From 8d3731a9840dfea3b8aef195483b781fb92cd4e5 Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Wed, 2 May 2018 16:56:14 -0400
Subject: [PATCH 1/5] Add credential helper and docs for pushing to Amazon ECR
---
 README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++-
 deploy/Dockerfile | 5 +++++
 2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a2c5b24f1..a3e72db2c 100644
--- a/README.md
+++ b/README.md
@@ -142,8 +142,58 @@ To run kaniko in Docker, run the following command: kaniko uses Docker credential helpers to push images to a registry. -kaniko comes with support for GCR, but configuring another credential helper should allow pushing to a different registry. +kaniko comes with support for GCR and Amazon ECR, but configuring another credential helper should allow pushing to a different registry. +#### Pushing to Amazon ECR +The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built in to the kaniko executor image. +To configure credentials, you will need to do the following: +1. Update the `credHelpers` section of [config.json](https://github.com/GoogleContainerTools/kaniko/blob/master/files/config.json) with the specific URI of your ECR registry: +```json +{ + "credHelpers": { + "aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login" + } +} +``` +You can mount in the new config as a configMap: +```shell +kubectl create configmap docker-config --from-file= +``` +2. Create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster. +To create the secret, run: + +```shell +kubectl create secret generic aws-secret --from-file= +``` + +The Kubernetes Pod spec should look similar to this, with the args parameters filled in: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: kaniko +spec: + containers: + - name: kaniko + image: gcr.io/kaniko-project/executor:latest + args: ["--dockerfile=", + "--context=", + "--destination="] + volumeMounts: + - name: aws-secret + mountPath: /root/.aws/ + - name: docker-config + mountPath: /root/.docker/ + restartPolicy: Never + volumes: + - name: aws-secret + secret: + secretName: aws-secret + - name: docker-config + configMap: + name: docker-config +``` ### Debug Image We provide `gcr.io/kaniko-project/executor:debug` as a a version of the executor image based off a Debian image. 
diff --git a/deploy/Dockerfile b/deploy/Dockerfile index 1b93031bd..c5863c340 100644 --- a/deploy/Dockerfile +++ b/deploy/Dockerfile @@ -21,10 +21,15 @@ RUN make WORKDIR /usr/local/bin ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3-static/docker-credential-gcr_linux_amd64-1.4.3.tar.gz . RUN tar -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.4.3.tar.gz +# Get Amazon ECR credential helper +RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login +WORKDIR /go/src/github.com/awslabs/amazon-ecr-credential-helper +RUN make linux-amd64 FROM scratch COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor COPY --from=0 /usr/local/bin/docker-credential-gcr /usr/local/bin/docker-credential-gcr +COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/ /usr/local/bin/ COPY files/ca-certificates.crt /kaniko/ssl/certs/ COPY files/config.json /root/.docker/ RUN ["docker-credential-gcr", "config", "--token-source=env"] From 26b8e01697ab926c2cdb6739b56f8e6eb20ef97e Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Thu, 3 May 2018 11:19:02 -0400 Subject: [PATCH 2/5] Remove workdir --- deploy/Dockerfile | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/deploy/Dockerfile b/deploy/Dockerfile index c5863c340..823b3a941 100644 --- a/deploy/Dockerfile +++ b/deploy/Dockerfile 
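Review bot: The ECR helper is fetched with `RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login` with no tag or commit pinned, so each image build compiles whatever the upstream default branch holds at that moment; for a binary that handles registry credentials inside the executor image this makes the build unreproducible and widens the supply-chain exposure. Pin the helper to a tagged release, for example `RUN git -C /go/src/github.com/awslabs/amazon-ecr-credential-helper checkout <PINNED_TAG_OR_COMMIT>` before `make linux-amd64`, and record an expected checksum; the GCR tarball that `ADD` pulls by URL gets no digest verification either and would benefit from the same treatment. The same unpinned `go get -u` line is carried forward as context by the deploy/Dockerfile hunk of [PATCH 2/5], so the fix belongs there as well.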
@@ -18,13 +18,12 @@ FROM golang:1.10 WORKDIR /go/src/github.com/GoogleContainerTools/kaniko COPY . . RUN make -WORKDIR /usr/local/bin -ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3-static/docker-credential-gcr_linux_amd64-1.4.3.tar.gz . -RUN tar -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.4.3.tar.gz +# Get GCR credential helper +ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3-static/docker-credential-gcr_linux_amd64-1.4.3.tar.gz /usr/local/bin/ +RUN tar -C /usr/local/bin/ -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.4.3.tar.gz # Get Amazon ECR credential helper RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login -WORKDIR /go/src/github.com/awslabs/amazon-ecr-credential-helper -RUN make linux-amd64 +RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper linux-amd64 FROM scratch COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor From d040c89af6a41667db34f12aca43bf880f516322 Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Mon, 7 May 2018 15:02:00 -0700 Subject: [PATCH 3/5] Ignore symlinks during file extraction if link is whitelisted --- integration_tests/dockerfiles/Dockerfile_test_copy | 2 +- pkg/util/fs_util.go | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/integration_tests/dockerfiles/Dockerfile_test_copy b/integration_tests/dockerfiles/Dockerfile_test_copy index 99c179c11..fd184394d 100644 --- a/integration_tests/dockerfiles/Dockerfile_test_copy +++ b/integration_tests/dockerfiles/Dockerfile_test_copy @@ -1,4 +1,4 @@ -FROM gcr.io/distroless/base +FROM alpine:3.7 COPY context/foo foo COPY context/foo /foodir/ COPY context/bar/b* bar/ diff --git a/pkg/util/fs_util.go b/pkg/util/fs_util.go index 3d8b46bc5..f167f18a5 100644 --- a/pkg/util/fs_util.go +++ b/pkg/util/fs_util.go 
@@ -94,6 +94,12 @@ func GetFSFromImage(img v1.Image) error { logrus.Infof("Not adding %s because it is whitelisted", path) continue } + if hdr.Typeflag == tar.TypeSymlink { + if checkWhitelist(hdr.Linkname, whitelist) { + logrus.Debugf("skipping symlink from %s to %s because %s is whitelisted", hdr.Linkname, path, hdr.Linkname) + continue + } + } fs[path] = struct{}{} if err := extractFile("/", hdr, tr); err != nil { From adaff3ee89c8a1868d41423c6d0e6ffe706c500e Mon Sep 17 00:00:00 2001 From: Nicolas Byl Date: Tue, 8 May 2018 21:34:02 +0200 Subject: [PATCH 4/5] make destination required to fix "could not parse reference" errors --- cmd/executor/cmd/root.go | 1 + 1 file changed, 1 insertion(+) diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go index 6a4fd546e..2e5d0a66a 100644 --- a/cmd/executor/cmd/root.go +++ b/cmd/executor/cmd/root.go @@ -47,6 +47,7 @@ func init() { RootCmd.PersistentFlags().StringVarP(&srcContext, "context", "c", "/workspace/", "Path to the dockerfile build context.") RootCmd.PersistentFlags().StringVarP(&bucket, "bucket", "b", "", "Name of the GCS bucket from which to access build context as tarball.") RootCmd.PersistentFlags().StringVarP(&destination, "destination", "d", "", "Registry the final image should be pushed to (ex: gcr.io/test/example:latest)") + RootCmd.MarkPersistentFlagRequired("destination") RootCmd.PersistentFlags().StringVarP(&snapshotMode, "snapshotMode", "", "full", "Set this flag to change the file attributes inspected during snapshotting") RootCmd.PersistentFlags().BoolVarP(&dockerInsecureSkipTLSVerify, "insecure-skip-tls-verify", "", false, "Push to insecure registry ignoring TLS verify") RootCmd.PersistentFlags().StringVarP(&logLevel, "verbosity", "v", constants.DefaultLogLevel, "Log level (debug, info, warn, error, fatal, panic") From f5b84574052a4473f59bfe64921cf5a3fcc88b27 Mon Sep 17 00:00:00 2001 
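Review bot: `checkWhitelist(hdr.Linkname, whitelist)` receives the raw link target, but a tar symlink's Linkname is often relative to the entry's own directory, so a relative target that resolves into a whitelisted path will not match and the symlink is still extracted — assuming checkWhitelist does prefix matching on absolute paths, which is not visible in this hunk. Resolve the target before the check, e.g. `target := hdr.Linkname`, `if !filepath.IsAbs(target) { target = filepath.Join(filepath.Dir(path), target) }`, then `if checkWhitelist(target, whitelist) {` (add the path/filepath import if the file lacks it). The Debugf message also lists `hdr.Linkname` as the "from" side and `path` as the "to" side, which reads backwards for a link stored at `path` that points to Linkname. GetFSFromImage begins and ends outside this hunk.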
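Review bot: `RootCmd.MarkPersistentFlagRequired("destination")` discards the error cobra returns when the named flag is not registered, so a later rename of the flag would silently drop the requirement instead of failing at startup. A misregistered flag name in init() is a programmer error, so surface it: `if err := RootCmd.MarkPersistentFlagRequired("destination"); err != nil { panic(err) }` (or a fatal log via the logger the package already uses). init() continues outside this hunk on both sides.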
From: Priya Wadhwa Date: Wed, 9 May 2018 12:01:05 -0700 Subject: [PATCH 5/5] Add shell command to commands.go --- pkg/commands/commands.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/commands/commands.go b/pkg/commands/commands.go index 0d8e6cafa..dc3ea66e1 100644 --- a/pkg/commands/commands.go +++ b/pkg/commands/commands.go @@ -63,6 +63,8 @@ func GetCommand(cmd instructions.Command, buildcontext string) (DockerCommand, e return &VolumeCommand{cmd: c}, nil case *instructions.StopSignalCommand: return &StopSignalCommand{cmd: c}, nil + case *instructions.ShellCommand: + return &ShellCommand{cmd: c}, nil case *instructions.MaintainerCommand: logrus.Warnf("%s is deprecated, skipping", cmd.Name()) return nil, nil
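Review bot: The new `case *instructions.ShellCommand:` returns `&ShellCommand{cmd: c}`, but this patch touches only commands.go (2 insertions per the diffstat) and defines no `ShellCommand` type, so unless that type already exists elsewhere in pkg/commands from an earlier commit on the branch the package will not build — worth confirming before merge. If the type is new to this series, its doc comment should say what the executor does with a SHELL instruction, since this hunk is dispatch only. GetCommand starts and ends outside the hunk.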