Kaniko fails to push built image to a private registry with self-signed certificate #1539
Comments
It may be worth double-checking the
This has worked well for me in various contexts:
cat "$REGISTRY_CERT" >> /kaniko/ssl/certs/ca-certificates.crt # File at path in $REGISTRY_CERT contains all certs in chain

I have checked it several times. /kaniko/ssl/certs/ca-certificates.crt contains the preconfigured Root CAs necessary for communicating with gcr, docker hub etc. In skaffold one can't issue a command prior to calling kaniko executor (or it's just me). The solution I found that kind of fools kaniko is to mount a secret as /kaniko/ssl/certs/additional-ca-cert-bundle.crt. This I managed to get working so that the build starts but when trying to push the image, kaniko fails. I get the same result if I mount the secret in the pod (doesn't matter where exactly) and pass --registry-certificate argument to kaniko.

@netcho were you able to get this to work? I have tried adding the cert in /kaniko/ssl/certs/ca-certificates.crt but seem to be getting the same error. Any help would be greatly appreciated!

Anyone have updates on this? I'm running into cert issues with my pipeline that weren't happening previously (numerous successful builds over the past 6 months) and I'm kind of lost as to what my next steps should be. Nothing with my certs had changed, though I've made sure to insert certs and verify that they are in for both those in

Also got the same problem, any workaround? Tried to put the certificate after /kaniko/ssl/certs/ca-certificates.crt, but no luck.

Same issue, I wonder if old certs from the build time of kaniko itself are the issue.

Same problem here, we were using Kaniko in the last two years to build Docker images inside Gitlab runner jobs without any problems, but this week we have to update our Docker registry cert and this error started to happen. I can push to our private registry from k8s nodes and from my PC, but not from a pipeline job running Kaniko. It looks similar to #2281, however, the 1.9.2 version didn't fix it.

I have the same issue. This is not fixed, presumably?

As a workaround you can copy your private registry cert into the kaniko executor image.

We're running into the same issue, unfortunately @taislapta's suggestion didn't work either. We've tried:
Both of which should result in our custom cert living in
We are able to append our cert to
But this requires us to store the cert in every repo we want to build images for.

We are using a similar approach, but the CA cert comes from the build environment similar to your
We build with Jenkins, and the apps have a Jenkins pipeline that references our CA environment variable but do not need to store a cert in the app repo. It has been working well. We also derived a custom Kaniko container that had the cert pre-installed and that worked too, but opted for the solution above to avoid maintaining image updates.

If you notice the Dockerfile script in my first code block, that's exactly what we're trying to do! But the kaniko image that kaniko builds doesn't end up with the cert installed. We found a root cause in our case being the

I have this issue when I try to build a kaniko extended image with the arg
Actual behavior
When building an image with skaffold, kaniko fails to push the image after it has built it. The build process goes fine but when the image has to be pushed to the registry, I get the following error:
failed to build: getting image: Get "https://registry.home/v2/": x509: certificate signed by unknown authority
I have specified a certificate file with --registry-certificate flag via skaffold.yaml. The registry uses a certificate chain with the following order:
Root CA -> Intermediate CA -> Server cert.
I have also tried mounting the certificate chain as /kaniko/ssl/certs/additional-ca-cert-bundle.crt but kaniko fails with the same error.
Expected behavior
Kaniko should successfully push the image to registry.
To Reproduce
Steps to reproduce the behavior:
Additional Information
Dockerfile
FROM node:10 AS build-env
ADD . /app
WORKDIR /app
RUN npm install --only=production
FROM gcr.io/distroless/nodejs:10
COPY --from=build-env /app /app
WORKDIR /app
CMD ["server.js"]
A sample nodejs app
Logs from the build: https://paste2.org/bLvmzUEN
Kaniko Image: latest debug
Triage Notes for the Maintainers
--cache flag
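The trust decision behind the reported error, as an added example in Go (the language kaniko is written in) that is not code from the issue or from kaniko: it builds a constructed Root CA -> Intermediate CA -> registry.home chain in memory and verifies the server certificate against different CA bundle contents. The helper names `issue`, `pool` and `Demo` are hypothetical, and how kaniko itself loads `--registry-certificate` is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test cert signed by parent (self-signed if nil); no dns names means a CA.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: dns, IsCA: len(dns) == 0,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func pool(certs ...*x509.Certificate) *x509.CertPool { // stands in for a PEM bundle file
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// Demo verifies the server cert with: root only in the bundle, root+intermediate in the bundle, root only but intermediate sent by the server.
func Demo() (rootOnly, wholeChain, serverSendsIntermediate error) {
	root, rk := issue("Root CA", nil, nil)
	mid, mk := issue("Intermediate CA", root, rk)
	leaf, _ := issue("registry.home", mid, mk, "registry.home")
	verify := func(bundle, sent *x509.CertPool) error {
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: "registry.home", Roots: bundle, Intermediates: sent})
		return err
	}
	return verify(pool(root), nil), verify(pool(root, mid), nil), verify(pool(root), pool(mid))
}

func main() { fmt.Println(Demo()) }
```

In this example only the first configuration fails, and it fails with the same error text as in the report: a bundle holding just the root cannot verify a server certificate whose intermediate is neither in the bundle nor sent by the server.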