Include credential helper binaries in Docker image for crane

[Tommyf]

It would greatly ease using crane in a CI/CD pipeline if it was able to make use of the credential helpers mentioned in https://github.com/google/go-containerregistry/tree/master/pkg/authn

As it stands, you need to use another method to get the login credentials into the running container. Not a hard problem to solve, but not as elegant as using credential helpers, which is the recommended way anyway.

Kaniko bundles the common helpers (AWS, GCP) in, so it seems feasible to bundle them in to the official Crane docker image too.

[jonjohnsonjr]

That's an interesting idea. I'd be somewhat reluctant to maintain that kind of thing, since I don't have any personal interest in running stuff on AWS or Azure... I also don't want to bloat the image with unused credential helpers if we can avoid it.

If you're running on GCP, the gcrane version might work for you.

Ideally, we could reuse kaniko's work and just rebase our images onto their "credential helper" image.

I also don't love the idea of implicitly endorsing just AWS/GCP/Azure by having only support for their credential helpers, when there are so many other registries.

[Tommyf]

I understand not wanting to bloat. Is it possible to have some tag that includes credential helpers? Or does that also get too ugly to maintain?

I'm actually running on AWS. Otherwise, yeah, I would likely use the gcrane version.

Do the myriad of other registries also have credential helper tools? It's my understanding that these helpers exist for the cloud provider registries as they are primarily used when running somewhere with instance metadata exposed. That would narrow it down to just the bigger cloud provider hosted registries surely? Maybe that is still a big list...

[rcollette]

I'm piggy backing off of Kaniko this way.

FROM golang:1.15-alpine as build
RUN apk --no-cache add git && \
    CGO_ENABLED=0 GOOS=linux go get -u -ldflags '-extldflags "-static" -w -s' github.com/google/go-containerregistry/cmd/crane

FROM gcr.io/kaniko-project/executor:debug
COPY --from=build /go/bin/crane /usr/local/bin/crane
ENTRYPOINT [""]

(credit to Victor Noel here https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4712)

I added the necessary credential helper entries in /kaniko/.docker/config.json
If I go into the /kaniko directory, the crane commands work from there.

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

[timwsuqld]

/remove-lifecycle stale

[sachin2411]

Hello I am struggling to retag image built using kaniko in ECR using credential helper inside crane container.Issue I face 401 not authorized .Any leads would be appreciated

[sbp-bvanb]

Could someone indicate what is the current status of this?