git kubernetes azure-devops kaniko

Kaniko with Azure DevOps Context


I am trying to run kaniko builds on Kubernetes.

containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args: ["--context=https://dev.azure.com/",
            "--destination=build:1.0.0",
            "--dockerfile=dockerfile"]

The source repo is on Azure DevOps and is only reachable via HTTP or SSH.

As far as I understand, I will have to set http.extraHeader to use PAT authentication:

https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Linux

git -c http.extraHeader="Authorization: Basic ${B64_PAT}" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName 

Is there a way to handle the authentication via environment variables or some kind of wrapper for kaniko-project/executor?

I tried ssh://PAT@repo and combinations of the env variables GIT_TOKEN, GIT_USERNAME, GIT_PASSWORD.


Solution

  • Short answer: Yes, it's possible to use Kaniko with an Azure DevOps context.

    Detailed answer:

    Under the hood, Kaniko uses the "go-git" library (because Kaniko is written in Go). At the time of writing this answer, it's not possible for Kaniko to fetch the source code from an Azure DevOps repository because it appears that go-git does not work with Azure DevOps git repos (it doesn't implement the "multi-ack" protocol, which is used by Azure DevOps).

    The workaround for this is to use an "initContainer" with any image you want, where you can "git clone" your repo and let Kaniko consume it afterwards. Here's a link that can help you (and anyone else reading this post) to achieve this combination: https://github.com/GoogleContainerTools/kaniko/issues/719#issuecomment-1283407534

    Here's sample code showing how it helped me achieve that:

                # Init container to git clone the source code
                initContainers:
                - name: git-clone
                  image: alpine:3.18.0
                  command: ["sh", "-c"]
                  args:
                  - |
                    apk add --no-cache git && \
                    AUTH=\$(echo -n ":\$PAT_TOKEN" | base64) && \
                    git -c http.extraHeader="Authorization: Basic \$AUTH" clone --depth 1 $(Build.Repository.Uri) /workspace
                  env:
                    - name: GIT_TERMINAL_PROMPT
                      value: "0"
                    - name: PAT_TOKEN
                      value: YOUR_SECRET # Or, better, coming from a Secret
                  volumeMounts:
                  - name: build-context
                    mountPath: /workspace
                # Kaniko container
                containers:
                - name: kaniko
                  image: gcr.io/kaniko-project/executor:latest
                  args:
                  - "--dockerfile=Dockerfile"
                  - "--context=dir:///workspace"
                  - "--destination=build:1.0.0"
                  volumeMounts:
                  - name: build-context
                    mountPath: /workspace
                
                restartPolicy: Never
                volumes:
                - name: build-context
                  emptyDir: {}
    

    In this sample code, I use the initContainer to fetch the source code of my repo and populate the "/workspace" folder. Both Kaniko (main container) and "initContainer" use this volume as it is mounted on both sides (volumeMounts). Of course, feel free to adapt to your needs.
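
A variant of the answer's manifest with the PAT read from a Kubernetes Secret instead of a literal env value, added here as an example and not part of the original answer. The Pod name, the Secret name `azure-devops-pat`, its key `token` and the `REPO_URL` variable are assumptions; the repo URL is the placeholder from the question.

```yaml
# Added example, not the answer author's manifest.
# Assumed to exist beforehand (hypothetical name and key), created out of band so the
# PAT never lands in a manifest or in version control:
#   kubectl create secret generic azure-devops-pat --from-literal=token=<your PAT>
apiVersion: v1
kind: Pod
metadata:
  name: kaniko-build                 # hypothetical name
spec:
  restartPolicy: Never
  initContainers:
  - name: git-clone
    image: alpine:3.18.0
    command: ["sh", "-c"]
    args:
    - |
      set -eu                        # stop on the first failure or on an unset variable
      apk add --no-cache git
      # Basic auth with an empty user name; strip any line wrapping base64 adds for long tokens
      AUTH=$(printf ':%s' "$PAT_TOKEN" | base64 | tr -d '\n')
      git -c http.extraHeader="Authorization: Basic $AUTH" \
        clone --depth 1 "$REPO_URL" /workspace
    env:
    - name: GIT_TERMINAL_PROMPT      # fail instead of prompting when auth is rejected
      value: "0"
    - name: REPO_URL                 # placeholder URL from the question
      value: https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
    - name: PAT_TOKEN                # injected from the Secret, only into this container
      valueFrom:
        secretKeyRef:
          name: azure-devops-pat
          key: token
    volumeMounts:
    - name: build-context
      mountPath: /workspace
  containers:
  - name: kaniko                     # never receives the PAT, only the cloned files
    image: gcr.io/kaniko-project/executor:latest
    args:
    - "--dockerfile=Dockerfile"
    - "--context=dir:///workspace"
    - "--destination=build:1.0.0"
    volumeMounts:
    - name: build-context
      mountPath: /workspace
  volumes:
  - name: build-context
    emptyDir: {}
```

Because the header is passed with `-c` rather than written to the repository config, the PAT is not stored in `/workspace/.git/config` and so is not part of the build context Kaniko reads.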