Move all files in executor image to /kaniko directory

deploy/Dockerfile

@@ -27,13 +27,15 @@ RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper linux-amd64
 
 FROM scratch
 COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
-COPY --from=0 /usr/local/bin/docker-credential-gcr /usr/local/bin/docker-credential-gcr
-COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login
+COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
+COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
 COPY files/ca-certificates.crt /kaniko/ssl/certs/
-COPY files/config.json /root/.docker/
-RUN ["docker-credential-gcr", "config", "--token-source=env"]
+COPY files/config.json /kaniko/.docker/
 ENV HOME /root
 ENV USER /root
-ENV PATH /usr/local/bin
+ENV PATH /usr/local/bin:/kaniko
 ENV SSL_CERT_DIR=/kaniko/ssl/certs
+ENV DOCKER_CONFIG /kaniko/.docker/
+ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
+RUN ["docker-credential-gcr", "config", "--token-source=env"]
 ENTRYPOINT ["/kaniko/executor"]

deploy/Dockerfile_debug

@@ -35,14 +35,16 @@ RUN tar -C /distroless/bazel-genfiles/busybox/ -xf /distroless/bazel-genfiles/bu
 
 FROM scratch
 COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
-COPY --from=0 /usr/local/bin/docker-credential-gcr /usr/local/bin/docker-credential-gcr
-COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login
+COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
+COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
 COPY --from=1 /distroless/bazel-genfiles/busybox/busybox/ /busybox/
 COPY files/ca-certificates.crt /kaniko/ssl/certs/
-COPY files/config.json /root/.docker/
-RUN ["docker-credential-gcr", "config", "--token-source=env"]
+COPY files/config.json /kaniko/.docker/
 ENV HOME /root
 ENV USER /root
-ENV PATH /usr/local/bin:/busybox
+ENV PATH /usr/local/bin:/kaniko:/busybox
 ENV SSL_CERT_DIR=/kaniko/ssl/certs
+ENV DOCKER_CONFIG /kaniko/.docker/
+ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
+RUN ["docker-credential-gcr", "config", "--token-source=env"]
 ENTRYPOINT ["/kaniko/executor"]

pkg/constants/constants.go

@@ -48,7 +48,5 @@ const (
 	NoBaseImage = "scratch"
 )
 
-// KanikoFiles is the list of files that shouldn't be deleted from kaniko
-var KanikoFiles = []string{"/kaniko/executor", "/kaniko/ssl/certs/ca-certificates.crt",
-	"/root/.docker/config.json", "/usr/local/bin/docker-credential-gcr",
-	"/usr/local/bin/docker-credential-ecr-login"}
+// KanikoBuildFiles is the list of files required to build kaniko
+var KanikoBuildFiles = []string{"/kaniko/executor", "/kaniko/ssl/certs/ca-certificates.crt"}

pkg/util/fs_util.go

@@ -128,7 +128,7 @@ func DeleteFilesystem() error {
 
 // ChildDirInWhitelist returns true if there is a child file or directory of the path in the whitelist
 func ChildDirInWhitelist(path, directory string) bool {
-	for _, d := range constants.KanikoFiles {
+	for _, d := range constants.KanikoBuildFiles {
 		dirPath := filepath.Join(directory, d)
 		if HasFilepathPrefix(dirPath, path) {
 			return true
@@ -223,7 +223,7 @@ func extractFile(dest string, hdr *tar.Header, tr io.Reader) error {
 }
 
 func PathInWhitelist(path, directory string) bool {
-	for _, c := range constants.KanikoFiles {
+	for _, c := range constants.KanikoBuildFiles {
 		if path == c {
 			return false
 		}