Use pullSecretPath to set GOOGLE_APPLICATION_CREDENTIALS

[tejal29]

Fixes #3828

In this PR,

0. rename pullSecret to pullSecretPath
1. Use pullSecretPath specified in skaffold config to construct the GAC env variable.
2. Display a warning message when default kaniko secret path is used.
3. Added an integration test to specify kaniko secret name and secret path.

Output Changes
yes.

1. A warning is shown on user terminal whenever default pull secret path is applied.
   This could add to noise. We should follow it up when we add pod health check and determine kaniko pod failure.

Cases where, kaniko secret name pullSecretName is specified, pullSecretPath which points to path with in the volume mounted secret or local path to create secret from is not specifief

1. kaniko secret pullSecretName exists.

tejaldesai@tejaldesai-macbookpro2 kaniko (fix_kaniko_secret)../../out/skaffold dev -d gcr.io/tejal-test
Listing files to watch...
 - skaffold-example
Generating tags...
 - skaffold-example -> gcr.io/tejal-test/skaffold-example:v1.9.0-21-g897b49bd2
Checking cache...
 - skaffold-example: Not found. Building
Checking for kaniko secret [default/e2esecret]...
WARN[0000] Setting secret keyfile path to kaniko-secret. If this is incorrect, please specify using config key `pullSecret`.
See https://skaffold.dev/docs/references/yaml/#build-cluster-pullSecret 

2. kaniko secret pullSecretName does not exist and no pullSecretPath specified to create it from

Listing files to watch...
 - skaffold-example
Generating tags...
 - skaffold-example -> gcr.io/tejal-test/skaffold-example:v1.9.0-21-g897b49bd2-dirty
Checking cache...
 - skaffold-example: Not found. Building
Checking for kaniko secret [default/e2esecret-not-exists]...
Creating kaniko secret [default/e2esecret-not-exists]...
exiting dev mode because first build failed: setting up pull secret: secret e2esecret-not-exists does not exisit. No path specified to create it

3. Kaniko secret specified using pullSecretName. pullSecretPath points to the path within the secret volume.
   skaffold.yaml

tejaldesai@tejaldesai-macbookpro2 kaniko (fix_kaniko_secret)head skaffold.yaml 
apiVersion: skaffold/v2beta3
kind: Config
build:
  artifacts:
    - image: skaffold-example
      kaniko:
        cache: {}
  cluster:
    pullSecretName: e2esecret-with-path
    pullSecretPath: kaniko-secret.json

Skaffold logs

../../out/skaffold dev -d gcr.io/k8s-skaffold
Listing files to watch...
 - skaffold-example
Generating tags...
 - skaffold-example -> gcr.io/k8s-skaffold/skaffold-example:v1.9.0-21-g897b49bd2-dirty
Checking cache...
 - skaffold-example: Not found. Building
Checking for kaniko secret [default/e2esecret-with-path]...
Building [skaffold-example]...

Kaniko Pod description

kubectl describe po/kaniko-8t24q
Name:         kaniko-8t24q
Namespace:    default
Priority:     0
Node:         gke-integration-tests-default-pool-b6e32cfb-hqj3/10.128.15.201
Start Time:   Mon, 11 May 2020 13:36:07 -0700
Labels:       skaffold-kaniko=skaffold-kaniko
Annotations:  kubernetes.io/limit-ranger: LimitRanger plugin set: cpu request for container kaniko; cpu request for init container kaniko-init-container
Status:       Running
IP:           10.32.6.48
Init Containers:
  ....
Containers:
  kaniko:
    Container ID:  d...
    Host Port:     <none>
    Args:
      --dockerfile
      Dockerfile
      --context
      dir:///kaniko/buildcontext
      --destination
      gcr.io/k8s-skaffold/skaffold-example:v1.9.0-21-g897b49bd2-dirty
      -v
      info
      --cache=true
    State:          Running
      Started:      Mon, 11 May 2020 13:36:12 -0700
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:  100m
    Environment:
      GOOGLE_APPLICATION_CREDENTIALS:  /secret/kaniko-secret.json

[tstromberg]

/cc @yuwenma

[tejal29]

/cc @prary Would be able to try this branch? I want to make sure we don't break your existing workflow with this change.

