Add credential helper and docs for pushing to Amazon ECR

README.md

@@ -142,8 +142,58 @@ To run kaniko in Docker, run the following command:
 
 kaniko uses Docker credential helpers to push images to a registry.
 
-kaniko comes with support for GCR, but configuring another credential helper should allow pushing to a different registry.
+kaniko comes with support for GCR and Amazon ECR, but configuring another credential helper should allow pushing to a different registry.
 
+#### Pushing to Amazon ECR
+The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built in to the kaniko executor image.
+To configure credentials, you will need to do the following:
+1. Update the `credHelpers` section of [config.json](https://github.com/GoogleContainerTools/kaniko/blob/master/files/config.json) with the specific URI of your ECR registry:
+```json
+{
+	"credHelpers": {
+		"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
+	}
+}
+```
+You can mount in the new config as a configMap:
+```shell
+kubectl create configmap docker-config --from-file=<path to config.json>
+```
+2. Create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster.
+To create the secret, run:
+
+```shell
+kubectl create secret generic aws-secret --from-file=<path to .aws/credentials>
+```
+
+The Kubernetes Pod spec should look similar to this, with the args parameters filled in:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kaniko
+spec:
+  containers:
+  - name: kaniko
+    image: gcr.io/kaniko-project/executor:latest
+    args: ["--dockerfile=<path to Dockerfile>",
+            "--context=<path to build context>",
+            "--destination=<aws_account_id.dkr.ecr.region.amazonaws.com/my-repository:my-tag>"]
+    volumeMounts:
+      - name: aws-secret
+        mountPath: /root/.aws/
+      - name: docker-config
+        mountPath: /root/.docker/
+  restartPolicy: Never
+  volumes:
+    - name: aws-secret
+      secret:
+        secretName: aws-secret
+    - name: docker-config
+      configMap:
+        name: docker-config
+```
 ### Debug Image
 
 We provide `gcr.io/kaniko-project/executor:debug` as a a version of the executor image based off a Debian image. 

deploy/Dockerfile

@@ -21,10 +21,15 @@ RUN make
 WORKDIR /usr/local/bin
 ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3-static/docker-credential-gcr_linux_amd64-1.4.3.tar.gz .
 RUN tar -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.4.3.tar.gz
+# Get Amazon ECR credential helper
+RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login
+WORKDIR /go/src/github.com/awslabs/amazon-ecr-credential-helper
+RUN make linux-amd64
 
 FROM scratch
 COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
 COPY --from=0 /usr/local/bin/docker-credential-gcr /usr/local/bin/docker-credential-gcr
+COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/ /usr/local/bin/
 COPY files/ca-certificates.crt /kaniko/ssl/certs/
 COPY files/config.json /root/.docker/
 RUN ["docker-credential-gcr", "config", "--token-source=env"]