digest to a file.
Insecure bool // Allow connecting to registries without TLS.
InsecurePull bool // Allow insecure pulls from the registry.
InsecureRegistry string // Use plain HTTP for registry communication.
Label string // Add metadata to an image.
LogFormat string // Set the log format for build output.
LogTimestamp bool // Show timestamps in build output.
OCILayoutPath string // Directory to store OCI layout.
PushRetry int // Number of times to retry pushing an image.
RegistryCertificate string // Path to a file containing a registry certificate.
RegistryClientCert string // Path to a file containing a registry client certificate.
RegistryMirror string // Mirror for registry pulls.
SkipDefaultRegistryFallback bool // Skip Docker Hub and default registry fallback.
Reproducible bool // Create a reproducible image.
SingleSnapshot bool // Only create a single snapshot of the image.
SkipTLSVerify bool // Skip TLS verification when connecting to the registry.
SkipPushPermissionCheck bool // Skip permission check when pushing.
SkipTLSVerifyPull bool // Skip TLS verification when pulling.
SkipTLSVerifyRegistry bool // Skip TLS verification when connecting to a registry.
UseNewRun bool // Use the new container runtime (`runc`) for builds.
IgnoreVarRun *bool // Ignore `/var/run` when copying from the context.
IgnorePath string // Ignore files matching the specified path pattern.
IgnorePaths []string // Ignore files matching the specified path pattern.
ImageFSExtractRetry int // Number of times to retry extracting the image filesystem.
ImageDownloadRetry int // Number of times to retry downloading layers.
}
// Artifact defines content of artifact file
@@ -48,10 +96,20 @@ type (
ArtifactFile string // Artifact file location
}
// Output defines content of output file
Output struct {
OutputFile string // File where plugin output are saved
}
// Plugin defines the Docker plugin parameters.
Plugin struct {
Build Build // Docker build configuration
Artifact Artifact // Artifact file content
Output Output // Output file content
// parameters for UTs to mock crane functionality
LoadImageFromTarball func(string) (v1.Image, error)
PushImageToRegistry func(v1.Image, string) error
}
)
@@ -122,10 +180,53 @@ func (b Build) AutoTags() (tags []string, err error) {
// Exec executes the plugin step
func (p Plugin) Exec() error {
if p.Build.NoPush && p.Build.PushOnly {
return fmt.Errorf("inputs no-push and push-only cannot be used together. please define only one")
}
if !p.Build.NoPush && p.Build.Repo == "" {
return fmt.Errorf("repository name to publish image must be specified")
}
if p.Build.PushOnly {
// When push-only is set, source_tar_path MUST be provided
if p.Build.SourceTarPath == "" {
return fmt.Errorf("source_tar_path is required when push_only is set. please provide a valid tarball path")
}
if _, err := os.Stat(p.Build.SourceTarPath); os.IsNotExist(err) {
return fmt.Errorf("image tarball does not exist at path: %s", p.Build.SourceTarPath)
}
if p.Build.Repo == "" {
return fmt.Errorf("missing required destination repository for push-only operation")
}
// Load the image from the tarball
img, err := crane.Load(p.Build.SourceTarPath)
if err != nil {
return fmt.Errorf("failed to load image from tarball: %v", err)
}
// If no tags are specified, use 'latest'
tags := p.Build.Tags
for _, tag := range tags {
dest := fmt.Sprintf("%s:%s", p.Build.Repo, tag)
// Push the image to the destination
err := crane.Push(img, dest)
if err != nil {
return fmt.Errorf("failed to push image from tarball [%s] to destination [%s]: %v", p.Build.SourceTarPath, dest, err)
}
