diff --git a/README.md b/README.md
index dfbd11a5be..30c4d8464d 100644
--- a/README.md
+++ b/README.md
@@ -147,8 +147,58 @@ To run kaniko in Docker, run the following command:
 kaniko uses Docker credential helpers to push images to a registry.
-kaniko comes with support for GCR, but configuring another credential helper should allow pushing to a different registry.
+kaniko comes with support for GCR and Amazon ECR, but configuring another credential helper should allow pushing to a different registry.
+
+#### Pushing to Amazon ECR
+The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built in to the kaniko executor image.
+To configure credentials, you will need to do the following:
+1. Update the `credHelpers` section of [config.json](https://github.com/GoogleContainerTools/kaniko/blob/master/files/config.json) with the specific URI of your ECR registry:
+```json
+{
+ "credHelpers": {
+ "aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
+ }
+}
+```
+You can mount in the new config as a configMap:
+```shell
+kubectl create configmap docker-config --from-file=
+```
+2. Create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster.
+To create the secret, run:
+
+```shell
+kubectl create secret generic aws-secret --from-file=
+```
+
+The Kubernetes Pod spec should look similar to this, with the args parameters filled in:
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kaniko
+spec:
+ containers:
+ - name: kaniko
+ image: gcr.io/kaniko-project/executor:latest
+ args: ["--dockerfile=",
+ "--context=",
+ "--destination="]
+ volumeMounts:
+ - name: aws-secret
+ mountPath: /root/.aws/
+ - name: docker-config
+ mountPath: /root/.docker/
+ restartPolicy: Never
+ volumes:
+ - name: aws-secret
+ secret:
+ secretName: aws-secret
+ - name: docker-config
+ configMap:
+ name: docker-config
+```
 ### Debug Image
 We provide `gcr.io/kaniko-project/executor:debug` as a a version of the executor image based off a Debian image.
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
index 1b93031bd4..054b5fdd5e 100644
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -18,13 +18,17 @@ FROM golang:1.10
 WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
 COPY . .
 RUN make
-WORKDIR /usr/local/bin
-ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3-static/docker-credential-gcr_linux_amd64-1.4.3.tar.gz .
-RUN tar -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.4.3.tar.gz
+# Get GCR credential helper
+ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3-static/docker-credential-gcr_linux_amd64-1.4.3.tar.gz /usr/local/bin/
+RUN tar -C /usr/local/bin/ -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.4.3.tar.gz
+# Get Amazon ECR credential helper
+RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login
+RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper linux-amd64
 FROM scratch
 COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
 COPY --from=0 /usr/local/bin/docker-credential-gcr /usr/local/bin/docker-credential-gcr
+COPY --from=0 /go/src/github.com/awslabs/amazon-ecr-credential-helper/bin/linux-amd64/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login
 COPY files/ca-certificates.crt /kaniko/ssl/certs/
 COPY files/config.json /root/.docker/
 RUN ["docker-credential-gcr", "config", "--token-source=env"]
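Review bot: The added `RUN go get -u github.com/awslabs/amazon-ecr-credential-helper/...` line builds whatever is at the tip of the helper's default branch when the image is built, so the `docker-credential-ecr-login` binary copied into the final stage is unpinned and not reproducible, even though it is the component that will handle AWS credentials. The GCR helper just above it is at least fixed to the `v1.4.3-static` release; the ECR helper should be fixed the same way, for example by replacing the `go get -u` line with `RUN git clone https://github.com/awslabs/amazon-ecr-credential-helper /go/src/github.com/awslabs/amazon-ecr-credential-helper && git -C /go/src/github.com/awslabs/amazon-ecr-credential-helper checkout <PINNED_COMMIT_SHA>` (placeholder for a reviewed commit) ahead of the `make ... linux-amd64` step. The `-u` flag additionally refreshes any dependencies pulled into GOPATH, which widens the set of unreviewed code in the build. Separately, the `ADD https://...docker-credential-gcr_linux_amd64-1.4.3.tar.gz` download is still extracted without an integrity check; verifying it against a checked-in SHA-256 value (for instance with `sha256sum -c`) before the `tar` step would close that gap. The build stage begins above the hunk, so anything earlier in the file is not covered by this note.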