[tejal29]

Hold off merging until @prary can verify.

[codecov]

Codecov Report

Merging #4147 into master will increase coverage by 0.02%.
The diff coverage is 90.32%.

@@            Coverage Diff             @@
##           master    #4147      +/-   ##
==========================================
+ Coverage   71.93%   71.95%   +0.02%     
==========================================
  Files         322      322              
  Lines       12313    12328      +15     
==========================================
+ Hits         8857     8871      +14     
- Misses       2896     2897       +1     
  Partials      560      560              

Impacted Files	Coverage Δ
pkg/skaffold/schema/latest/config.go	100.00% <ø> (ø)
pkg/skaffold/schema/defaults/defaults.go	90.72% <75.00%> (ø)
pkg/skaffold/build/cluster/secret.go	41.53% <86.66%> (+5.33%)	⬆️
pkg/skaffold/build/cluster/pod.go	87.84% <100.00%> (+0.27%)	⬆️
pkg/skaffold/schema/v2beta4/upgrade.go	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7731b62...f5db1db. Read the comment docs.

[balopat]

This looks like a bug to me - why don't we fall back to default pullsecret name?

[tejal29]

pullSecretName and pullSecret are two different configs

1. pullSecretName is used to indicate the secret name. The default is kaniko-secret and is only set if pullSecret is specified.
2. pullSecret refers to secret file path.

With this PR, pullSecret is used for a dual purpose.

1. To create a secret if it does not exist from the file specified in this value
2. To set GOOGLE_APPLICATION_CREDENTAILS env variable to this path when secret exists.

A bunch of tekton users, create secrets one time using a command like below.
See Additional Information in linked issue
A way to specify which path the secret lies at when using a secret is created using command if secret already exists.

kubectl create secret generic kaniko-secret --from-file=/Users/tejaldesai/workspace/keys/my-key.json

If a secret already exists, we should set the GOOGLE_APPLICATION_CREDENTAILS to path within the volume.

[tstromberg]

It sounds like pullSecret should be renamed to pullSecretPath.

[tejal29]

done! Renamed pullSecret to pullSecretPath

[balopat]

do we really want a warning here? I think a debug level is sufficient, as the user should only see this when there is something wrong. For those users who have 100% right with the default value, this just adds extra noise.

[tejal29]

it does add to extra noise. However, it is not documented very well that skaffold expects the secret to be at path kaniko-secret when creating a secret.
Untill, we can provide an actionable error, i feel the noise is fine.

[chanseokoh]

Should be pullSecretPath (not pullSecret) in the message, right?

[chanseokoh]

Just a thought: I presume there's a history for the name pullSecret. Although the skaffold.yaml reference documents that it's "for pulling base images and pushing the final image", but I've been thinking this can be confusing to some people. For example, #3828 was about pushing a final image to GCR.

[prary]

Hold off merging until @prary can verify.

will verify and update you guys asap.

[tejal29]

@prary ping! Can you please try this out? Let me know if i can help verify.

Thanks
Tejal

[prary]

Hi @tejal29
I did try it but it failed, my workspace broke in middle hence reason for failure is unknown. I will get back to you with proper analysis once workspace issue is resolved, apologies for the delay.

Thanks for informing about this PR.

[tstromberg]

It sounds like pullSecret should be renamed to pullSecretPath.

[kiran0707]

Hi,
Tested the change on behalf of @prary . It worked fine... the usual . it didnt break anything.

There is one thing that we have been seeing for past few skaffold versions.
At end of skaffold build, it tries to get the image ( i think for verifying whether image was pushed ), this thing results in error if this file $USERS_HOME/.docker/config.json is missing.

[tejal29]

Thanks @kiran0707 Will look into this.

[tstromberg]

Code looks good. Please check the PR title and description for accuracy.

[tejal29]

Code looks good. Please check the PR title and description for accuracy.

done. Can you take a look again.
Thanks

addressed comments