fmt.Printf("Successfully pushed image - '%s'\n to %s\n", dest, p.Build.Repo)
}
return nil
}
if _, err := os.Stat(p.Build.Dockerfile); os.IsNotExist(err) {
return fmt.Errorf("dockerfile does not exist at path: %s", p.Build.Dockerfile)
}
@@ -147,17 +248,24 @@ func (p Plugin) Exec() error {
fmt.Sprintf("--context=dir://%s", p.Build.Context),
}
// Set the destination repository
if !p.Build.NoPush {
// Set the destination repository only when we push or save to tarball
if !p.Build.NoPush || p.Build.TarPath != "" {
for _, tag := range tags {
for _, label := range p.Build.labelsForTag(tag) {
cmdArgs = append(cmdArgs, fmt.Sprintf("--destination=%s:%s", p.Build.Repo, label))
}
}
}
// Set the build arguments
for _, arg := range p.Build.Args {
cmdArgs = append(cmdArgs, fmt.Sprintf("--build-arg=%s", arg))
if p.Build.IsMultipleBuildArgs {
for _, arg := range p.Build.ArgsNew {
cmdArgs = append(cmdArgs, "--build-arg", arg)
}
} else {
for _, arg := range p.Build.Args {
cmdArgs = append(cmdArgs, "--build-arg", arg)
}
}
// Set the labels
for _, label := range p.Build.Labels {
@@ -176,7 +284,7 @@ func (p Plugin) Exec() error {
}
if p.Build.SnapshotMode != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshotMode=%s", p.Build.SnapshotMode))
cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshot-mode=%s", p.Build.SnapshotMode))
}
if p.Build.EnableCache {
@@ -207,6 +315,157 @@ func (p Plugin) Exec() error {
cmdArgs = append(cmdArgs, fmt.Sprintf("--customPlatform=%s", p.Build.Platform))
}
if p.Build.SkipUnusedStages {
cmdArgs = append(cmdArgs, "--skip-unused-stages")
}
if p.Build.TarPath != "" {
tarDir := filepath.Dir(p.Build.TarPath)
if _, err := os.Stat(tarDir); os.IsNotExist(err) {
if mkdirErr := os.MkdirAll(tarDir, 0755); mkdirErr != nil {
return fmt.Errorf("failed to create directory for tar path %s: %v", tarDir, mkdirErr)
}
}
cmdArgs = append(cmdArgs, fmt.Sprintf("--tar-path=%s", p.Build.TarPath))
}
if p.Build.CacheCopyLayers {
cmdArgs = append(cmdArgs, "--cache-copy-layers")
}
if p.Build.CacheRunLayers {
cmdArgs = append(cmdArgs, "--cache-run-layers=true")
}
if p.Build.Cleanup {
cmdArgs = append(cmdArgs, "--cleanup=true")
}
if p.Build.CompressedCaching != nil {
if *p.Build.CompressedCaching {
cmdArgs = append(cmdArgs, "--compressed-caching=true")
} else {
cmdArgs = append(cmdArgs, "--compressed-caching=false")
}
}
if p.Build.ContextSubPath != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--context-sub-path=%s", p.Build.ContextSubPath))
}
if p.Build.CustomPlatform != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--custom-platform=%s", p.Build.CustomPlatform))
}
if p.Build.Force {
cmdArgs = append(cmdArgs, "--force")
}
if p.Build.Git {
cmdArgs = append(cmdArgs, "--git")
}
if p.Build.ImageNameWithDigestFile != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--image-name-with-digest-file=%s", p.Build.ImageNameWithDigestFile))
}
if p.Build.ImageNameTagWithDigestFile != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--image-name-tag-with-digest-file=%s", p.Build.ImageNameTagWithDigestFile))
}
if p.Build.Insecure {
cmdArgs = append(cmdArgs, "--insecure")
}
if p.Build.InsecurePull {
cmdArgs = append(cmdArgs, "--insecure-pull")
}
if p.Build.InsecureRegistry != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--insecure-registry=%s", p.Build.InsecureRegistry))
}
if p.Build.LogFormat != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--log-format=%s", p.Build.LogFormat))
}
if p.Build.LogTimestamp {
cmdArgs = append(cmdArgs, "--log-timestamp")
}
if p.Build.OCILayoutPath != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--oci-layout-path=%s", p.Build.OCILayoutPath))
