The instructions for using Kaniko in GCB use the exec form of the kaniko project builder, like this:
- id: 'Build (with Kaniko Cache)'
  name: 'gcr.io/kaniko-project/executor:latest'
  args:
  - --destination=$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA
  - --cache=true
  - --cache-ttl=6h
But I'm using it to replace a docker build, in which I circumvent the exec form of usage in order to inject a build arg (an access token from the Secret Manager) as described here and here.
- id: 'Build'
  name: gcr.io/cloud-builders/docker
  entrypoint: 'bash'
  args:
  - '-c'
  - |
    docker build --cache-from $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA --build-arg PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt) -t $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME:$SHORT_SHA .
I've tried defining a bash entrypoint but that's not found, so I'm stuck. Is it even possible to run the non-exec form?
Note: It is possible to access the secret in a file within the container instead of via a build arg, but that would mean changing the setup for my developers to all have that secret file in order to build their development images locally, which I could, but really don't want, to do.
I solved it using docker run:
- id: Build
  name: gcr.io/cloud-builders/docker
  entrypoint: /bin/bash
  args:
  - -c
  - |
    docker run \
      --network=cloudbuild \
      -v /workspace:/workspace \
      gcr.io/kaniko-project/executor:latest \
      --dockerfile /workspace/Dockerfile \
      --build-arg=GITHUBTOKEN=$$GITHUBTOKEN \
      --destination=gcr.io/$PROJECT_ID/myapp:$SHORT_SHA \
      --cache=true \
      --context dir:///workspace/
  secretEnv: ['GITHUBTOKEN']
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/github_machine_user_pat/versions/latest
    env: GITHUBTOKEN
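Both the original `docker build` step and the kaniko replacement pass the token as a `--build-arg`, and the classic docker builder records build-arg values in the `created_by` field of each RUN layer's history (`|N NAME=value /bin/sh -c ...`), so the token can end up in the pushed image's metadata. The following is an added check, not part of the question or answer, that scans an image config blob (as printed by `crane config IMAGE`, an assumed tool invocation) for a secret build arg's value in layer history or in `config.Env`; the config blob and token below are constructed placeholders.

```python
import json
import re

# Constructed sample, not a real image: an OCI image config blob. The RUN layer was
# built with --build-arg PERSONAL_ACCESS_TOKEN_GITHUB=<token>; the token is a placeholder.
SAMPLE_CONFIG_BLOB = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ARG PERSONAL_ACCESS_TOKEN_GITHUB", "empty_layer": True},
        {"created_by": "|1 PERSONAL_ACCESS_TOKEN_GITHUB=ghp_PLACEHOLDER /bin/sh -c "
                       "git clone https://x-access-token:"
                       "$PERSONAL_ACCESS_TOKEN_GITHUB@github.com/example/private-lib.git"},
        {"created_by": "/bin/sh -c #(nop) CMD [\"python\" \"app.py\"]", "empty_layer": True},
    ],
})

# Build-arg names used on this page that must never be persisted with a value.
SECRET_ARG_NAMES = ("PERSONAL_ACCESS_TOKEN_GITHUB", "GITHUBTOKEN")


def find_build_arg_leaks(config_blob, secret_arg_names=SECRET_ARG_NAMES):
    """Return (location, arg_name) pairs for every place the image config records
    a secret build arg's value: a layer's created_by ('|N NAME=value ...') or
    config.Env (when the Dockerfile did ENV NAME=$NAME)."""
    cfg = json.loads(config_blob)
    leaks = []
    # 'NAME=' means a value follows; the bare 'ARG NAME' declaration and a
    # '$NAME' shell reference in the command text do not match.
    patterns = {name: re.compile(r"(?<![\w$])" + re.escape(name) + r"=")
                for name in secret_arg_names}
    for idx, entry in enumerate(cfg.get("history", [])):
        text = entry.get("created_by", "")
        for name, pat in patterns.items():
            if pat.search(text):
                leaks.append((f"history[{idx}]", name))
    for var in cfg.get("config", {}).get("Env", []):
        for name in secret_arg_names:
            if var.startswith(name + "="):
                leaks.append(("config.Env", name))
    return leaks


def image_is_clean(config_blob, secret_arg_names=SECRET_ARG_NAMES):
    """True when no secret build arg value is persisted in the image metadata."""
    return not find_build_arg_leaks(config_blob, secret_arg_names)


if __name__ == "__main__":
    for where, name in find_build_arg_leaks(SAMPLE_CONFIG_BLOB):
        print(f"LEAK: value of build arg {name} recorded in {where}")
```

Run it against the config of the image kaniko pushed before the image is promoted; a non-empty result means the token must be rotated and the secret delivered to the build some other way than a build arg that a RUN layer consumes.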