Merge pull request #1466 from garethjevans/docker-creds

priyawadhwa · web-flow · commit 1310d7d93ad6 · 2019-01-17T11:43:51.000-08:00
feat(docker creds) can mount docker config into kaniko pod
diff --git a/examples/annotated-skaffold.yaml b/examples/annotated-skaffold.yaml
@@ -140,6 +140,9 @@ build:
   #   namespace: default
   #   timeout: 20m
   #   image: defaults to the latest released version of `gcr.io/kaniko-project/executor`
+  #   dockerConfig:
+  #     path: path to the docker config.json
+  #     secretName: docker-cfg
 
 # The deploy section has all the information needed to deploy. Along with build:
 # it is a required section.
diff --git a/integration/examples/annotated-skaffold.yaml b/integration/examples/annotated-skaffold.yaml
@@ -140,6 +140,9 @@ build:
   #   namespace: default
   #   timeout: 20m
   #   image: defaults to the latest released version of `gcr.io/kaniko-project/executor`
+  #   dockerConfig:
+  #     path: path to the docker config.json
+  #     secretName: docker-cfg
 
 # The deploy section has all the information needed to deploy. Along with build:
 # it is a required section.
diff --git a/pkg/skaffold/build/kaniko/kaniko.go b/pkg/skaffold/build/kaniko/kaniko.go
@@ -29,11 +29,19 @@ import (
 
 // Build builds a list of artifacts with Kaniko.
 func (b *Builder) Build(ctx context.Context, out io.Writer, tagger tag.Tagger, artifacts []*latest.Artifact) ([]build.Artifact, error) {
-	teardown, err := b.setupSecret(out)
+	teardownPullSecret, err := b.setupPullSecret(out)
 	if err != nil {
-		return nil, errors.Wrap(err, "setting up secret")
+		return nil, errors.Wrap(err, "setting up pull secret")
+	}
+	defer teardownPullSecret()
+
+	if b.DockerConfig != nil {
+		teardownDockerConfigSecret, err := b.setupDockerConfigSecret(out)
+		if err != nil {
+			return nil, errors.Wrap(err, "setting up docker config secret")
+		}
+		defer teardownDockerConfigSecret()
 	}
-	defer teardown()
 
 	return build.InParallel(ctx, out, tagger, artifacts, b.buildArtifactWithKaniko)
 }
diff --git a/pkg/skaffold/build/kaniko/secret.go b/pkg/skaffold/build/kaniko/secret.go
@@ -29,7 +29,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func (b *Builder) setupSecret(out io.Writer) (func(), error) {
+func (b *Builder) setupPullSecret(out io.Writer) (func(), error) {
 	color.Default.Fprintf(out, "Creating kaniko secret [%s]...\n", b.PullSecretName)
 
 	client, err := kubernetes.GetClientset()
@@ -51,7 +51,7 @@ func (b *Builder) setupSecret(out io.Writer) (func(), error) {
 
 	secretData, err := ioutil.ReadFile(b.PullSecret)
 	if err != nil {
-		return nil, errors.Wrap(err, "reading secret")
+		return nil, errors.Wrap(err, "reading pull secret")
 	}
 
 	secret := &v1.Secret{
@@ -65,12 +65,62 @@ func (b *Builder) setupSecret(out io.Writer) (func(), error) {
 	}
 
 	if _, err := secrets.Create(secret); err != nil {
-		return nil, errors.Wrapf(err, "creating secret: %s", err)
+		return nil, errors.Wrapf(err, "creating pull secret: %s", err)
 	}
 