}
if p.Build.PushRetry != 0 {
cmdArgs = append(cmdArgs, fmt.Sprintf("--push-retry=%d", p.Build.PushRetry))
}
if p.Build.RegistryCertificate != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-certificate=%s", p.Build.RegistryCertificate))
}
if p.Build.RegistryClientCert != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-client-cert=%s", p.Build.RegistryClientCert))
}
if p.Build.SkipDefaultRegistryFallback {
cmdArgs = append(cmdArgs, "--skip-default-registry-fallback")
}
if p.Build.Reproducible {
cmdArgs = append(cmdArgs, "--reproducible")
}
if p.Build.SingleSnapshot {
cmdArgs = append(cmdArgs, "--single-snapshot")
}
if p.Build.SkipPushPermissionCheck {
cmdArgs = append(cmdArgs, "--skip-push-permission-check")
}
if p.Build.SkipTLSVerifyPull {
cmdArgs = append(cmdArgs, "--skip-tls-verify-pull")
}
if p.Build.SkipTLSVerifyRegistry {
cmdArgs = append(cmdArgs, "--skip-tls-verify-registry")
}
if p.Build.UseNewRun {
cmdArgs = append(cmdArgs, "--use-new-run")
}
if p.Build.IgnoreVarRun != nil {
if *p.Build.IgnoreVarRun {
cmdArgs = append(cmdArgs, "--ignore-var-run=true")
} else {
cmdArgs = append(cmdArgs, "--ignore-var-run=false")
}
}
if p.Build.IgnorePath != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", p.Build.IgnorePath))
}
if p.Build.IgnorePaths != nil {
for _, path := range p.Build.IgnorePaths {
trimmed := strings.TrimSpace(path)
if trimmed != "" {
cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", trimmed))
}
}
}
if p.Build.ImageFSExtractRetry != 0 {
cmdArgs = append(cmdArgs, fmt.Sprintf("--image-fs-extract-retry=%d", p.Build.ImageFSExtractRetry))
}
if p.Build.ImageDownloadRetry != 0 {
cmdArgs = append(cmdArgs, fmt.Sprintf("--image-download-retry=%d", p.Build.ImageDownloadRetry))
}
cmd := exec.Command("/kaniko/executor", cmdArgs...)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
@@ -218,19 +477,41 @@ func (p Plugin) Exec() error {
}
if p.Build.DigestFile != "" && p.Artifact.ArtifactFile != "" {
content, err := ioutil.ReadFile(p.Build.DigestFile)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to read digest file contents at path: %s with error: %s\n", p.Build.DigestFile, err)
}
err = artifact.WritePluginArtifactFile(p.Artifact.RegistryType, p.Artifact.ArtifactFile, p.Artifact.Registry, p.Artifact.Repo, string(content), p.Artifact.Tags)
err = artifact.WritePluginArtifactFile(p.Artifact.RegistryType, p.Artifact.ArtifactFile, p.Artifact.Registry, p.Artifact.Repo, getDigest(p.Build.DigestFile), p.Artifact.Tags)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to write plugin artifact file at path: %s with error: %s\n", p.Artifact.ArtifactFile, err)
}
}
p.Output.OutputFile = os.Getenv("DRONE_OUTPUT")
var tarPath string
if p.Build.TarPath != "" {
tarPath = getTarPath(p.Build.TarPath)
}
if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile), tarPath); err != nil {
fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
}
return nil
}
func getTarPath(tarPath string) string {
tarDir := filepath.Dir(tarPath)
if _, err := os.Stat(tarDir); err != nil && os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "Warning: tar path does not exist: %s\n", tarPath)
return ""
}
return tarPath
}
func getDigest(digestFile string) string {
content, err := ioutil.ReadFile(digestFile)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to read digest file contents at path: %s with error: %s\n", digestFile, err)
}
return string(content)
}
// trace writes each command to stdout with the command wrapped in an xml
// tag so that it can be extracted and displayed in the logs.
