google / go-containerregistry

Go library and CLIs for working with container registries
Apache License 2.0

Include credential helper binaries in Docker image for crane #731

Open Tommyf opened 4 years ago

Tommyf commented 4 years ago

It would greatly ease using crane in a CI/CD pipeline if it was able to make use of the credential helpers mentioned in https://github.com/google/go-containerregistry/tree/master/pkg/authn

As it stands, you need to use another method to get the login credentials into the running container. Not a hard problem to solve, but not as elegant as using credential helpers, which is the recommended way anyway.

Kaniko bundles the common helpers (AWS, GCP) in, so it seems feasible to bundle them in to the official Crane docker image too.

jonjohnsonjr commented 4 years ago

That's an interesting idea. I'd be somewhat reluctant to maintain that kind of thing, since I don't have any personal interest in running stuff on AWS or Azure... I also don't want to bloat the image with unused credential helpers if we can avoid it.

If you're running on GCP, the gcrane version might work for you.

Ideally, we could reuse kaniko's work and just rebase our images onto their "credential helper" image.

I also don't love the idea of implicitly endorsing just AWS/GCP/Azure by having only support for their credential helpers, when there are so many other registries.

Tommyf commented 4 years ago

I understand not wanting to bloat. Is it possible to have some tag that includes credential helpers? Or does that also get too ugly to maintain?

I'm actually running on AWS. Otherwise, yeah, I would likely use the gcrane version.

Do the myriad of other registries also have credential helper tools? It's my understanding that these helpers exist for the cloud provider registries as they are primarily used when running somewhere with instance metadata exposed. That would narrow it down to just the bigger cloud provider hosted registries surely? Maybe that is still a big list...

rcollette commented 3 years ago

I'm piggybacking off of Kaniko this way.

FROM golang:1.15-alpine as build
RUN apk --no-cache add git && \
    CGO_ENABLED=0 GOOS=linux go get -u -ldflags '-extldflags "-static" -w -s' github.com/google/go-containerregistry/cmd/crane

FROM gcr.io/kaniko-project/executor:debug
COPY --from=build /go/bin/crane /usr/local/bin/crane
ENTRYPOINT [""]

(credit to Victor Noel here https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4712)

I added the necessary credential helper entries in /kaniko/.docker/config.json. If I go into the /kaniko directory, the crane commands work from there.
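An added diagnostic, not part of the thread or the project's code: it shows which `docker-credential-*` binary a Docker-style `config.json` selects for a registry through `credHelpers` or `credsStore`, and whether that binary is on `PATH` in the image. The function names, the sample config and the account ID in it are constructed for illustration, and the lookup is simplified to an exact host match.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
)

// dockerConfig holds the two config.json fields that select a credential helper.
type dockerConfig struct {
	CredsStore  string            `json:"credsStore"`
	CredHelpers map[string]string `json:"credHelpers"`
}

// Constructed sample config; the ECR account ID is a placeholder.
const sampleConfig = `{
  "credHelpers": {
    "123456789012.dkr.ecr.us-east-1.amazonaws.com": "ecr-login",
    "gcr.io": "gcr"
  }
}`

// helperFor returns the helper binary name configured for registry,
// or "" when neither a per-registry helper nor a default store is set.
func helperFor(raw []byte, registry string) (string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", fmt.Errorf("parse config.json: %w", err)
	}
	if h := cfg.CredHelpers[registry]; h != "" {
		return "docker-credential-" + h, nil // per-registry entry wins
	}
	if cfg.CredsStore != "" {
		return "docker-credential-" + cfg.CredsStore, nil // default store
	}
	return "", nil
}

// onPath reports whether the helper binary can be found via PATH.
func onPath(binary string) bool {
	_, err := exec.LookPath(binary)
	return err == nil
}

func main() {
	for _, reg := range []string{"123456789012.dkr.ecr.us-east-1.amazonaws.com", "docker.io"} {
		bin, err := helperFor([]byte(sampleConfig), reg)
		switch {
		case err != nil:
			fmt.Println("error:", err)
		case bin == "":
			fmt.Printf("%s: no helper configured\n", reg)
		default:
			fmt.Printf("%s: %s (on PATH: %v)\n", reg, bin, onPath(bin))
		}
	}
}
```
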

github-actions[bot] commented 3 years ago

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

timwsuqld commented 3 years ago

/remove-lifecycle stale

sachin2411 commented 11 months ago

Hello, I am struggling to retag an image built using kaniko in ECR using the credential helper inside the crane container. The issue I face is 401 not authorized. Any leads would be appreciated.

sbp-bvanb commented 6 days ago

Could someone indicate what is the current status of this?