Look for usable on-cluster credentials using k8schain

[imjasonh]

This updates deps and uses k8schain and NewMultiKeychain to attempt to authorize pushes using available image pull secrets.

This change isn't ready to merge, I just wanted to get some initial feedback about the plan and maybe ideas about how I should go about testing this.

[imjasonh]

Just tried this on my cluster, and got this:

time="2018-07-19T00:24:38Z" level=error msg="serviceaccounts \"default\" is forbidden: User \"system:serviceaccount:default:default\" cannot get serviceaccounts in the namespace \"default\": Unknown user \"system:serviceaccount:default:default\""

Reproducing with this pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: build-pod
spec:
  restartPolicy: Never
  initContainers:
  - image: gcr.io/cloud-builders/git
    name: 'git-clone'
    args: ['clone', 'https://gist.github.com/f1fb27779bc17009198e2cef946bf749.git', '/workspace']
    volumeMounts:
    - mountPath: /workspace
      name: workspace

  - image: gcr.io/jasonhall-kube/executor
    name: kaniko
    workingDir: /workspace
    args:
    - --destination=gcr.io/jasonhall-kube/built-with-kaniko-fixed
    volumeMounts:
    - mountPath: /workspace
      name: workspace

  containers:
  - image: ubuntu
    name: nop
    args: ['echo', 'done']

  volumes:
  - name: workspace
    emptyDir: {}

@mattmoor any ideas about what's going wrong here? I'm hoping that k8schain will enable me to push with the cluster's image pull secrets -- it's authorized to pull my kaniko executor image, but kaniko+k8schain isn't able to get to those secrets.

[priyawadhwa]

It looks like you changed the auth for getting base images, but not for pushing at the end of the build. That might be the issue?

[imjasonh]

Well that would certainly help, wouldn't it 😄

Unfortunately, I don't think that's the problem, since the failure seems to happen long before the image is built or pushed. The full logs from the failing container are:

$ kubectl logs build-pod -c kaniko
time="2018-07-19T01:10:02Z" level=info msg="appending to multi args gcr.io/jasonhall-kube/built-with-kaniko-fixed"
time="2018-07-19T01:10:02Z" level=info msg="Unpacking filesystem of golang:latest..."
time="2018-07-19T01:10:02Z" level=error msg="serviceaccounts \"default\" is forbidden: User \"system:serviceaccount:default:default\" cannot get serviceaccounts in the namespace \"default\": Unknown user \"system:serviceaccount:default:default\""

[mattmoor]

NewInCluster will use the pod's serviceaccount identity to try and talk to the API server and read secrets, you want this which I now realize isn't documented. Oops.

[imjasonh]

Oh okay. I'll give that a try. Sounds like we need better docs about which is useful in which scenarios, and maybe a rename, since I figured NewInCluster would be the one I wanted while trying to auth from in the cluster.

[imjasonh]

That worked! 🎉

[mattmoor]

This LGTM, thanks for jumping on this @imjasonh

[mattmoor]

FYI remote.WithTransport(http.DefaultTransport) is a nop

[priyawadhwa]

I just merged #244 which moved the auth for getting base images here. I think if you change that to use k8schain we should be good!

[imjasonh]

@priyawadhwa Rebased and updated image_util.go to use k8schain, this should be RFAL.

[mattmoor]

Very eager to see this land :)

thanks @imjasonh and @priyawadhwa

[priyawadhwa]

LGTM, thanks for making this change!