func trace(cmd *exec.Cmd) {
kaniko_test.go
+314 -1
View File
@@ -1,6 +1,10 @@
package kaniko
import (
"archive/tar"
"fmt"
"os"
"path/filepath"
"testing"
"github.com/google/go-cmp/cmp"
@@ -100,7 +104,16 @@ func TestBuild_AutoTags(t *testing.T) {
},
},
{
name: "tag push",
name: "beta tag push",
repoBranch: "master",
commitRef: "refs/tags/v1.0.0-beta.1",
autoTagSuffix: "",
expectedTags: []string{
"1.0.0-beta.1",
},
},
{
name: "tag push with suffix",
repoBranch: "master",
commitRef: "refs/tags/v1.0.0",
autoTagSuffix: "linux-amd64",
@@ -139,3 +152,303 @@ func TestBuild_AutoTags(t *testing.T) {
}
})
}
func TestTarPathValidation(t *testing.T) {
tests := []struct {
name string
tarPath string
setup func(string) error
cleanup func(string) error
expectSuccess bool
privileged bool
}{
{
name: "valid_path_privileged",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-image-tar")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectSuccess: true,
privileged: true,
},
{
name: "valid_path_unprivileged",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-image-tar")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectSuccess: true,
privileged: false,
},
{
name: "empty_path",
tarPath: "",
setup: func(path string) error { return nil },
cleanup: func(path string) error { return nil },
expectSuccess: false,
privileged: false,
},
{
name: "relative_path_dots",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-image-tar")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectSuccess: true,
privileged: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Skip privileged tests if not running as root
if tt.privileged && os.Getuid() != 0 {
t.Skip("Skipping privileged test as not running as root")
}
if err := tt.setup(tt.tarPath); err != nil {
t.Fatalf("Setup failed: %v", err)
}
defer tt.cleanup(tt.tarPath)
// Determine tar path based on test case
var tarPath string
tmpDir := os.Getenv("DRONE_WORKSPACE")
switch tt.name {
case "valid_path_privileged", "valid_path_unprivileged":
tarPath = filepath.Join(tmpDir, "test", "image.tar")
case "invalid_path_no_permissions":
tarPath = "/test/image.tar"
case "relative_path_dots":
tarPath = filepath.Join("..", "test", "image.tar")
default:
tarPath = tt.tarPath
}
p := Plugin{
Build: Build{
TarPath: tarPath,
},
}
tarDir := filepath.Dir(p.Build.TarPath)
err := os.MkdirAll(tarDir, 0755)
if tt.expectSuccess {
if err != nil {
t.Errorf("Expected directory creation to succeed, got error: %v", err)
}
if _, err := os.Stat(tarDir); err != nil {
t.Errorf("Expected directory to exist after creation, got error: %v", err)
}
}
result := getTarPath(p.Build.TarPath)
if tt.expectSuccess && result == "" {
t.Error("Expected non-empty tar path, got empty string")
}
if !tt.expectSuccess && result != "" {
t.Error("Expected empty tar path, got non-empty string")
}
})
}
}
func TestSourceTarballPush(t *testing.T) {
tests := []struct {
name string
sourceTarPath string
repo string
autoTag bool
tags []string
commitRef string
repoBranch string
expectedError bool
expectedTags []string
mockLoadErr error
mockPushErr error
}{
{
name: "empty_repo_fails",
sourceTarPath: "/path/to/image.tar",
repo: "",
expectedError: true,
},
{
name: "nonexistent_tarball_fails",
sourceTarPath: "/path/that/does/not/exist/image.tar",
repo: "test-repo",
expectedError: true,
},
{
name: "load_image_fails",
sourceTarPath: createTestTarball(t),
repo: "test-repo",
expectedError: true,
mockLoadErr: fmt.Errorf("load failed"),
},
{
name: "push_image_fails",
