Fix support for insecure registry

[guilhermebr]

fixes #168

[dlorenc]

What's left on this?

[guilhermebr]

This PR needs google/go-containerregistry#125

[dlorenc]

@guilhermebr are you still planning on fixing this?

[guilhermebr]

@dlorenc Yes I will back this week to solve this! sorry for the delay

[StephenLiuYa]

I'm looking forward to this.

[shashankkoppar]

Is there any progress on this one?

[asvasyanin]

Any updates?

[guilhermebr]

Waiting for google/go-containerregistry#125

[diclophis]

You can install your own set of root-certificates and volume map them into the kaniko deployment as a possible alternative to using HTTP or ignoring bad SSL...

---
apiVersion: v1
kind: Pod
metadata:
  name: kaniko-build
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:
  containers:
  - image: gcr.io/kaniko-project/executor:latest
    imagePullPolicy: IfNotPresent
    name: kaniko-build
    args: [...]
    volumeMounts:
    - mountPath: /kaniko/ssl/certs
      name: ca-certificates
  restartPolicy: Never
  volumes:
  - configMap:
      name: ca-certificates
    name: ca-certificates
...

I extract my CA authorities from a known good source, and then build a configmap mentioned above:

kubectl create configmap ca-certificates --from-file=ca-certificates.crt --from-file=ca.private.crt

For example, the ca trust chain is typically found on FROM ubuntu:bionic-20180526 at /etc/ssl/certs/ca-certificates.crt ...

[dlorenc]

Waiting for google/go-containerregistry#125

👍 3

I think the change got into go-containerregistry now, still interested in porting it over here now?

[amit-uc]

When is this issue going to be resolved?

[guilhermebr]

PTAL @dlorenc

[priyawadhwa]

LGTM, thanks for fixing this!