Trying to use the kaniko-gcr plugin to build and publish to gcr.io on a k8s cluster running workload identity, it fails.
The plugin code implements a number of checks that are actually not necessary and break the auth flow towards Google.
Basically it works perfectly if just this entire function is removed from the code drone-kaniko/main.go at main · drone/drone-kaniko · GitHub
(I’ve successfully tried it)
Any interest in fixing this in the official images? I guess the only thing really needed is not failing after this check, but rather letting the Google ecosystem figure out what to do.
As it is now, where it always sets the GOOGLE_APPLICATION_CREDENTIALS env variable, it forces the Google code to use that since it’s the highest priority in their flow, but by not setting it when the JSON isn’t present it allows it to fall back to the next auth mechanism.
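As an added example (not the plugin's own code, and not code from the post above), here is a Go sketch of the behaviour the post asks for: write the key file and export GOOGLE_APPLICATION_CREDENTIALS only when a JSON key was actually supplied, and otherwise do nothing, so that Google's Application Default Credentials chain (the env variable first, then the gcloud well-known file, then the instance metadata server, which is what Workload Identity uses on GKE) can fall through on its own. The function name setupGoogleAuth, the file name gcr-credentials.json and the PLUGIN_JSON_KEY setting name are assumptions for illustration, not drone-kaniko's actual identifiers.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// credentialsEnv is the variable the Google client libraries check first
// when resolving Application Default Credentials. Setting it pins the
// libraries to that file and disables every fallback after it.
const credentialsEnv = "GOOGLE_APPLICATION_CREDENTIALS"

// setupGoogleAuth (hypothetical name) writes jsonKey to a file in dir and
// exports GOOGLE_APPLICATION_CREDENTIALS pointing at it. When jsonKey is
// empty it neither fails nor touches the environment, so the ADC chain can
// continue to the metadata server (Workload Identity) or any other source
// the cluster provides. It returns the path it exported, or "" if none.
func setupGoogleAuth(jsonKey, dir string) (string, error) {
	if jsonKey == "" {
		// Deliberately do nothing: exporting the variable is exactly what
		// prevents the fallback, and failing here is the reported bug.
		return "", nil
	}
	path := filepath.Join(dir, "gcr-credentials.json") // assumed file name
	// 0600: the key is a long-lived secret; keep it out of other users' reach.
	if err := os.WriteFile(path, []byte(jsonKey), 0o600); err != nil {
		return "", fmt.Errorf("writing credentials file: %w", err)
	}
	if err := os.Setenv(credentialsEnv, path); err != nil {
		return "", fmt.Errorf("exporting %s: %w", credentialsEnv, err)
	}
	return path, nil
}

func main() {
	dir, err := os.MkdirTemp("", "kaniko-auth")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)

	// PLUGIN_JSON_KEY is an assumed setting name for the service-account key.
	path, err := setupGoogleAuth(os.Getenv("PLUGIN_JSON_KEY"), dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if path == "" {
		fmt.Println("no JSON key supplied; leaving ADC to fall back to the metadata server / Workload Identity")
	} else {
		fmt.Println("using service-account key at", path)
	}
}
```

The point of the example is what it does not do: there is no error branch for a missing key and no unconditional Setenv, which is the "doing less" the post describes.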
Workload identity is not currently supported by this plugin. If you are interested in enhancing the plugin to support additional authentication options, please consider sending a pull request to drone/drone-kaniko.
I cannot recommend a design (I did not write this plugin, and I’ve never used Kaniko) however, the plugin authors should be able to review your draft pull request and recommend any necessary changes.
It’s a one-line fix I think, and I’d be happy to open a PR if the maintainers are interested. Was going to open an issue on github to have a discussion on it first, but that doesn’t seem possible?
(there’s some extra administrative work required on my side to actually contribute code back, so before going through that process I want to know the fix is actually wanted)
I think considering workload identity supported/not supported is the wrong way to approach the problem, the google ecosystem has a number of authentication methods and anything built towards that should lean against the default behavior rather than enforcing a subset of it. (It’s actually about doing less rather than extra effort)