sourceTarPath: createTestTarball(t),
repo: "test-repo",
expectedError: true,
expectedTags: []string{"latest"},
mockPushErr: fmt.Errorf("push failed"),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
mockPlugin := Plugin{
Build: Build{
SourceTarPath: tt.sourceTarPath,
Repo: tt.repo,
Tags: tt.tags,
AutoTag: tt.autoTag,
DroneCommitRef: tt.commitRef,
DroneRepoBranch: tt.repoBranch,
},
LoadImageFromTarball: MockCraneLoad(tt.sourceTarPath, tt.mockLoadErr),
PushImageToRegistry: MockCranePush(tt.mockPushErr),
}
err := mockPlugin.Exec()
if tt.expectedError {
if err == nil {
t.Errorf("Expected an error, but got none")
}
} else {
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
}
})
}
}
// Helper function to create a test tarball
func createTestTarball(t *testing.T) string {
// Create a temporary directory for the tarball contents
tmpDir, err := os.MkdirTemp("", "test-tarball-*")
if err != nil {
t.Fatalf("Failed to create temp directory: %v", err)
}
defer os.RemoveAll(tmpDir)
// Create a minimal `manifest.json` file with a valid hash
manifestPath := filepath.Join(tmpDir, "manifest.json")
manifestContent := `[{
"Config": "config.json",
"RepoTags": ["test-repo:latest"],
"Layers": ["layer.tar"]
}]`
err = os.WriteFile(manifestPath, []byte(manifestContent), 0644)
if err != nil {
t.Fatalf("Failed to create manifest.json: %v", err)
}
// Create a valid `config.json` file with a dummy hash
configPath := filepath.Join(tmpDir, "config.json")
configContent := `{
"architecture": "amd64",
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": ["sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
}
}`
err = os.WriteFile(configPath, []byte(configContent), 0644)
if err != nil {
t.Fatalf("Failed to create config.json: %v", err)
}
// Create a dummy `layer.tar` file
layerPath := filepath.Join(tmpDir, "layer.tar")
layerFile, err := os.Create(layerPath)
if err != nil {
t.Fatalf("Failed to create layer.tar: %v", err)
}
defer layerFile.Close()
_, err = layerFile.Write([]byte("dummy layer content"))
if err != nil {
t.Fatalf("Failed to write to layer.tar: %v", err)
}
// Create a tarball from the temp directory
tarballPath := filepath.Join(os.TempDir(), "test-image.tar")
tarballFile, err := os.Create(tarballPath)
if err != nil {
t.Fatalf("Failed to create tarball: %v", err)
}
defer tarballFile.Close()
tw := tar.NewWriter(tarballFile)
defer tw.Close()
err = filepath.Walk(tmpDir, func(path string, info os.FileInfo, err error) error {
if err != nil {
return err
}
relPath, _ := filepath.Rel(tmpDir, path)
if relPath == "." {
return nil
}
header, err := tar.FileInfoHeader(info, path)
if err != nil {
return err
}
header.Name = relPath
if err := tw.WriteHeader(header); err != nil {
return err
}
if !info.IsDir() {
fileContent, err := os.ReadFile(path)
if err != nil {
return err
}
_, err = tw.Write(fileContent)
if err != nil {
return err
}
}
return nil
})
if err != nil {
t.Fatalf("Failed to write tarball: %v", err)
}
return tarballPath
}
mock_crane.go
+71
View File
@@ -0,0 +1,71 @@
package kaniko
import (
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/types"
)
func MockCraneLoad(path string, loadErr error) func(string) (v1.Image, error) {
return func(inputPath string) (v1.Image, error) {
if loadErr != nil {
return nil, loadErr
}
return &mockImage{}, nil
}
}
func MockCranePush(pushErr error) func(v1.Image, string) error {
return func(img v1.Image, dest string) error {
if pushErr != nil {
return pushErr
}
return nil
}
}
