Commit Graph

80 Commits

Author SHA1 Message Date
Matheus Pimenta 8bbd69d8a1
Add --push-ignore-immutable-tag-errors boolean CLI option (#2774) 2024-02-29 10:05:58 -08:00
Manish Giri 7bfc73c3ad
fix: Remove references to deprecated io/ioutil pkg (#2867)
* Update benchmark_test

* Update tar.go

* Update further refs

* Commit next set of replacements

* Reverting changes in vendor folder

* Update integreation_with_context_test.go

* Update k8s_test.go

* Update remaining usages

* Replace conflicting usage of fs local variable
2023-11-28 13:02:53 -08:00
Lio李歐 e5395c7a21
feat: support https URLs for digest-file (#2811)
This feature allows one to specify an https URL for any of the
digest-file options, resulting in an HTTP PUT to the provided
URL. This could for example be a (pre-signed) URL to S3 or GCS.

Currently the final digest is only written to the local filesystem,
which disappears and is not accessible when Kaniko is run in a
managed container service like AWS ECS.

By supporting https a single implementation supports all storage
services, without the need for special code for S3, GCS, etc.
2023-11-10 11:05:36 -08:00
JeromeJu 6ee84f128d
Change condition for the behavior when --no-push=true without --destinations (#2676)
This commit changes the condition check for the behavior when no-push is
set to true while destinations are needed. Prior to this change, users would
have to set destinations even when noPush option is set to true. More
specifically, a workaround for tar files to be generated when --no-push is
true and destinations is empty is provided where a dummy destination would be
set.
2023-08-17 09:53:59 -07:00
Julian cefe99b92a
Added skip-push-permission flag (#2657)
Added skip-push-permission flag to conditionally disable push permission check on build start to accommodate for slow network policies
2023-08-15 11:23:16 -07:00
Eric 7525828ef9
Add mTLS (client cert) registry authentication (#2180)
* Add mTLS (client cert) support

Add support for Mutual TLS (mTLS) client certificate authentication.
The expected format of the new --registry-client-cert flag is the same
as the existing --registry-certificate flag, which will allow
different client certificates for different registries:

--registry-client-cert my.registry.url=/path/to/cert.crt,/path/to/key.key

* tidy: Rename mTLS (Client Cert) flag to be in line with others

This flag didn't describe that it was for the client certs used with
the registry. Although this should be reasonably obvious, I like the
consistency with the other registry flag.

* test: Added unit tests for mTLS (Client Cert) loading

* test: Add 2 more tests for comma split formatting

since the comma splitting is a new portion of code let's make sure
that that format works well too in other cases

* tidy: Fix formatting of flag help text

* tidy: Made invalid cert format error consistent

I was running the tests and saw the message:

Failed to load client certificate/key '/path/to/client/certificate.cert' for my.registry.name, format is my.registry.name=/path/to/cert,/path/to/key

I then realized that it'd be a lot nicer if this showed the user what
they input, and how they should change it (rather than decomposing it):

Failed to load client certificate/key 'my.registry.name=/path/to/client/certificate.cert', expected format: my.registry.name=/path/to/cert,/path/to/key

* test: Fixed incorrect test argument

This didn't fail the test before because it's only attempting to show
that certs only get loaded and used for their associated registry but
it's important to keep this correct.

This case is covered by the test below, "RegistriesClientCertificates
incorrect cert format"

* doc: Add new flag to README.md

* mod: Fail to push if there was a problem loading client certs

Rather than warning that there was an issue, we should fail if the
requested client certificates were not found or failed to load.

This feels a lot better than waiting for the build to finish then
failing later.

* mod: Return an error if the certificate authority fails to load, just like client certs

The MakeTransport function was changed in the previous commit to
allow returning errors if there was a problem loading certificates,
rather than just print warnings.

This feels a lot better as you get the error immediately that there's
a problem to fix, rather than getting a warning, then later an error
that the server's certificate could not be verified.

* tidy: fix golint issues
2023-05-18 14:20:51 -07:00
Lavrenti Frobeen 24846d22b1
Use correct media type for zstd layers (#2459)
In my previous commits I forgot to override the media type for layers that are using zstd compression.
2023-04-03 11:34:26 -04:00
Lavrenti Frobeen 76afb70790
Add support for zstd compression (#2313)
* Add support for configurable compression algorithm (gzip, zstd) and compression level

We want to make the layer compression in kaniko configurable, so we have added two optional command line arguments “--compression” and “--compression-level”. The former allows the user to specify a compression algorithm (zstd, gzip) and the latter can be used to specify the compression level.

Depending on the selected compression algorithm and level we modify the set of layerOptions that are used to create tarball layers in `push.go` and `build.go`.

The actual implementation of the zstd support can be found in our fork of the go-containerregistry package for which we have filed this PR: google/go-containerregistry#1487

The changes should be fully backwards compatible.

