docker, gitlab-ci, nexus, kaniko

Kaniko not able to auth against Nexus OSS


We're facing an issue where we cannot push Docker images to our Nexus registry using kaniko. Below I have provided a minimal repro. We're using Nexus OSS 3.49.0-02.

It results in a 404 using a malformed URL pattern for accessing the v2 Docker API:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try
again: checking push permission for "private.registry.com/repository/imagename:tag": creating push check transport for 
private.registry.com failed: GET https://private.registry.com/v2/: unexpected status code 404 Not Found: 
...[html]...

Our Gitlab-CI script part looks like this:

- echo "{\"auths\":{\"private.registry.com\":{\"auth\":\"$NEXUS_DEPLOY_USER_PW_BASE64\"}}}" > /kaniko/.docker/config.json
- /kaniko/executor
      --context "${CI_PROJECT_DIR}/frontend"
      --dockerfile "${CI_PROJECT_DIR}/frontend/Dockerfile.app-builder"
      --build-arg=CI_COMMIT_SHA=$CI_COMMIT_SHA
      --build-arg=CI_COMMIT_BRANCH=$CI_COMMIT_BRANCH
      --build-arg=CI_COMMIT_TAG=$CI_COMMIT_TAG
      --destination "$BASE_URL/app-ui:$APP_VERSION"
      --destination "$BASE_URL/app-ui:$BRANCH_TAG"
      --destination "$BASE_URL/app-ui"

It is also not working with non-Base64 encoded credentials NEXUS_DEPLOY_USER_PW_BASE64. So I provided non-base64 auth in the reproduction example.

Reproduction:

Dockerfile

FROM gcr.io/kaniko-project/executor:v1.14.0-debug

ADD Dockerfile.test Dockerfile.test

ARG REGISTRY_URL=[YOUR_NEXUS_URL]/repository/dockercontainer
ARG REGISTRY_USER=[your credential]
ARG REGISTRY_PASSWORD=[your credential]

RUN echo "{\"auths\":{\"$REGISTRY_URL\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json

RUN /kaniko/executor --context "." --dockerfile "Dockerfile.test" --destination "${REGISTRY_URL}/test:latest"

CMD [ "echo", "Hello World" ]

Dockerfile.test

FROM alpine:latest
CMD [ "echo", "Hello World" ]

Folder structure

In the kaniko dir, run docker build .

kaniko
  |__ Dockerfile
  |__ Dockerfile.test

Solution

  • This exact case is described in the official docs

    There is no way to give the Docker client the application context path or base registry path. Docker needs the registry exposed at the root of the host + port that it is accessing.

    Check reverse proxy strategies for guidance, but it usually boils down to:

    1. Specify http or https port for your repository in nexus, i.e. as http port 8081
    2. Use it as-is in kaniko, i.e. as private.registry.com:8091/imagename:tag
    3. (Or) Configure reverse-proxy to redirect requests from repository.private.registry.com to private.registry.com:8091, and then use repository.private.registry.com/imagename:tag in kaniko

    Slightly off-topic, but you can also get rid of Nexus and use Harbor instead, which supports the private.registry.com/repository/imagename:tag scenario out of the box.
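
How a registry client splits an image reference into host, ping URL and repository name, as an added example that is not part of the original question or answer. Function names are hypothetical; only references with an explicit registry host are handled, and a `base64` utility is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# registry_host REF -> host[:port] a registry client derives from REF.
# The first path component counts as the registry only if it contains "."
# or ":". Anything else (Docker Hub shorthand) is out of scope: return 1.
registry_host() {
    case $1 in
        */*) first=${1%%/*} ;;
        *)   return 1 ;;
    esac
    case $first in
        *.*|*:*) printf '%s\n' "$first" ;;
        *)       return 1 ;;
    esac
}

# ping_url REF -> URL probed before a push. No path segment of REF ever
# appears in front of /v2/, so "/repository/..." cannot select a Nexus repo.
ping_url() {
    host=$(registry_host "$1") || return 1
    printf 'https://%s/v2/\n' "$host"
}

# repo_name REF -> repository name requested under /v2/ (tag/digest removed).
repo_name() {
    registry_host "$1" >/dev/null || return 1
    name=${1#*/}          # drop host
    name=${name%%@*}      # drop @digest
    case ${name##*/} in
        *:*) name=${name%:*} ;;   # drop :tag from the last component
    esac
    printf '%s\n' "$name"
}

# auth_config REF USER PASSWORD -> config.json body keyed by host[:port]
# only. base64 output needs no JSON escaping, unlike a raw password.
auth_config() {
    host=$(registry_host "$1") || return 1
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$host" "$auth"
}

# Constructed sample references taken from the question and the answer.
for ref in private.registry.com/repository/imagename:tag \
           private.registry.com:8091/imagename:tag; do
    printf '%s -> %s (repo %s)\n' "$ref" "$(ping_url "$ref")" "$(repo_name "$ref")"
done
```

The first reference yields the same `https://private.registry.com/v2/` request that returned 404 in the question, while the connector-port form puts the port into the host part, so the `/v2/` probe reaches the Docker connector directly.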