feat: implement kaniko.imagePullSecret for pulling images from privat…

…e registry w/ auth (#9665) * feat: add config option kaniko.imagePullSecret * feat: pull kaniko images from private registry w/ pull secret * test: verify pod spec for kaniko.imagePullSecret * format test * add period to end of ImagePullSecret description * regenerate v4beta12 schema * fix indentation with gofmt --------- Co-authored-by: dherges <[email protected]>
GoogleContainerTools · Jan 15, 2025 · 7747647 · 7747647
1 parent 4459228
commit 7747647
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 3 deletions.
diff --git a/docs-v2/content/en/schemas/v4beta12.json b/docs-v2/content/en/schemas/v4beta12.json
@@ -2763,6 +2763,11 @@
           "description": "specify a file to save the image name with digest of the built image to.",
           "x-intellij-html-description": "specify a file to save the image name with digest of the built image to."
         },
+        "imagePullSecret": {
+          "type": "string",
+          "description": "name of the Kubernetes secret for pulling kaniko image and kaniko init image from a private registry.",
+          "x-intellij-html-description": "name of the Kubernetes secret for pulling kaniko image and kaniko init image from a private registry."
+        },
         "initImage": {
           "type": "string",
           "description": "image used to run init container which mounts kaniko context.",
@@ -2929,6 +2934,7 @@
         "target",
         "initImage",
         "image",
+        "imagePullSecret",
         "destination",
         "digestFile",
         "imageFSExtractRetry",

diff --git a/pkg/skaffold/build/cluster/pod.go b/pkg/skaffold/build/cluster/pod.go
@@ -95,6 +95,13 @@ func (b *Builder) kanikoPodSpec(artifact *latest.KanikoArtifact, tag string, pla
 		addSecretVolume(pod, kaniko.DefaultSecretName, b.ClusterDetails.PullSecretMountPath, b.ClusterDetails.PullSecretName)
 	}
 
+	// Add secret for pulling kaniko images from a private registry
+	if artifact.ImagePullSecret != "" {
+		pod.Spec.ImagePullSecrets = []v1.LocalObjectReference{{
+			Name: artifact.ImagePullSecret,
+		}}
+	}
+
 	// Add host path volume for cache
 	if artifact.Cache != nil && artifact.Cache.HostPath != "" {
 		addHostPathVolume(pod, kaniko.DefaultCacheDirName, kaniko.DefaultCacheDirMountPath, artifact.Cache.HostPath)

diff --git a/pkg/skaffold/build/cluster/pod_test.go b/pkg/skaffold/build/cluster/pod_test.go
@@ -181,9 +181,10 @@ func TestKanikoArgs(t *testing.T) {
 
 func TestKanikoPodSpec(t *testing.T) {
 	artifact := &latest.KanikoArtifact{
-		Image:          "image",
-		DockerfilePath: "Dockerfile",
-		InitImage:      "init/image",
+		Image:           "image",
+		DockerfilePath:  "Dockerfile",
+		InitImage:       "init/image",
+		ImagePullSecret: "image-pull-secret",
 		Destination: []string{
 			"gcr.io/foo/bar:test-1",
 			"gcr.io/foo/bar:test-2",
@@ -353,6 +354,9 @@ func TestKanikoPodSpec(t *testing.T) {
 					},
 				},
 			}},
+			ImagePullSecrets: []v1.LocalObjectReference{{
+				Name: "image-pull-secret",
+			}},
 			ServiceAccountName: "aVerySpecialSA",
 			SecurityContext: &v1.PodSecurityContext{
 				RunAsUser: &runAsUser,

diff --git a/pkg/skaffold/schema/latest/config.go b/pkg/skaffold/schema/latest/config.go
@@ -1471,6 +1471,9 @@ type KanikoArtifact struct {
 	// Defaults to the latest released version of `gcr.io/kaniko-project/executor`.
 	Image string `yaml:"image,omitempty"`
 
+	// ImagePullSecret is the name of the Kubernetes secret for pulling kaniko image and kaniko init image from a private registry.
+	ImagePullSecret string `yaml:"imagePullSecret,omitempty"`
+
 	// Destination is additional tags to push.
 	Destination []string `yaml:"destination,omitempty"`