* Restrict inputs for compression flag to gzip and zstd

This change will ensure that users can only specify supported compression algorithms (`zstd`, `gzip`) to the `--compression` flag.

* Fix incorrect type for switch statements on config.Compression
2023-04-01 22:25:25 -04:00
Natalie Arellano 4d077e2a40
Provide `--cache-repo` as OCI image layout path (#2250)
* Adds the ability to provide `--cache-repo` as an OCI image layout path

- Adds cache.LayoutCache to implement cache.LayerCache interface
- When opts.CacheRepo has "oci:" prefix, instantiates a LayoutCache

Signed-off-by: Natalie Arellano <narellano@vmware.com>

* Add integration test for layout cache

Signed-off-by: Natalie Arellano <narellano@vmware.com>

* Updates from PR review

Signed-off-by: Natalie Arellano <narellano@vmware.com>

Signed-off-by: Natalie Arellano <narellano@vmware.com>
2022-09-28 10:19:02 -04:00
Gabriel Nützi 323e616a67
fix: Refactor `LayersMap` to correct old strange code behavior (#2066)
* fix: Correct flatten function in layers

- Added a test.
- Cache current image, track deletes in `whiteouts` as well as normal adds in `layers`.
- Fix ugly delete behavior of `layerHashCache`.
  Delete it when creating a new snapshot.
- Slight cleanup in `snapshot.go`.
- Format ugly `WalkFS` function.

* fix: Add symbolic link changes to Hasher and CacheHasher

* fix: Better log messages

* fix(ci): Integration tests

* fix(ci): Add `--no-cache` to docker builds

* fix(ci): Pass credentials for error integration test

* np: Missing .gitignore in `hack`

* np: Capitalize every log message

- Correct some linting.

* fix: Key function

- Merge only last layer onto `currentImage`.

* fix: Remove old obsolete `cacheHasher`
2022-05-17 20:30:58 -04:00
Gabriel Nützi 7b50fc8a57
fix: Main (#2094) 2022-05-17 13:27:24 -04:00
Jason D'Amour 872758b8b0
feat: add flag to disable pushing cache (#2038) 2022-05-16 12:21:26 -07:00
Jason Hall 633f555c5c
Fix implicit GCR auth (#1856)
* Fix implicit GCR auth

* boilerplate
2021-12-28 20:34:32 -05:00
Jason Hall 129df249c9
Log full image ref by digest when pushing an image (#1857) 2021-12-28 07:13:11 -06:00
Tejal Desai cf4822c31c
Run docker_credentials_gcr in warmer (#1780)
* run docker_credentials_gcr in warmer

* fix tests

* fix dockerfiles

* fix boilerplate

* mend

* fix

* another lint
2021-10-19 12:25:42 -07:00
Janosch Maier 46e01340c2
Remove tarball.WithCompressedCaching flag to resolve OOM Killed error (#1722)
* Remove tarball.WithCompressedCaching flag to resolve OOM Killed error

Large images cannot be built as the kaniko container will be killed due to an OOM error. Removing the tarball compression drastically reduces the memory required to push large image layers. Fixes #1680

This change may increase the build time for smaller images. Therefore a command line option to trigger the compression or a more intelligent behaviour may be useful.

* Add new command line flag to toggle compressed caching

* Add unittest for build with --compressed-caching command line flag set to false
2021-10-19 00:14:06 -07:00
Vivek Kumar 6028f1c5ec
fix: create parent directories before writing digest files (#1612) 2021-04-13 14:41:54 -07:00
Lars Gröber 0477900feb
Fixes #1544 (#1597)
* Specifying a tarPath will push the image as well
2021-03-31 10:17:26 -07:00
Sascha Schwarze 69f942f751
Improve retry behavior for push operation (#1578)
* Update go-containerregistry to 0.4

* Implement --push-retry argument
2021-02-22 21:25:58 -08:00
Or Geva b3e036aab2
Add --image-name-tag-with-digest flag (#1541) 2021-01-19 13:28:05 -08:00
Josh Chorlton ece215c181
reject tarball writes with no destinations (#1534)
* reject tarball writes with no destinations

* Update pkg/snapshot/snapshot.go

Co-authored-by: Tejal Desai <tejal29@gmail.com>
2021-01-03 10:13:05 -08:00
Matt Moore 1ad4295462
Update ggcr to pick up estargz and caching option (#1527) 2020-12-21 10:09:21 -08:00
Tejal Desai b04399eeac
add caching copy layers back (#1518)
* add caching copy layers back