// mockImage is a mock implementation of v1.Image interface
type mockImage struct{}
func (m *mockImage) Size() (int64, error) {
return 0, nil
}
func (m *mockImage) RawConfigFile() ([]byte, error) {
return nil, nil
}
func (m *mockImage) Digest() (v1.Hash, error) {
return v1.Hash{}, nil
}
func (m *mockImage) Manifest() (*v1.Manifest, error) {
return nil, nil
}
func (m *mockImage) RawManifest() ([]byte, error) {
return nil, nil
}
func (m *mockImage) LayerByDigest(hash v1.Hash) (v1.Layer, error) {
return nil, nil
}
func (m *mockImage) LayerByDiffID(hash v1.Hash) (v1.Layer, error) {
return nil, nil
}
func (m *mockImage) Layers() ([]v1.Layer, error) {
return nil, nil
}
func (m *mockImage) MediaType() (types.MediaType, error) {
return "", nil
}
func (m *mockImage) ConfigFile() (*v1.ConfigFile, error) {
return nil, nil
}
func (m *mockImage) ConfigName() (v1.Hash, error) {
return v1.Hash{}, nil
}
pkg/artifact/artifact.go
+1
View File
@@ -20,6 +20,7 @@ const (
Docker RegistryTypeEnum = "Docker"
ECR RegistryTypeEnum = "ECR"
GCR RegistryTypeEnum = "GCR"
GAR RegistryTypeEnum = "GAR"
)
type (
pkg/docker/config.go
+67 -4
View File
@@ -2,7 +2,18 @@ package docker
import (
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"os"
"github.com/pkg/errors"
)
const (
v2HubRegistryURL string = "https://registry.hub.docker.com/v2/"
v1RegistryURL string = "https://index.docker.io/v1/" // Default registry
v2RegistryURL string = "https://index.docker.io/v2/" // v2 registry is not supported
)
type (
@@ -12,19 +23,25 @@ type (
Config struct {
Auths map[string]Auth `json:"auths"`
CredHelpers map[string]string `json:"credHelpers"`
CredHelpers map[string]string `json:"credHelpers,omitempty"`
}
)
type RegistryCredentials struct {
Registry string
Username string
Password string
}
func NewConfig() *Config {
return &Config{
Auths: map[string]Auth{},
CredHelpers: map[string]string{},
Auths: make(map[string]Auth),
CredHelpers: make(map[string]string),
}
}
func (c *Config) SetAuth(registry, username, password string) {
authBytes := []byte(fmt.Sprintf("%s:%s", username, password))
authBytes := []byte(username + ":" + password)
encodedString := base64.StdEncoding.EncodeToString(authBytes)
c.Auths[registry] = Auth{Auth: encodedString}
}
@@ -32,3 +49,49 @@ func (c *Config) SetAuth(registry, username, password string) {
func (c *Config) SetCredHelper(registry, helper string) {
c.CredHelpers[registry] = helper
}
func (c *Config) CreateDockerConfig(credentials []RegistryCredentials, dockerPath string) error {
for _, cred := range credentials {
if cred.Registry != "" {
// update v2 docker registry to v1
if cred.Registry == v2RegistryURL || cred.Registry == v2HubRegistryURL {
fmt.Printf("Docker v2 registry '%s' is not supported in kaniko. Refer issue: https://github.com/GoogleContainerTools/kaniko/issues/1209\n", cred.Registry)
fmt.Printf("Using v1 registry instead: %s\n", v1RegistryURL)
cred.Registry = v1RegistryURL
}
if cred.Username == "" {
return fmt.Errorf("Username must be specified for registry: %s", cred.Registry)
}
if cred.Password == "" {
return fmt.Errorf("Password must be specified for registry: %s", cred.Registry)
}
c.SetAuth(cred.Registry, cred.Username, cred.Password)
}
}
jsonBytes, err := json.Marshal(c)
if err != nil {
return errors.Wrap(err, "failed to serialize docker config json")
}
if err := WriteDockerConfig(jsonBytes, dockerPath); err != nil {
return errors.Wrap(err, fmt.Sprintf("failed to write docker config to path: %s", dockerPath))
}
return nil
}
