Building containers with Kaniko and Tekton with no access to secrets or storage
Recently I was switching our build system from using Img to using Kaniko as the container build tool. Kaniko seemed to work a lot better with the restrictions in our internal environments and is actively maintained.
Where to begin?
Firstly, I would suggest learning about Kaniko from some useful sources, including the GitHub repository and the Tekton Task Hub. These all provide a great starting point.
I got a basic image building without too much hassle, but as soon as I needed to use credentials to log in to container registries, I wanted to validate and handle the varying ways our users provided parameters and provide feedback when needed.
Considering we don't have access to create secrets in this environment, I also need to create the necessary authentication files in the container at run time.
This led me to sit back and ask: how else can I approach this? How can I validate the parameters and inject credentials without mounting a secret?
The options
There were two options that I could think of:
- Create a Dockerfile based on FROM gcr.io/kaniko-project/executor:latest. Whilst this option provides a great amount of control and flexibility, it would require me to maintain a Docker image and keep it in sync with the latest changes. Surely there is a middle ground!
- Use the Script block as part of a Tekton Task, based on a GitLab Kaniko article. This allows us to wrap the Kaniko command with a shell script to set up our requirements, and all of this can be stored as part of our Tekton Task.
The solution
Implementing option 2 above, there are a couple of things to note.
A. Base Container
Kaniko provides a debug version of the executor which includes a busybox version of bash. You will need to switch to this image, FROM gcr.io/kaniko-project/executor:debug, as well as change the shebang/interpreter to #!/busybox/sh.
B. Create the shell script
The following script optionally turns Tekton Parameters into the required Docker credential file /kaniko/.docker/config.json and handles validation as well as manipulation of the parameters provided. The credential file has the following form (the trailing comma after the password entry would make it invalid JSON, so it is omitted here):

```json
{
  "auths": {
    "registry:port": {
      "username": "xxxxxxxxxxxxxxx",
      "password": "xxxxxxxxxxxxxxx"
    }
  }
}
```
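One way to write the script described above, as an added example rather than the post's own script: it validates the registry, username and password parameters, normalises the registry value users pass in, escapes the values so they cannot break the JSON, and writes /kaniko/.docker/config.json with owner-only permissions. The function names and the assumption that the Task hands its params to the step as the environment variables REGISTRY, REGISTRY_USER and REGISTRY_PASSWORD are mine, not from the post.

```shell
#!/bin/sh
# Inside the Tekton Task this sits under `script:` with `#!/busybox/sh` as its first line
# (the :debug executor image); /bin/sh here lets it also run on a workstation. Assumed,
# not from the post: the step receives params as REGISTRY, REGISTRY_USER, REGISTRY_PASSWORD.
# Escape backslashes and double quotes so a password cannot break out of the JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Normalise the registry users pass in: drop an http(s):// scheme and a trailing slash.
normalise_registry() {
    r="$1"
    r="${r#https://}"
    r="${r#http://}"
    printf '%s' "${r%/}"
}

# Validate registry/username/password and write the credential file to $4.
# Returns 0 when the file was written, 2 when no credentials were given (anonymous
# build, nothing written) and 1 on a validation failure with the reason on stderr.
write_kaniko_config() {
    registry=$(normalise_registry "$1")
    user="$2"
    pass="$3"
    out="$4"
    if [ -z "$user" ] && [ -z "$pass" ]; then
        echo "no registry credentials supplied; skipping config.json" >&2
        return 2
    fi
    if [ -z "$registry" ] || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "error: registry, username and password must all be supplied together" >&2
        return 1
    fi
    mkdir -p "$(dirname "$out")"
    # Subshell so the owner-only umask does not leak into the rest of the step.
    ( umask 077; cat > "$out" <<EOF
{
  "auths": {
    "$(json_escape "$registry")": {
      "username": "$(json_escape "$user")",
      "password": "$(json_escape "$pass")"
    }
  }
}
EOF
    )
}

# In the Task the step then goes on to call /kaniko/executor:
# write_kaniko_config "$REGISTRY" "$REGISTRY_USER" "$REGISTRY_PASSWORD" /kaniko/.docker/config.json
```

A return code of 1 should abort the step (set -e or an explicit exit) so a half-configured build never reaches the registry, while 2 lets an intentionally anonymous build continue.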
C. Create Tekton Task
Create the Task using the shell script.
Show your support
Thanks for reading! If you made it this far, show your support if this helped you:
- 💬 Follow me on Twitter
- 🙏 Join my opensource project and help contribute