From c42881410c90ff36fa97f4089cdd1ff2557057ba Mon Sep 17 00:00:00 2001
From: Jon Johnson <jonjohnson@google.com>
Date: Tue, 23 Jun 2020 10:45:33 -0700
Subject: [PATCH] Add pkg.dev to automagic config file population

Kaniko currently does config file setup for GCR such that pushing to GCR
automagically works. This change does the same for pkg.dev:
https://cloud.google.com/artifact-registry

This also tightens up the hostname check to ensure we don't send
credentials to a registry that happens to contain "gcr.io".
---
 pkg/executor/push.go      | 9 +++++----
 pkg/executor/push_test.go | 4 ++++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/pkg/executor/push.go b/pkg/executor/push.go
index 623c92525..d0733eb15 100644
--- a/pkg/executor/push.go
+++ b/pkg/executor/push.go
@@ -105,19 +105,20 @@ func CheckPushPermissions(opts *config.KanikoOptions) error {
 			continue
 		}
 
+		registryName := destRef.Repository.Registry.Name()
 		// Historically kaniko was pre-configured by default with gcr credential helper,
 		// in here we keep the backwards compatibility by enabling the GCR helper only
-		// when gcr.io is in one of the destinations.
-		if strings.Contains(destRef.RegistryStr(), "gcr.io") {
+		// when gcr.io (or pkg.dev) is in one of the destinations.
+		if registryName == "gcr.io" || strings.HasSuffix(registryName, ".gcr.io") || strings.HasSuffix(registryName, ".pkg.dev") {
 			// Checking for existence of docker.config as it's normally required for
 			// authenticated registries and prevent overwriting user provided docker conf
 			if _, err := fs.Stat(DockerConfLocation()); os.IsNotExist(err) {
-				if err := execCommand("docker-credential-gcr", "configure-docker").Run(); err != nil {
+				flags := fmt.Sprintf("--registries=%s", registryName)
+				if err := execCommand("docker-credential-gcr", "configure-docker", flags).Run(); err != nil {
 					return errors.Wrap(err, "error while configuring docker-credential-gcr helper")
 				}
 			}
 		}
-		registryName := destRef.Repository.Registry.Name()
 		if opts.Insecure || opts.InsecureRegistries.Contains(registryName) {
 			newReg, err := name.NewRegistry(registryName, name.WeakValidation, name.Insecure)
 			if err != nil {
diff --git a/pkg/executor/push_test.go b/pkg/executor/push_test.go
index 2fd36f23c..f7699ce19 100644
--- a/pkg/executor/push_test.go
+++ b/pkg/executor/push_test.go
@@ -299,8 +299,12 @@ func TestCheckPushPermissions(t *testing.T) {
 	}{
 		{"gcr.io/test-image", true, false},
 		{"gcr.io/test-image", false, true},
+		{"us-docker.pkg.dev/test-image", true, false},
+		{"us-docker.pkg.dev/test-image", false, true},
 		{"localhost:5000/test-image", false, false},
 		{"localhost:5000/test-image", false, true},
+		{"notgcr.io/test-image", false, false},
+		{"notgcr.io/test-image", false, true},
 	}
 
 	execCommand = fakeExecCommand