Requires authentication even for public registries

[samos123]

Currently when using a public image from GCR it will fail with trying to authenticate with Google Cloud. However for public images that shouldn't be needed.

Steps to reproduce:

1. Remove any authentication with gcloud. E.g. mv ~/.config/gcloud{,.bak}
2. Use go-containerregistry to pull an image from a public GCR repo

crane pull gcr.io/distroless/base-debian10 test.tgz
WARNING: Could not open the configuration file: [/home/stoelinga/.config/gcloud/configurations/config_default].
ERROR: (gcloud.auth.docker-helper) You do not currently have an active account selected.
Please run:

  $ gcloud auth login

to obtain new credentials, or if you have already logged in with a
different account:

  $ gcloud config set account ACCOUNT

to select an already authenticated account to use.
2020/01/29 16:40:05 error getting credentials - err: exit status 1, out: ``

Current result:
Failure telling you to authenticate with google cloud

Expected result:
Successfully pull down the image

[jonjohnsonjr]

Seems like you've configured a credential helper in ~/.docker/config.json (or $DOCKER_CONFIG) but it isn't set up properly.

We do eagerly get credentials for a registry, which is the cause of this error. If we deferred fetching creds until we actually got a 401, we could avoid this... which is definitely something we should do.

[tejal29]

@samos123, i ended up removing ~/.docker/config.json and ~/.config/gcloud. Looks like i was able to pull the image.

$mv ~/.config/gcloud ~/Desktop

$ls ~/.config/
configstore	gbackup		hub
$ls ~/.config/gbackup/
exclude		exclude.d	include

 $crane pull gcr.io/distroless/base-debian10 test.tgz
2020/01/29 16:59:55 No matching credentials were found, falling back on anonymous

$ls -alh test.tgz 
-rw-r--r--  1 tejaldesai  primarygroup   8.3M Jan 29 17:02 test.tgz

[samos123]

interesting then it must be something in Kaniko that we're doing incorrectly in relation to this library. Since on Travis CI, i did not configure the gcloud docker credential helper but it would still fail with a similar message that authentication with gcloud was needed.

[tejal29]

Thanks a lot @filesnate for debugging this.
I agree, we should replace config.json with empty file and other users who use private images can add their config as a volume mount inside cluster like this
or on the docker run command like you mentioned

Would you up for submitting a PR to remove credentials helper in from the executor image ?

[filesnate]

See GoogleContainerTools/kaniko#1125

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.