Default to empty secret path for Kaniko to use Workload Identity cred…

…entials Signed-off-by: vladimir.ivanov <vladimir.ivanov@grasshopperasia.com>
GoogleContainerTools · Apr 28, 2021 · d29c19f · d29c19f
1 parent e119e27
commit d29c19f
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/pkg/skaffold/build/cluster/pod.go b/pkg/skaffold/build/cluster/pod.go
@@ -122,14 +122,7 @@ func (b *Builder) kanikoPodSpec(artifact *latest.KanikoArtifact, tag string) (*v
 }
 
 func (b *Builder) env(artifact *latest.KanikoArtifact, httpProxy, httpsProxy string) []v1.EnvVar {
-	pullSecretPath := strings.Join(
-		[]string{b.ClusterDetails.PullSecretMountPath, b.ClusterDetails.PullSecretPath},
-		"/", // linux filepath separator.
-	)
 	env := []v1.EnvVar{{
-		Name:  "GOOGLE_APPLICATION_CREDENTIALS",
-		Value: pullSecretPath,
-	}, {
 		// This should be same https://github.com/GoogleContainerTools/kaniko/blob/77cfb912f3483c204bfd09e1ada44fd200b15a78/pkg/executor/push.go#L49
 		Name:  "UPSTREAM_CLIENT_TYPE",
 		Value: fmt.Sprintf("UpstreamClient(skaffold-%s)", version.Get().Version),
@@ -155,6 +148,18 @@ func (b *Builder) env(artifact *latest.KanikoArtifact, httpProxy, httpsProxy str
 		})
 	}
 
+	// if cluster.PullSecretName  is non-empty populate secret path and use as GOOGLE_APPLICATION_CREDENTIALS
+	if b.ClusterDetails.PullSecretName != "" {
+		pullSecretPath := strings.Join(
+			[]string{b.ClusterDetails.PullSecretMountPath, b.ClusterDetails.PullSecretPath},
+			"/", // linux filepath separator.
+		)
+		env = append(env, v1.EnvVar{
+			Name:  "GOOGLE_APPLICATION_CREDENTIALS",
+			Value: pullSecretPath,
+		})
+
+	}
 	return env
 }