Building containers with Kaniko and Tekton with no access to secrets or storage
Recently I was switching our build system from using Img to using Kaniko as the container build tool. Kaniko seemed to work a lot better with the restrictions in our internal environments and is actively maintained.
Where to begin?
Firstly I would suggest learning about Kaniko from some useful sources including the GitHub repository and the Tekton Task Hub. These all provide a great starting point.
I got a basic image building without too much hassle, but as soon as I needed credentials to log into container registries, I also wanted to validate the varying ways our users provided parameters and give them feedback when something was wrong.
Considering we don't have access to create secrets in this environment, I also need to create the necessary authentication files in the container at run time.
This led me to sit back and ask: how else can I approach this? How can I validate the parameters and inject credentials without mounting a secret?
There were two options that I could think of:
- Create a Dockerfile based on FROM gcr.io/kaniko-project/executor:latest. Whilst this option provides a great deal of control and flexibility, it would require me to maintain a Docker image and keep it in sync with the latest changes. Surely there is a middle ground!
- Use the Script block as part of a Tekton Task, based on a GitLab Kaniko article. This lets us wrap the Kaniko command in a shell script that sets up our requirements, and all of it can be stored as part of our Tekton Task.
Implementing option 2 above, there are a couple of things to note:
A. Base Container
Kaniko provides a debug version of the executor which includes a busybox version of bash. You will need to switch to this image, FROM gcr.io/kaniko-project/executor:debug, as well as changing the shebang/interpreter to
B. Create the shell script
The following script optionally turns Tekton Parameters into the required Docker credential file /kaniko/.docker/config.json and handles validation as well as manipulation of the parameters provided.
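As an added illustration of the shape such a wrapper can take (this is not the script from the original post), the following assumes the Tekton parameters reach the step as the environment variables IMAGE, CONTEXT, REGISTRY, REGISTRY_USER, REGISTRY_PASSWORD and EXTRA_ARGS (names chosen here), validates them, writes /kaniko/.docker/config.json only when credentials were supplied, and then hands off to the executor.

```shell
#!/bin/sh
# Added example, not the post's own script. Tekton params are assumed to arrive as
# env vars: IMAGE, CONTEXT, REGISTRY, REGISTRY_USER, REGISTRY_PASSWORD, EXTRA_ARGS.
# Inside the kaniko debug image, point the shebang at the busybox shell it ships.
set -eu

# Fail with a readable message when a required parameter is empty.
require_param() {
  eval "value=\${$1:-}"
  if [ -z "$value" ]; then
    echo "ERROR: parameter $1 is required but was empty" >&2
    return 1
  fi
}

# Accept the forms users type (scheme, trailing slash) and map Docker Hub
# to the key Docker's config.json uses for it.
normalize_registry() {
  r="${1#https://}"; r="${r#http://}"; r="${r%/}"
  case "$r" in
    docker.io|index.docker.io) r="https://index.docker.io/v1/" ;;
  esac
  printf '%s' "$r"
}

# Write config.json for one registry. It holds a credential, so it is created
# owner-only; the umask change is kept in a subshell so it does not leak.
write_docker_config() {
  registry="$(normalize_registry "$1")"
  auth="$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')"
  mkdir -p "$4"
  ( umask 077; printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth" > "$4/config.json" )
}

# Entry point for the Tekton step: validate, create the credential file, run the build.
main() {
  require_param IMAGE
  require_param CONTEXT
  if [ -n "${REGISTRY_USER:-}" ] || [ -n "${REGISTRY_PASSWORD:-}" ]; then
    require_param REGISTRY; require_param REGISTRY_USER; require_param REGISTRY_PASSWORD
    write_docker_config "$REGISTRY" "$REGISTRY_USER" "$REGISTRY_PASSWORD" /kaniko/.docker
  else
    echo "No registry credentials given; pushing without authentication" >&2
  fi
  # EXTRA_ARGS is intentionally unquoted so it splits into separate flags.
  exec /kaniko/executor --context "$CONTEXT" --destination "$IMAGE" ${EXTRA_ARGS:-}
}

# Start the build only inside the kaniko image; elsewhere this just defines the functions.
if [ -x /kaniko/executor ]; then main; fi
```

Because the credential file is written by the step itself, nothing sensitive needs to exist as a Kubernetes Secret or on a persistent volume; it lives only in the ephemeral container filesystem for the lifetime of the build.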
C. Create Tekton Task
Create the Task using the shell script.