Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update docker-credential-gcr to use /v2 #3017

Closed
chauncey-garrett opened this issue Feb 20, 2024 · 2 comments · Fixed by #3026
Closed

Update docker-credential-gcr to use /v2 #3017

chauncey-garrett opened this issue Feb 20, 2024 · 2 comments · Fixed by #3026
Labels
area/security dependencies Pull requests that update a dependency file kind/security priority/p0 Highest priority. Break user flow. We are actively looking at delivering it.

Comments

@chauncey-garrett
Copy link

The docker-credential-gcr go package is outdated and pinned to a version that's now roughly 8 months old (v2.1.8). In this code comment, there's a linked issue regarding the use of /v2 of the go package that's since been resolved.

The docker-credential-gcr repo's docs mention using

go get -u github.com/GoogleCloudPlatform/docker-credential-gcr/v2

It'd seem prudent to update to this for clarity. The latest of docker-credential-gcr is currently v2.1.22.

https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/tag/v2.1.22

It's also worth mentioning that we're currently unable to auth to GAR using kaniko's installed version of docker-credential-gcr. If we exec into a kaniko container and overwrite the docker-credential-gcr binary with the latest version, our issue goes away.

wget -qO- "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v2.1.22/docker-credential-gcr_linux_amd64-2.1.22.tar.gz" | tar xz docker-credential-gcr && \
    chmod +x docker-credential-gcr && \
    mv docker-credential-gcr /kaniko/
@aaron-prindle aaron-prindle mentioned this issue Feb 26, 2024
Merged
@aaron-prindle aaron-prindle added area/security priority/p0 Highest priority. Break user flow. We are actively looking at delivering it. dependencies Pull requests that update a dependency file kind/security labels Feb 26, 2024
@aaron-prindle
Copy link
Collaborator

Thanks for flagging this, submitted #3026 to resolve this.

@chauncey-garrett
Copy link
Author

Thank you for quickly fixing this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security dependencies Pull requests that update a dependency file kind/security priority/p0 Highest priority. Break user flow. We are actively looking at delivering it.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: update docker-credential-gcr to use v2 aaron-prindle/kaniko
2 participants
@chauncey-garrett @aaron-prindle