 	return func() {
 		if err := secrets.Delete(b.PullSecretName, &metav1.DeleteOptions{}); err != nil {
-			logrus.Warnf("deleting secret")
+			logrus.Warnf("deleting pull secret")
+		}
+	}, nil
+}
+
+func (b *Builder) setupDockerConfigSecret(out io.Writer) (func(), error) {
+	if b.DockerConfig == nil {
+		return func() {}, nil
+	}
+
+	color.Default.Fprintf(out, "Creating docker config secret [%s]...\n", b.DockerConfig.SecretName)
+
+	client, err := kubernetes.GetClientset()
+	if err != nil {
+		return nil, errors.Wrap(err, "getting kubernetes client")
+	}
+
+	secrets := client.CoreV1().Secrets(b.Namespace)
+
+	if b.DockerConfig.Path == "" {
+		logrus.Debug("No docker config specified. Checking for one in the cluster.")
+
+		if _, err := secrets.Get(b.DockerConfig.SecretName, metav1.GetOptions{}); err != nil {
+			return nil, errors.Wrap(err, "checking for existing kaniko secret")
+		}
+
+		return func() {}, nil
+	}
+
+	secretData, err := ioutil.ReadFile(b.DockerConfig.Path)
+	if err != nil {
+		return nil, errors.Wrap(err, "reading docker config")
+	}
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   b.DockerConfig.SecretName,
+			Labels: map[string]string{"skaffold-kaniko": "skaffold-kaniko"},
+		},
+		Data: map[string][]byte{
+			"config.json": secretData,
+		},
+	}
+
+	if _, err := secrets.Create(secret); err != nil {
+		return nil, errors.Wrapf(err, "creating docker config secret: %s", err)
+	}
+
+	return func() {
+		if err := secrets.Delete(b.DockerConfig.SecretName, &metav1.DeleteOptions{}); err != nil {
+			logrus.Warnf("deleting docker config secret")
 		}
 	}, nil
 }
diff --git a/pkg/skaffold/build/kaniko/sources/sources.go b/pkg/skaffold/build/kaniko/sources/sources.go
@@ -48,7 +48,7 @@ func Retrieve(cfg *latest.KanikoBuild) BuildContextSource {
 }
 
 func podTemplate(cfg *latest.KanikoBuild, args []string) *v1.Pod {
-	return &v1.Pod{
+	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "kaniko-",
 			Labels:       map[string]string{"skaffold-kaniko": "skaffold-kaniko"},
@@ -81,7 +81,32 @@ func podTemplate(cfg *latest.KanikoBuild, args []string) *v1.Pod {
 						SecretName: cfg.PullSecretName,
 					},
 				},
-			}},
+			},
+			},
 		},
 	}
+
+	if cfg.DockerConfig == nil {
+		return pod
+	}
+
+	volumeMount := v1.VolumeMount{
+		Name:      constants.DefaultKanikoDockerConfigSecretName,
+		MountPath: constants.DefaultKanikoDockerConfigPath,
+	}
+
+	pod.Spec.Containers[0].VolumeMounts = append(pod.Spec.Containers[0].VolumeMounts, volumeMount)
+
+	volume := v1.Volume{
+		Name: constants.DefaultKanikoDockerConfigSecretName,
+		VolumeSource: v1.VolumeSource{
+			Secret: &v1.SecretVolumeSource{
+				SecretName: cfg.DockerConfig.SecretName,
+			},
+		},
+	}
+
+	pod.Spec.Volumes = append(pod.Spec.Volumes, volume)
+
+	return pod
 }
diff --git a/pkg/skaffold/constants/constants.go b/pkg/skaffold/constants/constants.go
@@ -47,12 +47,14 @@ const (
 
 	DefaultKustomizationPath = "."
 
-	DefaultKanikoImage             = "gcr.io/kaniko-project/executor:v0.7.0@sha256:0b4e0812aa17c54a9b8d8c8d7cb35559a892a341650acf7cb428c3e8cb4a3919"
-	DefaultKanikoSecretName        = "kaniko-secret"
-	DefaultKanikoTimeout           = "20m"
-	DefaultKanikoContainerName     = "kaniko"
-	DefaultKanikoEmptyDirName      = "kaniko-emptydir"
-	DefaultKanikoEmptyDirMountPath = "/kaniko/buildcontext"
+	DefaultKanikoImage                  = "gcr.io/kaniko-project/executor:v0.7.0@sha256:0b4e0812aa17c54a9b8d8c8d7cb35559a892a341650acf7cb428c3e8cb4a3919"
+	DefaultKanikoSecretName             = "kaniko-secret"
+	DefaultKanikoTimeout                = "20m"
+	DefaultKanikoContainerName          = "kaniko"
+	DefaultKanikoEmptyDirName           = "kaniko-emptydir"
+	DefaultKanikoEmptyDirMountPath      = "/kaniko/buildcontext"
+	DefaultKanikoDockerConfigSecretName = "docker-cfg"
+	DefaultKanikoDockerConfigPath       = "/kaniko/.docker"
 
