How can I use a non-exec entrypoint for Kaniko in Google Cloud Build (to enable build arg definition)


The instructions for using Kaniko in GCB use the exec form of the kaniko project builder, like this:

  - id: 'Build (with Kaniko Cache)'
    name: 'gcr.io/kaniko-project/executor:latest'
    args:
      - --destination=$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA
      - --cache=true
      - --cache-ttl=6h

But I'm using it to replace a docker build, in which I circumvent the exec form of usage in order to inject a build arg (an access token from the Secret Manager) as described here and here.

  - id: 'Build'
    name: gcr.io/cloud-builders/docker
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        docker build --cache-from $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA --build-arg PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt) -t $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA .

I've tried defining a bash entrypoint, but that's not found, so I'm stuck. Is it even possible to run the non-exec form?

Note: It is possible to access the secret in a file within the container instead of via a build arg, but that would mean changing the setup for my developers to all have that secret file in order to build their development images locally, which I could do, but really don't want to.

Best answer:

I solved it using docker run:

steps:
- id: Build
  name: gcr.io/cloud-builders/docker
  entrypoint: /bin/bash
  args:
  - -c
  - |
    # --network=cloudbuild gives the container the build's service-account
    # credentials (needed for the push); -v shares the checked-out workspace.
    # $$GITHUBTOKEN is escaped so Cloud Build leaves it for bash, which expands
    # the secretEnv variable injected from Secret Manager.
    docker run \
      --network=cloudbuild \
      -v /workspace:/workspace \
        gcr.io/kaniko-project/executor:latest \
          --dockerfile /workspace/Dockerfile \
          --build-arg=GITHUBTOKEN=$$GITHUBTOKEN \
          --destination=gcr.io/$PROJECT_ID/myapp:$SHORT_SHA \
          --cache=true \
          --context dir:///workspace/
  secretEnv: ['GITHUBTOKEN']

availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/github_machine_user_pat/versions/latest
      env: GITHUBTOKEN
Second answer:

The Kaniko executor image provides the --build-arg flag to pass in ARG values at build time, similarly to Docker. You'll find the full list of additional flags here.

Given that, you'll be able to run your build like so:

steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=secret-name --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/kaniko-project/executor:latest'
  args:
  - --destination=$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA
  - --cache=true
  - --cache-ttl=6h
  - --build-arg=PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)
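To make the exec-form versus shell-form distinction concrete, here is an added example that is not from the question or either answer and is not a Cloud Build feature: a small Python lint over a parsed cloudbuild.yaml that flags the three pitfalls this thread touches on, namely `$(...)` in the args of a step whose entrypoint is not a shell (the executor receives it literally), a `secretEnv` variable that is undeclared or referenced with a single `$` instead of `$$` (Cloud Build expands single-dollar references itself, so the value never reaches the container), and a secret redirected into a file, which then sits in /workspace for every later step. The configs are dicts constructed to mirror the snippets above; step ids, secret names and file names are placeholders.

```python
"""Lint a parsed cloudbuild.yaml for secret/build-arg pitfalls (added example)."""
import re
from typing import Dict, List

# Entrypoints that run their args through a shell, so $(...) and $VAR are
# expanded inside the step. Anything else (docker, kaniko, gcloud) gets args verbatim.
SHELL_ENTRYPOINTS = {"bash", "/bin/bash", "sh", "/bin/sh"}

COMMAND_SUBST = re.compile(r"\$\(|`")  # $(...) or backtick command substitution
SECRET_TO_FILE = re.compile(r"gcloud secrets versions access.*>\s*\S+")


def _declared_secret_envs(config: Dict) -> set:
    """Env names exported by availableSecrets.secretManager entries."""
    secrets = config.get("availableSecrets", {}).get("secretManager", [])
    return {s["env"] for s in secrets if "env" in s}


def _single_dollar(name: str) -> "re.Pattern":
    # $NAME or ${NAME} not preceded by another '$'. Only '$$NAME' survives
    # Cloud Build's own substitution pass and reaches the container.
    return re.compile(r"(?<!\$)\$\{?%s\b" % re.escape(name))


def lint_cloudbuild(config: Dict) -> List[str]:
    """Return one finding string per pitfall, in step order."""
    findings: List[str] = []
    declared = _declared_secret_envs(config)
    for i, step in enumerate(config.get("steps", [])):
        label = step.get("id") or f"step[{i}]"
        joined = " ".join(step.get("args", []))
        uses_shell = step.get("entrypoint") in SHELL_ENTRYPOINTS

        # 1. Command substitution without a shell is passed to the tool literally.
        if not uses_shell and COMMAND_SUBST.search(joined):
            findings.append(f"{label}: $(...) in args but entrypoint is not a shell; "
                            "it is passed to the executor literally")

        # 2. secretEnv names must be declared and referenced as $$NAME.
        for name in step.get("secretEnv", []):
            if name not in declared:
                findings.append(f"{label}: secretEnv {name} is not declared in availableSecrets")
            if _single_dollar(name).search(joined):
                findings.append(f"{label}: {name} referenced as ${name}; Cloud Build will "
                                f"try to substitute it, use $${name} instead")

        # 3. A secret copied into a file persists in /workspace for all later steps.
        if SECRET_TO_FILE.search(joined):
            findings.append(f"{label}: secret written to a file; it stays on disk for "
                            "all later steps (prefer secretEnv)")
    return findings


# Constructed configs mirroring the two answers (placeholder names throughout).
ACCEPTED_ANSWER_CONFIG = {
    "steps": [{
        "id": "Build", "name": "gcr.io/cloud-builders/docker", "entrypoint": "/bin/bash",
        "args": ["-c", "docker run --network=cloudbuild -v /workspace:/workspace "
                       "gcr.io/kaniko-project/executor:latest --dockerfile /workspace/Dockerfile "
                       "--build-arg=GITHUBTOKEN=$$GITHUBTOKEN "
                       "--destination=gcr.io/$PROJECT_ID/myapp:$SHORT_SHA --context dir:///workspace/"],
        "secretEnv": ["GITHUBTOKEN"],
    }],
    "availableSecrets": {"secretManager": [
        {"versionName": "projects/$PROJECT_ID/secrets/example-pat/versions/latest",
         "env": "GITHUBTOKEN"}]},
}

FILE_AND_SUBST_CONFIG = {
    "steps": [
        {"name": "gcr.io/cloud-builders/gcloud", "entrypoint": "bash",
         "args": ["-c", "gcloud secrets versions access latest --secret=secret-name "
                        "--format='get(payload.data)' | base64 -d > decrypted-pat.txt"]},
        {"name": "gcr.io/kaniko-project/executor:latest",
         "args": ["--destination=$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA",
                  "--build-arg=PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)"]},
    ],
}

BAD_ESCAPE_CONFIG = {
    "steps": [{"id": "Build", "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash",
               "args": ["-c", "docker build --build-arg=GITHUBTOKEN=$GITHUBTOKEN ."],
               "secretEnv": ["GITHUBTOKEN"]}],
}

if __name__ == "__main__":
    for title, cfg in [("accepted answer", ACCEPTED_ANSWER_CONFIG),
                       ("file + $(...)", FILE_AND_SUBST_CONFIG),
                       ("single $", BAD_ESCAPE_CONFIG)]:
        print(f"== {title} ==")
        for f in lint_cloudbuild(cfg) or ["clean"]:
            print("  " + f)
```

The lint works on the parsed structure, so in practice you would load the file with a YAML parser first; the checks are heuristics (a regex over the joined args), so treat a finding as a prompt to look at the step, not as proof of a leak.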