func WriteDockerConfig(data []byte, path string) (string error) {
err := os.MkdirAll(path, 0600)
if err != nil {
if !os.IsExist(err) {
return errors.Wrap(err, fmt.Sprintf("failed to create %s directory", path))
}
}
filePath := path + "/config.json"
err = ioutil.WriteFile(filePath, data, 0644)
if err != nil {
return errors.Wrap(err, fmt.Sprintf("failed to create docker config file at %s", path))
}
return nil
}
pkg/docker/config_test.go
+38 -8
View File
@@ -2,24 +2,54 @@ package docker
import (
"encoding/json"
"io/ioutil"
"os"
"path/filepath"
"testing"
"github.com/stretchr/testify/assert"
)
func TestConfig(t *testing.T) {
c := NewConfig()
assert.NotNil(t, c.Auths)
assert.NotNil(t, c.CredHelpers)
c.SetAuth(RegistryV1, "test", "password")
expectedAuth := Auth{Auth: "dGVzdDpwYXNzd29yZA=="}
assert.Equal(t, expectedAuth, c.Auths[RegistryV1])
c.SetCredHelper(RegistryECRPublic, "ecr-login")
assert.Equal(t, "ecr-login", c.CredHelpers[RegistryECRPublic])
bytes, err := json.Marshal(c)
if err != nil {
t.Error("json marshal failed")
tempDir, err := ioutil.TempDir("", "docker-config-test")
assert.NoError(t, err)
defer os.RemoveAll(tempDir)
credentials := []RegistryCredentials{
{
Registry: "https://index.docker.io/v1/",
Username: "user1",
Password: "pass1",
},
{
Registry: "gcr.io",
Username: "user2",
Password: "pass2",
},
}
want := `{"auths":{"https://index.docker.io/v1/":{"auth":"dGVzdDpwYXNzd29yZA=="}},"credHelpers":{"public.ecr.aws":"ecr-login"}}`
got := string(bytes)
err = c.CreateDockerConfig(credentials, tempDir)
assert.NoError(t, err)
if want != got {
t.Errorf("unexpected json output:\n want: %s\n got: %s", want, got)
}
configPath := filepath.Join(tempDir, "config.json")
data, err := ioutil.ReadFile(configPath)
assert.NoError(t, err)
var configFromFile Config
err = json.Unmarshal(data, &configFromFile)
assert.NoError(t, err)
assert.Equal(t, c.Auths, configFromFile.Auths)
assert.Equal(t, c.CredHelpers, configFromFile.CredHelpers)
}
pkg/output/output.go
+18
View File
@@ -0,0 +1,18 @@
package output
import (
"github.com/joho/godotenv"
)
func WritePluginOutputFile(outputFilePath, digest string, pluginTarPath string) error {
output := make(map[string]string)
if digest != "" {
output["digest"] = digest
}
if pluginTarPath != "" {
output["IMAGE_TAR_PATH"] = pluginTarPath
}
return godotenv.Write(output, outputFilePath)
}
pkg/output/output_test.go
+145
View File
@@ -0,0 +1,145 @@
package output
import (
"os"
"path/filepath"
"testing"
)
func TestWritePluginOutputFile(t *testing.T) {
tests := []struct {
name string
outputPath string
digest string
tarPath string
setup func(string) error
cleanup func(string) error
expectError bool
privileged bool
}{
{
name: "valid_output_privileged",
outputPath: "",
digest: "sha256:test",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-output")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectError: false,
privileged: true,
},
{
name: "valid_output_unprivileged",
outputPath: "",
digest: "sha256:test",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-output")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectError: false,
privileged: false,
},
{
name: "digest_only",
outputPath: "",
digest: "sha256:test",
tarPath: "",
setup: func(path string) error {
tmpDir, err := os.MkdirTemp("", "test-output")
if err != nil {
return err
}
os.Setenv("DRONE_WORKSPACE", tmpDir)
return nil
},
cleanup: func(path string) error {
tmpDir := os.Getenv("DRONE_WORKSPACE")
os.Unsetenv("DRONE_WORKSPACE")
