
Gitlab runner with Kaniko and gcloud sdk

I want to build docker images on Gitlab and use Kaniko for it.

It works great when I just have the Dockerfile and code from the repo. The problem starts when, before building, I want to access GCP Secret Manager and get values for this build.

We are building images directly on Gitlab and storing them in GCR.io.

Below is an example gitlab-ci.yml config. When we use image: docker it works, as we can use curl etc. and install the Cloud SDK. But with Kaniko it's not possible.

dev-build-docker:
  stage: build-docker-image
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  environment: Develop
  only:
    changes:
      - xxxxxxxxxxxx
    refs:
      - develop
  services:
    - docker:dind
  before_script:
    - source vars/.variables
    - echo $CICD_SA_KEY > ${CI_PROJECT_DIR}/service_key.json
    - export GOOGLE_APPLICATION_CREDENTIALS=${CI_PROJECT_DIR}/service_key.json
  script:
    - apk --no-cache add curl
    - apk add bash
    - curl https://sdk.cloud.google.com > install.sh
    - apt install -y python3
    - ./install.sh --disable-prompts
    - export PATH=$PATH:/root/google-cloud-sdk/bin
    - gcloud auth activate-service-account --key-file ${CI_PROJECT_DIR}/service_key.json
    - mkdir creds
    - gcloud secrets versions access latest --project=$projectid_dev --secret=xxxxxxxx > creds/dbpass
    - DB_PASS=$(cat creds/dbpass)
    - gcloud secrets versions access latest --project=$projectid_dev --secret=xxxxxxxxxx-key > creds/creds.2.json
    - gcloud secrets versions access latest --project=$projectid_dev --secret=zzzzzzzzzzzzzz-key > creds/creds.1.json

    # end of gcloud
    - /kaniko/executor --context "$(pwd)" --dockerfile "$(pwd)/Dockerfile" --destination eu.gcr.io/$projectid_dev/xxxxxxxxxxxx:$TAG --destination eu.gcr.io/$projectid_dev/xxxxxxxxxxxx:latest --build-arg NODE_ENV=production --build-arg DB_PASS=$DB_PASS

Kaniko uses busybox and I don't see a way to install the GCP SDK and access secrets. Did anyone manage to use gcloud commands before the Kaniko executor?

Because of the nature of kaniko, the approach you are looking for is not possible. The main reason, as you have already noticed, is that busybox has a limited tool set and it is not possible to install gcloud with its dependencies.

For example, say you download the archive version of gcloud and build your own kaniko image, copying in the Cloud SDK binaries; you then notice that you also need Python, which means compiling it, and this in turn requires more libraries and dependencies. In the end this is not very convenient and makes the kaniko image very big.

So in the end the best option seems to be the Docker-in-Docker approach. Another workaround, which implies an additional step, is to build your own kaniko image which contains your secrets, for example:

# Stage 1: fetch the secret with the Cloud SDK image, where gcloud is available
FROM gcr.io/google.com/cloudsdktool/cloud-sdk as secrets
WORKDIR /secrets
# key.json must be in the build context; it stays in this intermediate stage only
COPY ./key.json .
RUN gcloud auth activate-service-account --key-file=/secrets/key.json
RUN gcloud secrets versions access latest --project=PROJECT_ID --secret=SECRET > /secrets/creds_2.json

# Stage 2: the kaniko image the CI job will run in
FROM gcr.io/kaniko-project/executor:debug
WORKDIR /build
# the fetched secret becomes a layer of this image: restrict who can pull it
COPY --from=secrets /secrets/creds_2.json .
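As an added example (not part of the original question or answer), the following gitlab-ci.yml wires the workaround above into a pipeline: a first job builds the custom kaniko image from the answer's Dockerfile, and a second job runs the application build inside that image and reads the fetched secret from /build/creds_2.json. The directory kaniko-secrets/, the image name kaniko-with-secrets, the application image name app, and the CI/CD variables $CICD_SA_KEY and $projectid_dev are assumptions for illustration. Two caveats a practitioner should keep in mind: the secret is stored in a layer of the kaniko-with-secrets image, so access to that registry path must be restricted and the tag removed after use, and a value passed with --build-arg is recorded in the resulting image's build history, so it is visible to anyone who can pull the application image.

```yaml
# Added example: two-job pipeline implementing the custom-kaniko-image workaround.
# Assumed layout: the answer's Dockerfile lives at kaniko-secrets/Dockerfile and
# expects key.json next to it. $CICD_SA_KEY and $projectid_dev are assumed to be
# project-level CI/CD variables (not sourced from a file, so they can be used in image:).
stages:
  - build-kaniko-image
  - build-docker-image

variables:
  # Hypothetical per-pipeline tag so a stale secret is not reused by later pipelines.
  KANIKO_WITH_SECRETS: eu.gcr.io/$projectid_dev/kaniko-with-secrets:$CI_PIPELINE_ID

build-kaniko-with-secrets:
  stage: build-kaniko-image
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  before_script:
    # kaniko reads GOOGLE_APPLICATION_CREDENTIALS to authenticate the push to GCR.
    - echo "$CICD_SA_KEY" > "$CI_PROJECT_DIR/service_key.json"
    - export GOOGLE_APPLICATION_CREDENTIALS="$CI_PROJECT_DIR/service_key.json"
    # The Dockerfile's first stage does COPY ./key.json, so place the key in its context.
    - cp "$CI_PROJECT_DIR/service_key.json" "$CI_PROJECT_DIR/kaniko-secrets/key.json"
  script:
    # Builds the two-stage Dockerfile; only creds_2.json reaches the final image.
    - >
      /kaniko/executor
      --context "$CI_PROJECT_DIR/kaniko-secrets"
      --dockerfile "$CI_PROJECT_DIR/kaniko-secrets/Dockerfile"
      --destination "$KANIKO_WITH_SECRETS"

dev-build-docker:
  stage: build-docker-image
  image:
    # The image built one stage earlier; it is kaniko plus /build/creds_2.json.
    name: $KANIKO_WITH_SECRETS
    entrypoint: [""]
  needs: ["build-kaniko-with-secrets"]
  only:
    refs:
      - develop
  before_script:
    - echo "$CICD_SA_KEY" > "$CI_PROJECT_DIR/service_key.json"
    - export GOOGLE_APPLICATION_CREDENTIALS="$CI_PROJECT_DIR/service_key.json"
  script:
    # No gcloud needed here: the secret was fetched when the kaniko image was built.
    - DB_PASS="$(cat /build/creds_2.json)"
    # Note: --build-arg values are recorded in the image's build history.
    - >
      /kaniko/executor
      --context "$CI_PROJECT_DIR"
      --dockerfile "$CI_PROJECT_DIR/Dockerfile"
      --destination "eu.gcr.io/$projectid_dev/app:$CI_COMMIT_SHORT_SHA"
      --build-arg NODE_ENV=production
      --build-arg DB_PASS="$DB_PASS"
```

The `entrypoint: [""]` override is what lets GitLab run the script lines in the busybox shell of the kaniko debug image; the folded `>` scalars keep each executor invocation on one command line.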
