Error checking push permissions when using kaniko to build an image with a tag name containing `/`

SchroedingersCat · November 1, 2023, 11:21am

I’m using kaniko to build a docker image and upload it to my self-hosted GitLab’s registry. This works fine, but as soon as I’m pushing a tag containing the character /, like ubuntu-20-04/2023-11-01, the process fails very early with the following error:

error checking push permissions – make sure you entered the correct tag name, and that you are authenticated correctly, and try again: getting tag for destination: repository can only contain the characters abcdefghijklmnopqrstuvwxyz0123456789_-./: software/docker-image-tests:ubuntu-20-04/2023-11-01

The GitLab instance is on v16.5.0 on Ubuntu Server 22.04 and the runner is on v16.4.1 on Arch Linux.

The .gitlab-ci.yml looks like this:

build:
  stage: build
  tags:
    - linux-x64
  image:
    name: gcr.io/kaniko-project/executor:v1.14.0-debug
    entrypoint: [""]
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  script:
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
      --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}"

When pushing the tag ubuntu-20-04-2023-11-01, the image is built correctly. So it’s clearly related to the character / in the tag name. However, the error message itself states that this character is allowed to use, so this is rather confusing.

Any ideas?

balonik · November 2, 2023, 2:23pm

/ is not valid character in tag. You are misreading the message, it says the repository can only contain such characters, not tag.

From Docker documentation:

The tag must be valid ASCII and can contain lowercase and uppercase letters, digits, underscores, periods, and hyphens. It cannot start with a period or hyphen and must be no longer than 128 characters.

SchroedingersCat · November 2, 2023, 2:35pm

I see, thanks a lot!

kil · November 5, 2023, 1:16pm

build:
  stage: build
  tags:
    - linux-x64
  image:
    name: gcr.io/kaniko-project/executor:v1.14.0-debug
    entrypoint: [""]
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE:${CI_COMMIT_REF_SLUG//\//-}
  script:
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
      --destination "$IMAGE_TAG"

In the IMAGE_TAG line, ${CI_COMMIT_REF_SLUG//\//-} uses shell parameter expansion to replace all occurrences of / with -. This change ensures that your tag will not contain the slash character, which should resolve the error you’re encountering.

SchroedingersCat · November 8, 2023, 10:23am

With these changes, the image builds successfully but it doesn’t show up in the image registry due to the change in the line --destination. Where did the image go after building and is there a way to get the image into the registry?