From 8a020010b75852d5180f20f768fd09458175fd46 Mon Sep 17 00:00:00 2001 From: Sam Stoelinga Date: Sun, 15 Mar 2020 19:33:22 -0700 Subject: [PATCH] Add ability to use public GCR image Kaniko by default used to configure the GCR credential helper however this caused Kaniko to fail when trying to use a base image from a public GCR image. This patch makes it possible to use public GCR images as base image when using docker even when you're not authenticated to GCR. Co-authored-by: Nate Williams --- deploy/Dockerfile | 2 -- deploy/Dockerfile_debug | 2 -- deploy/Dockerfile_warmer | 2 -- pkg/executor/push.go | 9 +++++++++ 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/deploy/Dockerfile b/deploy/Dockerfile index 2e1b1fb9b..4a9ec93ac 100644 --- a/deploy/Dockerfile +++ b/deploy/Dockerfile @@ -20,7 +20,6 @@ WORKDIR /go/src/github.com/GoogleContainerTools/kaniko # Get GCR credential helper ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.5.0/docker-credential-gcr_linux_amd64-1.5.0.tar.gz /usr/local/bin/ RUN tar -C /usr/local/bin/ -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.5.0.tar.gz -RUN docker-credential-gcr configure-docker # Get Amazon ECR credential helper RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper linux-amd64 @@ -37,7 +36,6 @@ COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/docker-credential-ecr-login /kaniko/docker-credential-ecr-login COPY --from=0 /usr/local/bin/docker-credential-acr-linux /kaniko/docker-credential-acr-linux COPY files/ca-certificates.crt /kaniko/ssl/certs/ -COPY --from=0 /root/.docker/config.json /kaniko/.docker/config.json ENV HOME /root ENV USER /root ENV PATH /usr/local/bin:/kaniko 
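Review bot: The GCR helper tarball in this hunk's context is fetched with `ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.5.0/docker-credential-gcr_linux_amd64-1.5.0.tar.gz` and unpacked with no digest check, yet the extracted binary is what the image ships as `/kaniko/docker-credential-gcr` and what handles registry credentials. I would verify it before the `tar` step, for example `RUN echo "<EXPECTED_SHA256>  /usr/local/bin/docker-credential-gcr_linux_amd64-1.5.0.tar.gz" | sha256sum -c -`, where the digest is a placeholder to fill in from the release and `sha256sum` is assumed to exist in the build stage. The `go get -u` of the ECR helper just below is likewise unpinned. The same lines appear in the matching hunks of deploy/Dockerfile_debug and deploy/Dockerfile_warmer.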
diff --git a/deploy/Dockerfile_debug b/deploy/Dockerfile_debug index e9ccf15e3..197c80841 100644 --- a/deploy/Dockerfile_debug +++ b/deploy/Dockerfile_debug @@ -21,7 +21,6 @@ WORKDIR /go/src/github.com/GoogleContainerTools/kaniko # Get GCR credential helper ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.5.0/docker-credential-gcr_linux_amd64-1.5.0.tar.gz /usr/local/bin/ RUN tar -C /usr/local/bin/ -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.5.0.tar.gz -RUN docker-credential-gcr configure-docker # Get Amazon ECR credential helper RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper linux-amd64 @@ -43,7 +42,6 @@ COPY --from=1 /distroless/bazel-bin/experimental/busybox/busybox/ /busybox/ # Declare /busybox as a volume to get it automatically whitelisted VOLUME /busybox COPY files/ca-certificates.crt /kaniko/ssl/certs/ -COPY --from=0 /root/.docker/config.json /kaniko/.docker/config.json ENV HOME /root ENV USER /root ENV PATH /usr/local/bin:/kaniko:/busybox diff --git a/deploy/Dockerfile_warmer b/deploy/Dockerfile_warmer index d33d2d74b..3163e746a 100644 --- a/deploy/Dockerfile_warmer +++ b/deploy/Dockerfile_warmer @@ -20,7 +20,6 @@ WORKDIR /go/src/github.com/GoogleContainerTools/kaniko # Get GCR credential helper ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.5.0/docker-credential-gcr_linux_amd64-1.5.0.tar.gz /usr/local/bin/ RUN tar -C /usr/local/bin/ -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.5.0.tar.gz -RUN docker-credential-gcr configure-docker # Get Amazon ECR credential helper RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper linux-amd64 
@@ -33,7 +32,6 @@ COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/warmer /kaniko/ COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/docker-credential-ecr-login /kaniko/docker-credential-ecr-login COPY files/ca-certificates.crt /kaniko/ssl/certs/ -COPY --from=0 /root/.docker/config.json /kaniko/.docker/config.json ENV HOME /root ENV USER /root ENV PATH /usr/local/bin:/kaniko diff --git a/pkg/executor/push.go b/pkg/executor/push.go index 1141563bc..6128ac7df 100644 --- a/pkg/executor/push.go +++ b/pkg/executor/push.go @@ -24,6 +24,7 @@ import ( "io/ioutil" "net/http" "os" + "os/exec" "path/filepath" "strings" "time" @@ -114,7 +115,15 @@ func CheckPushPermissions(opts *config.KanikoOptions) error { if checked[destRef.Context().RepositoryStr()] { continue } + if strings.Contains(destRef.RegistryStr(), "gcr.io") { + if _, err := os.Stat("/kaniko/.docker/config.json"); os.IsNotExist(err) { + cmd := exec.Command("docker-credential-gcr", "configure-docker") + if err := cmd.Run(); err != nil { + return errors.Wrap(err, "error while configuring docker-credential-gcr helper") + } + } + } registryName := destRef.Repository.Registry.Name() if opts.Insecure || opts.InsecureRegistries.Contains(registryName) { newReg, err := name.NewRegistry(registryName, name.WeakValidation, name.Insecure)
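Review bot: `strings.Contains(destRef.RegistryStr(), "gcr.io")` is a substring test, so any registry host that merely contains that text (a constructed example: `gcr.io.example.internal`) takes the GCR branch; match the host instead, `if reg := destRef.RegistryStr(); reg == "gcr.io" || strings.HasSuffix(reg, ".gcr.io") {`. The helper is also resolved through PATH, which the Dockerfiles in this patch set to `/usr/local/bin:/kaniko`, so whichever `docker-credential-gcr` is found first gets run. Calling the copied binary directly, `exec.Command("/kaniko/docker-credential-gcr", "configure-docker")`, removes that dependency. A Stat error other than not-exist (a permission error, say) is silently treated as "config present", and the hard-coded `/kaniko/.docker/config.json` may not be where the helper writes if DOCKER_CONFIG points elsewhere, which is worth confirming. CheckPushPermissions begins and ends outside this hunk.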