return os.RemoveAll(tmpDir)
},
expectError: false,
privileged: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Skip privileged tests if not running as root
if tt.privileged && os.Getuid() != 0 {
t.Skip("Skipping privileged test as not running as root")
}
if err := tt.setup(tt.outputPath); err != nil {
t.Fatalf("Setup failed: %v", err)
}
defer tt.cleanup(tt.outputPath)
tmpDir := os.Getenv("DRONE_WORKSPACE")
var outputPath, tarPath string
switch tt.name {
case "valid_output_privileged", "valid_output_unprivileged":
outputPath = filepath.Join(tmpDir, "test", "output.env")
tarPath = filepath.Join(tmpDir, "test", "image.tar")
case "invalid_output_path":
outputPath = filepath.Join("/root", "test", "output.env")
tarPath = filepath.Join("/root", "test", "image.tar")
case "digest_only":
outputPath = filepath.Join(tmpDir, "test", "output.env")
tarPath = ""
}
err := os.MkdirAll(filepath.Dir(outputPath), 0755)
if err != nil {
t.Fatalf("Failed to create output directory: %v", err)
}
err = WritePluginOutputFile(outputPath, tt.digest, tarPath)
if tt.expectError && err == nil {
t.Error("Expected error, got none")
}
if !tt.expectError && err != nil {
t.Errorf("Expected no error, got: %v", err)
}
if !tt.expectError && err == nil {
content, err := os.ReadFile(outputPath)
if err != nil {
t.Fatalf("Failed to read output file: %v", err)
}
if tt.digest != "" && !contains(string(content), tt.digest) {
t.Error("Expected digest in output file")
}
if tarPath != "" && !contains(string(content), tarPath) {
t.Error("Expected tar path in output file")
}
}
})
}
}
func contains(content, substring string) bool {
return len(substring) > 0 && content != "" && content != "\n" && content != "\r\n"
}
scripts/build.sh
+6
View File
@@ -11,13 +11,19 @@ set -x
# linux
GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gcr ./cmd/kaniko-gcr
GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-acr ./cmd/kaniko-acr
GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-ecr ./cmd/kaniko-ecr
GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gar ./cmd/kaniko-gar
GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gcr ./cmd/kaniko-gcr
GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-acr ./cmd/kaniko-acr
GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-ecr ./cmd/kaniko-ecr
GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-docker ./cmd/kaniko-docker
GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gar ./cmd/kaniko-gar
GOOS=linux GOARCH=arm go build -o release/linux/arm/kaniko-gcr ./cmd/kaniko-gcr
GOOS=linux GOARCH=arm go build -o release/linux/arm/kaniko-acr ./cmd/kaniko-acr
GOOS=linux GOARCH=arm go build -o release/linux/arm/kaniko-ecr ./cmd/kaniko-ecr
GOOS=linux GOARCH=arm go build -o release/linux/arm/kaniko-docker ./cmd/kaniko-docker
GOOS=linux GOARCH=arm go build -o release/linux/arm/kaniko-gar ./cmd/kaniko-gar
scripts/docker.sh
+2
View File
@@ -15,10 +15,12 @@ set -x
# build the binary
go build -o release/linux/amd64/kaniko-gcr ./cmd/kaniko-gcr
go build -o release/linux/amd64/kaniko-gar ./cmd/kaniko-gar
go build -o release/linux/amd64/kaniko-ecr ./cmd/kaniko-ecr
go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
# build the docker image
docker build -f docker/gcr/Dockerfile.linux.amd64 -t plugins/kaniko-gcr .
docker build -f docker/gar/Dockerfile.linux.amd64 -t plugins/kaniko-gar .
docker build -f docker/ecr/Dockerfile.linux.amd64 -t plugins/kaniko-ecr .
docker build -f docker/docker/Dockerfile.linux.amd64 -t plugins/kaniko .