5

The instructions for using Kaniko in GCB use the exec form of the kaniko project builder, like this:

  - id: 'Build (with Kaniko Cache)'
    name: 'gcr.io/kaniko-project/executor:latest'
    args:
      - --destination=$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA
      - --cache=true
      - --cache-ttl=6h

But I'm using it to replace a docker build, in which I circumvent the exec form of usage in order to inject a build arg (an access token from the Secret Manager) as described here and here.

  - id: 'Build'
    name: gcr.io/cloud-builders/docker
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        docker build --cache-from $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA --build-arg PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt) -t $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA .

I've tried defining a bash entrypoint, but that's not found, so I'm stuck. Is it even possible to run the non-exec form?

Note: It is possible to access the secret in a file within the container instead of via a build arg, but that would mean changing the setup for my developers to all have that secret file in order to build their development images locally, which I could do, but really don't want to.

thclark
  • There is example of docker cloud builder `args` syntax here: https://cloud.google.com/cloud-build/docs/build-config#args. Maybe you should try to use similar approach? – vitooh Dec 28 '20 at 14:43
  • @vitooh those documents show the `exec` form that needs to be worked around, since it doesn't allow dynamic construction of the build args. – thclark Dec 28 '20 at 18:10

2 Answers

3

I solved it using docker run:

- id: Build
  name: gcr.io/cloud-builders/docker
  entrypoint: /bin/bash
  args:
  - -c
  - |
    docker run \
      --network=cloudbuild \
      -v /workspace:/workspace \
        gcr.io/kaniko-project/executor:latest \
          --dockerfile /workspace/Dockerfile \
          --build-arg=GITHUBTOKEN=$$GITHUBTOKEN \
          --destination=gcr.io/$PROJECT_ID/myapp:$SHORT_SHA \
          --cache=true \
          --context dir:///workspace/
  secretEnv: ['GITHUBTOKEN']

availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/github_machine_user_pat/versions/latest
      env: GITHUBTOKEN

Fábio Uechi
  • When I asked the question, the availableSecrets field wasn't actually available to cloudbuild (or if it was, it wasn't documented). But they're moving fast and in sensible directions, so this is definitely now the correct answer, thanks Fábio. – thclark Mar 14 '22 at 15:31
0

The Kaniko executor image provides the --build-arg flag to pass in ARG values at build time, similarly to Docker. You'll find the full list of additional flags here.

Given that, you'll be able to run your build like so:

steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=secret-name --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/kaniko-project/executor:latest'
  args:
  - --destination=$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA
  - --cache=true
  - --cache-ttl=6h
  - --build-arg=PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)
LundinCast
  • `$(cat decrypted-pat.txt)` won't work since it is not running within a shell – Fábio Uechi Sep 24 '21 at 00:42
  • There is no shell entrypoint for kaniko. It operates [from a scratch image](https://github.com/GoogleContainerTools/kaniko/blob/8710ce3311be79a331a325d57d13a1b9df6aa5a6/deploy/Dockerfile#L47). – frederix Nov 17 '22 at 18:21
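As an added example (not code from either answer or from the Kaniko/Cloud Build projects), a small Python lint over a Cloud Build config represented as a dict. It checks the two failure modes this thread discusses: a `$$NAME` reference or a `$(...)` substitution in a step that has no shell entrypoint (the exec form passes them literally), and a `secretEnv` entry with no matching `availableSecrets` declaration. The shell list and both sample configs are constructed for illustration.

```python
import re

# Entrypoints under which a step's args are interpreted by a shell (illustrative list, an assumption).
SHELLS = {"bash", "/bin/bash", "sh", "/bin/sh"}
# "$$NAME" is how a step refers to a secretEnv variable; Cloud Build only unescapes it to
# "$NAME", so a shell is still needed to expand it, and "$(...)" is likewise shell syntax.
SECRET_REF = re.compile(r"\$\$([A-Za-z_][A-Za-z0-9_]*)")


def lint_secret_usage(config):
    """Return a list of problems with how a Cloud Build config feeds secrets into steps."""
    declared = {s["env"] for s in config.get("availableSecrets", {}).get("secretManager", [])}
    problems = []
    for step in config.get("steps", []):
        sid = step.get("id") or step["name"]
        has_shell = step.get("entrypoint") in SHELLS
        granted = set(step.get("secretEnv", []))
        for name in sorted(granted - declared):
            problems.append(f"{sid}: secretEnv {name} is not declared under availableSecrets")
        for arg in step.get("args", []):
            if "$(" in arg and not has_shell:
                problems.append(f"{sid}: '$(...)' is passed literally; no shell entrypoint")
            for name in SECRET_REF.findall(arg):
                if name not in granted:
                    problems.append(f"{sid}: references $${name} without listing it in secretEnv")
                elif not has_shell:
                    problems.append(f"{sid}: $${name} is only expanded by a shell entrypoint")
    return problems


# Constructed config in the shape of the accepted answer (docker run wrapping the Kaniko executor).
ACCEPTED = {
    "steps": [{
        "id": "Build", "name": "gcr.io/cloud-builders/docker", "entrypoint": "/bin/bash",
        "args": ["-c", "docker run --network=cloudbuild -v /workspace:/workspace "
                       "gcr.io/kaniko-project/executor:latest --build-arg=GITHUBTOKEN=$$GITHUBTOKEN "
                       "--destination=gcr.io/$PROJECT_ID/myapp:$SHORT_SHA --context dir:///workspace/"],
        "secretEnv": ["GITHUBTOKEN"],
    }],
    "availableSecrets": {"secretManager": [
        {"versionName": "projects/$PROJECT_ID/secrets/github_machine_user_pat/versions/latest",
         "env": "GITHUBTOKEN"}]},
}

# Constructed config in the shape of the second answer's Kaniko step: exec form, no shell.
EXEC_FORM = {
    "steps": [{"name": "gcr.io/kaniko-project/executor:latest",
               "args": ["--destination=gcr.io/$PROJECT_ID/app:$SHORT_SHA",
                        "--build-arg=PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)"]}],
}

if __name__ == "__main__":
    for label, cfg in (("accepted", ACCEPTED), ("exec-form", EXEC_FORM)):
        print(label, lint_secret_usage(cfg) or ["ok"])
```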