Kaniko and Tekton Tasks

Building containers with Kaniko and Tekton with no access to secrets or storage

Tyson Lawrie

--

Recently I was switching our build system from using Img to using Kaniko as the container build tool. Kaniko seemed to work a lot better with the restrictions in our internal environments and is actively maintained.

Where to begin?

Firstly I would suggest learning about Kaniko from some useful sources including the GitHub repository and the Tekton Task Hub. These all provide a great starting point.

I got a basic image building without too much hassle, but as soon as I needed to use credentials to log into container registries, I wanted to validate and handle the varying ways our users provided parameters and provide feedback when needed.

Considering we don’t have access to create secrets in this environment, I also needed to create the necessary authentication files inside the container at run time.

This led me to sit back and ask: how else can I approach this? How can I validate the parameters and inject credentials without mounting a secret?

The options

There were two options that I could think of:

  1. Create a Dockerfile based on FROM gcr.io/kaniko-project/executor:latest. Whilst this option provides a great amount of control and flexibility, it would require me to maintain a Docker image and keep it in sync with the latest changes. Surely there is a middle ground!
  2. Use the Script block as part of a Tekton Task based on a GitLab Kaniko article. This allows us to wrap the Kaniko command with a shell script to set up our requirements and all of this can be stored as part of our Tekton Task.

The solution

Implementing option 2 above, there are a couple of things to note:

A. Base Container

Kaniko provides a debug version of the executor which includes BusyBox, and with it a shell. You will need to switch to this image (FROM gcr.io/kaniko-project/executor:debug) and change the shebang/interpreter of your script to #!/busybox/sh.

B. Create the shell script

The following script optionally turns Tekton Parameters into the Docker credential file Kaniko reads, /kaniko/.docker/config.json, and handles validation as well as manipulation of the parameters provided. The file it produces has this shape (the trailing comma after the password has been removed, as it is not valid JSON):

```json
{
  "auths": {
    "registry:port": {
      "username": "xxxxxxxxxxxxxxx",
      "password": "xxxxxxxxxxxxxxx"
    }
  }
}
```

C. Create Tekton Task

Create the Task using the shell script.
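As an added example (not the script or Task from the original post), here is the validation and credential-file step from B written in plain BusyBox/POSIX sh, as it would sit inside the Task's script block from C. The parameter names (registry, username, password) are assumed, and the file is written using the base64 "auth" field rather than the username/password pair shown above, so that no user-supplied value has to be JSON-escaped:

```shell
#!/busybox/sh
# Added example: build /kaniko/.docker/config.json from Tekton params with no Secret mount.
# In the Task, Tekton substitutes $(params.registry) etc. into the call at the bottom;
# those parameter names are an assumption of this example.

# validate_registry HOST[:PORT] -> 0 if it looks like a registry key, 1 otherwise.
# Rejects quotes, braces, whitespace and anything else that could alter the JSON we emit.
validate_registry() {
    case "$1" in
        ''|*[!A-Za-z0-9.:/_-]*) return 1 ;;
    esac
    return 0
}

# make_auth USER PASS -> prints base64("USER:PASS") on one line (the docker "auth" field).
# Base64 needs no JSON escaping, so passwords with quotes or backslashes are safe to embed.
make_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# write_docker_config FILE REGISTRY USER PASS -> writes FILE, returns 1 on bad input.
write_docker_config() {
    _file=$1; _registry=$2; _user=$3; _pass=$4
    if ! validate_registry "$_registry"; then
        echo "invalid registry value: '$_registry'" >&2
        return 1
    fi
    if [ -z "$_user" ] || [ -z "$_pass" ]; then
        echo "username and password are both required for $_registry" >&2
        return 1
    fi
    mkdir -p "$(dirname "$_file")"
    # Subshell umask: the credential file is created 0600, readable by this step only.
    ( umask 077
      printf '{\n  "auths": {\n    "%s": {\n      "auth": "%s"\n    }\n  }\n}\n' \
          "$_registry" "$(make_auth "$_user" "$_pass")" > "$_file" )
}

# Usage inside the Tekton step (parameter names assumed), followed by the executor:
#   write_docker_config /kaniko/.docker/config.json \
#       "$(params.registry)" "$(params.username)" "$(params.password)" || exit 1
#   /kaniko/executor --dockerfile=Dockerfile --context=dir://workspace --destination="$(params.image)"
```

Values passed as TaskRun parameters are stored in the TaskRun object, so restrict who can read TaskRuns in that namespace if credentials travel this way.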

Show your support

Thanks for reading! If you made it this far, show your support if this helped you:
- 💬 Follow me on Twitter
- 🙏 Join my open-source project and help contribute

--


Tyson Lawrie

A software engineer and automation enthusiast, made in Australia, ex-New Yorker. Building flowabl.io and userprofiles.io. Maintaining useboomerang.io.