 	DefaultBusyboxImage = "busybox"
 
diff --git a/pkg/skaffold/schema/defaults/defaults.go b/pkg/skaffold/schema/defaults/defaults.go
@@ -43,6 +43,7 @@ func Set(c *latest.SkaffoldPipeline) error {
 		setDefaultKanikoNamespace,
 		setDefaultKanikoSecret,
 		setDefaultKanikoBuildContext,
+		setDefaultDockerConfigSecret,
 	); err != nil {
 		return err
 	}
@@ -175,6 +176,26 @@ func setDefaultKanikoSecret(kaniko *latest.KanikoBuild) error {
 	return nil
 }
 
+func setDefaultDockerConfigSecret(kaniko *latest.KanikoBuild) error {
+	if kaniko.DockerConfig == nil {
+		return nil
+	}
+
+	kaniko.DockerConfig.SecretName = valueOrDefault(kaniko.DockerConfig.SecretName, constants.DefaultKanikoDockerConfigSecretName)
+
+	if kaniko.DockerConfig.Path != "" {
+		absPath, err := homedir.Expand(kaniko.DockerConfig.Path)
+		if err != nil {
+			return fmt.Errorf("unable to expand dockerConfig.path %s", kaniko.DockerConfig.Path)
+		}
+
+		kaniko.DockerConfig.Path = absPath
+		return nil
+	}
+
+	return nil
+}
+
 func setDefaultKanikoBuildContext(kaniko *latest.KanikoBuild) error {
 	if kaniko.BuildContext == nil {
 		kaniko.BuildContext = &latest.KanikoBuildContext{
diff --git a/pkg/skaffold/schema/latest/config.go b/pkg/skaffold/schema/latest/config.go
@@ -126,6 +126,13 @@ type KanikoBuild struct {
 	Namespace       string              `yaml:"namespace,omitempty"`
 	Timeout         string              `yaml:"timeout,omitempty"`
 	Image           string              `yaml:"image,omitempty"`
+	DockerConfig    *DockerConfig       `yaml:"dockerConfig,omitempty"`
+}
+
+// DockerConfig contains information about the docker config.json to mount
+type DockerConfig struct {
+	Path       string `yaml:"path,omitempty"`
+	SecretName string `yaml:"secretName,omitempty"`
 }
 
 type TestConfig []*TestCase
diff --git a/pkg/skaffold/schema/versions_test.go b/pkg/skaffold/schema/versions_test.go
@@ -88,6 +88,9 @@ build:
     pullSecretName: secret-name
     namespace: nskaniko
     timeout: 120m
+    dockerConfig:
+      secretName: config-name
+      path: /kaniko/.docker
 `
 	badConfig = "bad config"
 )
@@ -169,6 +172,7 @@ func TestParseConfig(t *testing.T) {
 			expected: config(
 				withKanikoBuild("demo", "secret-name", "nskaniko", "/secret.json", "120m",
 					withGitTagger(),
+					withDockerConfig("config-name", "/kaniko/.docker"),
 				),
 				withKubectlDeploy("k8s/*.yaml"),
 			),
@@ -264,6 +268,15 @@ func withKanikoBuild(bucket, secretName, namespace, secret string, timeout strin
 	}
 }
 
+func withDockerConfig(secretName string, path string) func(*latest.BuildConfig) {
+	return func(cfg *latest.BuildConfig) {
+		cfg.KanikoBuild.DockerConfig = &latest.DockerConfig{
+			SecretName: secretName,
+			Path:       path,
+		}
+	}
+}
+
 func withKubectlDeploy(manifests ...string) func(*latest.SkaffoldPipeline) {
 	return func(cfg *latest.SkaffoldPipeline) {
 		cfg.Deploy = latest.DeployConfig{
