Kaniko fails to authenticate to gitlab.com registry

neuware · November 17, 2020, 7:41am

Hi there.

I’m currently having trouble using kaniko to push my docker image to this project’s docker registry.

As you can see on this merge request, I’ve been trying to introduce a “publish” step in my CI that reproduces almost exactly the doc for using kaniko with gitlab-CI, the only difference is that I’m fetching my binary as an artifact from a previous step, and that my dockerfile is located at $CI_PROJECT_DIR/docker/Dockerfile :

publish:
  stage: publish
  needs:
    - job: build
      artifacts: true
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/docker/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

Whatever I try to do, I’m always getting an authentication error:

error checking push permissions -- make sure you entered the correct tag name, 
and that you are authenticated correctly, and try again: 
checking push permission for "registry.gitlab.com/neuware/xkcd-bot:f4137e95": 
POST https://registry.gitlab.com/v2/neuware/xkcd-bot/blobs/uploads/: 
UNAUTHORIZED: authentication required; 
[map[Action:pull Class: Name:neuware/xkcd-bot Type:repository] map[Action:push Class: Name:neuware/xkcd-bot Type:repository]]

Is there something broken with the current kaniko release, or the doc, or gitlab’s registry, or am I missing something obvious?

neuware · November 21, 2020, 2:01pm

I tried multiple things to reproduce this issue, including building and pushing the same image, using the same version of kaniko executor on my laptop, and I didn’t get any error.

I tried replacing the docker configuration (/kaniko/.docker/config.json) with the auth information I’m using on my laptop : it just won’t work in the CI. I’m always getting this “unauthorized” error message no matter what.

geneerik · January 19, 2021, 6:07pm

I had this working in my pipeline with this setup. it stopped working. Seems kaniko no longer allows username/password directly in the .docker/config.json file. It must not use the base64 encoded value of those combined. gitlab registry works like dockerhub. Here is the kaniko info on auth for dockerhub:

github.com

GoogleContainerTools/kaniko/blob/master/README.md#pushing-to-docker-hub

# kaniko - Build Images In Kubernetes

`NOTE: kaniko is not an officially supported Google product`

[![Build Status](https://travis-ci.com/GoogleContainerTools/kaniko.svg?branch=master)](https://travis-ci.com/GoogleContainerTools/kaniko) [![Go Report Card](https://goreportcard.com/badge/github.com/GoogleContainerTools/kaniko)](https://goreportcard.com/report/github.com/GoogleContainerTools/kaniko)

![kaniko logo](logo/Kaniko-Logo.png)

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.

kaniko doesn't depend on a Docker daemon and executes each command within a Dockerfile completely in userspace.
This enables building container images in environments that can't easily or securely run a Docker daemon, such as a standard Kubernetes cluster.

kaniko is meant to be run as an image: `gcr.io/kaniko-project/executor`. We do **not** recommend running the kaniko executor binary in another image, as it might not work.

We'd love to hear from you!  Join us on [#kaniko Kubernetes Slack](https://kubernetes.slack.com/messages/CQDCHGX7Y/)

:mega: **Please fill out our [quick 5-question survey](https://forms.gle/HhZGEM33x4FUz9Qa6)** so that we can learn how satisfied you are with kaniko, and what improvements we should make. Thank you! :dancers:

This file has been truncated. show original

so it seems Building images with kaniko and GitLab CI/CD | GitLab is a little out of date. As soon as I updated this to base64 auth value, it started working again. heres my line for making the .docker/config.json:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json