Add skip tls verify option to kaniko builder

I was able to recreate the error in GoogleContainerTools#1961 by using a kaniko image without a cert & pushing to an unauthenticated registry in Cloud Run. Adding this flag resolves that bug.
priyawadhwa · Oct 2, 2019 · d50f1e4 · d50f1e4
1 parent 08551a7
commit d50f1e4
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/pkg/skaffold/build/cluster/kaniko.go b/pkg/skaffold/build/cluster/kaniko.go
@@ -27,6 +27,7 @@ import (
 	"github.com/GoogleContainerTools/skaffold/pkg/skaffold/kubernetes"
 	"github.com/GoogleContainerTools/skaffold/pkg/skaffold/schema/latest"
 	"github.com/GoogleContainerTools/skaffold/pkg/skaffold/util"
+	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -139,5 +140,21 @@ func args(artifact *latest.KanikoArtifact, context, tag string) ([]string, error
 		args = append(args, "--reproducible")
 	}
 
+	if artifact.SkipTLS {
+		reg, err := artifactRegistry(tag)
+		if err != nil {
+			return nil, err
+		}
+		args = append(args, "--skip-tls-verify-registry", reg)
+	}
+
 	return args, nil
 }
+
+func artifactRegistry(i string) (string, error) {
+	ref, err := name.ParseReference(i)
+	if err != nil {
+		return "", err
+	}
+	return ref.Context().RegistryStr(), nil
+}
diff --git a/pkg/skaffold/schema/latest/config.go b/pkg/skaffold/schema/latest/config.go
@@ -725,6 +725,9 @@ type KanikoArtifact struct {
 
 	// Reproducible is used to strip timestamps out of the built image.
 	Reproducible bool `yaml:"reproducible,omitempty"`
+
+	// SkipTLS skips TLS verification when pulling and pushing the image.
+	SkipTLS bool `yaml:"skipTLS,omitempty"`
 }
 
 // DockerArtifact *beta* describes an artifact built from a Dockerfile,