I am trying to clone a simple, private repo in GitLab, build an image, and push it to the repo's container registry using a Tekton pipeline. I have configured a service account that refers to a secret that uses basic auth. The clone task works fine, but the Kaniko build/push task continues to fail with an authentication issue (`error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again`). My initial assumption was that I could use the same SA/secret for both Git and Docker. I have tried several permutations, including separate secrets with Tekton annotations, a separate SA for the build/push task, and other types of auth such as dockerconfigjson and token, all with no luck. With this being such a fundamental pair of tasks, I'm surprised I can't find an easy answer.
-
Another data point. So far, the only way I can push an image to a private registry is by using a workspace with a secret (config.json) in the Kaniko task. Service account isn't working (for me). I was hoping I could share a service account across both tasks. – Rich Jones Sep 16 '22 at 23:07
-
Did you check this? https://tekton.dev/docs/how-to-guides/kaniko-build-push/#container-registry-authentication – Adiii Sep 17 '22 at 07:14
-
Yes, that tutorial works, but it clones a public Git repo. I can pull from that repo (no secret) and push to my private repo (with secret). I need to be able to use auth for both and can't seem to get it to work. – Rich Jones Sep 18 '22 at 17:06
-
I've also tried several other types of secrets to authenticate to my GitLab container registry including basic auth, .dockerconfigjson and access token. The only one that works is the one in that tutorial. I'm using the most recent Kaniko release. Below is the working secret configuration:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: docker-credentials
data:
  config.json: ewo...
```

– Rich Jones Sep 18 '22 at 19:02
-
Ok, figured it out. When you use the Kaniko task, you have to specify a "dockerconfig" workspace that provides a secret as defined in the previous comment. I used a service account with a basic-auth secret to clone the Git repo, but adding a second secret to the SA for the Docker registry or using a separate SA did not work. I'd love to hear any comments. – Rich Jones Sep 19 '22 at 21:52
-
Last thing on this thread. The README for the Kaniko task on Tekton Hub does describe the use of the dockerconfig workspace for authentication. I made a bad assumption that I could use a service account to provide credentials and went down the proverbial rabbit hole. – Rich Jones Sep 19 '22 at 22:07
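
The arrangement the thread settles on, written out as an added example that is not part of the original posts: the service account carries the Git basic-auth secret for the clone, and the registry secret reaches Kaniko through its `dockerconfig` workspace. The names `build-bot`, `gitlab-basic-auth`, `shared-data`, the repository URL and the image reference are placeholders, and the `tekton.dev/v1beta1` API with the Tekton Hub `git-clone` and `kaniko` tasks is assumed.

```yaml
# Constructed example; all names, URLs and image references are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  # kubernetes.io/basic-auth secret annotated with tekton.dev/git-0: https://gitlab.com
  - name: gitlab-basic-auth
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: clone-build-push-
spec:
  serviceAccountName: build-bot            # Git credentials for the private clone
  workspaces:
    - name: shared-data
      volumeClaimTemplate:
        spec:
          accessModes: [ReadWriteOnce]
          resources: {requests: {storage: 1Gi}}
    - name: docker-credentials
      secret:
        secretName: docker-credentials     # the Secret whose data key is config.json
  pipelineSpec:
    workspaces:
      - name: shared-data
      - name: docker-credentials
    tasks:
      - name: fetch-source
        taskRef: {name: git-clone}
        workspaces:
          - name: output
            workspace: shared-data
        params:
          - name: url
            value: https://gitlab.com/example-group/example-app.git
      - name: build-push
        runAfter: [fetch-source]
        taskRef: {name: kaniko}
        workspaces:
          - name: source
            workspace: shared-data
          - name: dockerconfig               # registry auth is read from here, not from the SA
            workspace: docker-credentials
        params:
          - name: IMAGE
            value: registry.gitlab.com/example-group/example-app:latest
```

Because the registry secret is bound as a workspace, it is mounted only into the task that declares `dockerconfig`. The `config.json` value is base64-encoded, not encrypted, so the credential inside it should be a registry-scoped token rather than an account password.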