Add push-only support to Kaniko-GAR

2026-06-16 14:49:02 +08:00 · 2025-05-12 20:24:42 +05:30
2 changed files with 8 additions and 63 deletions
@@ -37,7 +37,7 @@ pipeline:
                      identifier: Build
                      spec:
                        connectorRef: Plugins_Docker_Hub_Connector
-                        image: golang:1.23.0
+                        image: golang:1.22.4
                        shell: Sh
                        command: |-
                          go test ./...
@@ -322,7 +322,7 @@ pipeline:
                      identifier: Build_and_Test
                      spec:
                        connectorRef: Plugins_Docker_Hub_Connector
-                        image: golang:1.23.0
+                        image: golang:1.22.4
                        shell: Sh
                        command: |-
                          go test ./...
@@ -1,12 +1,9 @@
 package main

 import (
-	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
-	"path/filepath"

 	"github.com/joho/godotenv"
 	"github.com/pkg/errors"
@@ -16,7 +13,6 @@ import (
 	kaniko "github.com/drone/drone-kaniko"
 	"github.com/drone/drone-kaniko/pkg/artifact"
 	"github.com/drone/drone-kaniko/pkg/docker"
-	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/crane"
 )

@@ -507,70 +503,19 @@ func handlePushOnly(c *cli.Context) error {
 		return fmt.Errorf("repository and registry must be specified for push-only operation")
 	}

-	// Authentication options for crane
-	var opts []crane.Option
-
 	// Setup GAR authentication
 	jsonKey := c.String("json-key")
+	var opts []crane.Option
+
+	// Configure GAR authentication if JSON key is provided
 	if jsonKey != "" {
 		if err := setupGARAuth(jsonKey); err != nil {
 			return err
 		}

-		logrus.Info("Setting up authentication for GAR")
-
-		// Create Docker config directory if it doesn't exist
-		dockerConfigDir := "/kaniko/.docker"
-		if err := os.MkdirAll(dockerConfigDir, 0755); err != nil {
-			return fmt.Errorf("failed to create Docker config directory: %v", err)
-		}
-
-		// Generate a Docker config with GAR auth
-		type DockerAuth struct {
-			Username string `json:"username"`
-			Password string `json:"password"`
-			Auth     string `json:"auth"`
-		}
-
-		type DockerConfig struct {
-			Auths map[string]DockerAuth `json:"auths"`
-		}
-
-		// Create proper Auth field (base64 encoded username:password)
-		username := "_json_key"
-		authString := base64.StdEncoding.EncodeToString([]byte(username + ":" + jsonKey))
-
-		// Use _json_key as username and the key content as password for GAR
-		config := DockerConfig{
-			Auths: map[string]DockerAuth{
-				registry: {
-					Username: username,
-					Password: jsonKey,
-					Auth:     authString,
-				},
-			},
-		}
-
-		// Write the Docker config
-		configBytes, err := json.Marshal(config)
-		if err != nil {
-			return fmt.Errorf("failed to marshal Docker config: %v", err)
-		}
-
-		dockerConfigPath := filepath.Join(dockerConfigDir, "config.json")
-		if err := ioutil.WriteFile(dockerConfigPath, configBytes, 0644); err != nil {
-			return fmt.Errorf("failed to write Docker config: %v", err)
-		}
-
-		// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
-		if err := os.Setenv("DOCKER_CONFIG", dockerConfigDir); err != nil {
-			return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
-		}
-
-		// Set up crane to use basic auth with docker config
-		opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
-	} else {
-		logrus.Warn("No JSON key provided, authentication may fail if not running with workload identity")
+		// When using GAR with a service account key, the GOOGLE_APPLICATION_CREDENTIALS
+		// environment variable is set, which crane will automatically use
+		logrus.Info("Using Google Application Credentials for authentication")
 	}

 	// Load the image from the tarball