* fix test

* lint

* fix test - 2

* Add integration test

* fix lint
2020-12-11 00:25:03 -08:00
Vincent Behar dde98a8e73
feat(warmer): Warmer now supports all registry-related flags (#1499)
which means we can now:
- set up one or more mirrors
- set up registries certificates
- skip TLS verify
- use plain HTTP
using the same set of flags that are defined for the executor
2020-12-10 22:55:43 -08:00
ejose19 2f8d939b3f
fix: CheckPushPermissions not being called when CacheRepo was set (#1471) 2020-10-29 23:46:00 -07:00
ejose19 0ef3a6b525
Fix permissions on cache when --no-push is set (#1445) 2020-10-02 10:11:12 -07:00
Akram Ben Aissi ab768b5d26
Allow DOCKER_CONFIG to be a filename (#1409)
* Allow DOCKER_CONFIG to be a filename

* UnitTest: DockerConfLocation must return a file if it is existent and passed using env, or default if the file is incorrect
2020-09-30 16:45:34 -07:00
Tejal Desai 0c386e3f4a
fix docker-credential-gcr helper being called for multiple registries (#1439)
* fix multiple registries docker-credential-gcr

* Update pkg/executor/push.go
2020-09-30 16:43:16 -07:00
Tejal Desai 1990cb76e9 change repo string to just string 2020-09-09 09:09:19 -07:00
Jon Johnson c42881410c Add pkg.dev to automagic config file population
Kaniko currently does config file setup for GCR such that pushing to GCR
automagically works. This change does the same for pkg.dev:
https://cloud.google.com/artifact-registry

This also tightens up the hostname check to ensure we don't send
credentials to a registry that happens to contain "gcr.io".
2020-06-23 11:23:07 -07:00
Ben Einaudi 2f6090dcd7 Remove use of DefaultTransport
Using DefaultTransport and manipulating its tls configuration may lead to unexpected behaviour
2020-05-20 11:43:13 +02:00
Tejal Desai da5c420ee9 use a mock 2020-05-19 15:05:46 -07:00
Mitchell Friedman 6978fab45c Add retries to image push.
This uses the default provided retry transport by
go-containerregistry as this originally had no retries
built in.

This is useful to avoid intermittent failures of image
registries when returning a retryable status code.
2020-05-08 14:18:43 +01:00
David Dooling 8bfd370ef9
Provide full path to Docker config file
Add tests.  The tests assume a POSIX file system, but it seems many
other tests assume Linux, so perhaps this is not a problem, or at
least does not add a new problem.

Fixes #1235
2020-05-06 10:02:47 -05:00
David Dooling 0871dfd6ab
Use DOCKER_CONFIG for docker config location
If the DOCKER_CONFIG environment variable is set, use it when
determining if the Docker config file exists.  Fall back to kaniko
default if the DOCKER_CONFIG environment variable is not set.

Fixes #1228
2020-05-04 16:46:50 -05:00
Sam Stoelinga c56f16b163 Create constant for Docker conf location 2020-03-21 16:45:04 -07:00
Sam Stoelinga 8518b37ca1 Add unit tests for CheckPushPermissions 2020-03-21 16:15:34 -07:00
Sam Stoelinga 66268690b3 Add comments 2020-03-17 09:11:50 -07:00
Sam Stoelinga 8a020010b7 Add ability to use public GCR image
Kaniko by default used to configure the GCR credential helper however
this caused Kaniko to fail when trying to use a base image from a public
GCR image. This patch makes it possible to use public GCR images as base
image when using docker even when you're not authenticated to GCR.

Co-authored-by: Nate Williams <nate.williams@files.com>
2020-03-17 09:09:41 -07:00
Ben Einaudi b73c2c10c8 Allow user to provide registry certificate
Fixes #1100
Fixes #1101
2020-03-08 18:17:50 +01:00
Will Ripley f6aa8f709b Modified error message for writing image with digest file 2019-11-08 12:59:25 -06:00
Will Ripley c8f089fdbb Fixed formatting errors with push.go and push_test.go 2019-10-29 13:09:27 -05:00
Will Ripley a0651436b5 Changed image name to be full image name minus tag. Also added test for new ImageNameDigestFile flag 2019-10-29 12:55:50 -05:00
Will Ripley f38c47daa0 Made changes to --image-name-with-digest-file to support multiple destinations 2019-10-29 10:55:49 -05:00
Will Ripley 4c9a800e12 Added image digest file path 2019-10-21 11:55:55 -05:00
Tejal Desai f206e3f425
Merge branch 'master' into output 2019-10-04 08:43:02 -07:00
Don McCasland ccd99fbeec
Merge pull request #685 from tralexa/master
insecure flag not honored in cache
2019-09-20 13:32:19 -07:00
Tejal Desai e048b87222
Merge pull request #671 from abergmeier/fix_comment
Correct CheckPushPermission comment.
This is a typo fix.
2019-09-17 10:44:54 -07:00
alexa 62acf3ac1d change schema to http when Insecure flag is enabled 2019-09-16 16:35:45 +03:00
chhsia0 11f3b791cd Renamed to `--oci-layout-path` and added a unit test. 2019-08-24 01:28:58 -07:00