mz280: log used credential sources explicitly (#369)

mzihlmann · web-flow · commit 511f65c343a9 · 2025-11-14T08:54:15.000+07:00
diff --git a/README.md b/README.md
@@ -56,6 +56,7 @@ expect - see [Known Issues](#known-issues).
       - [Caching Layers](#caching-layers)
       - [Caching Base Images](#caching-base-images)
     - [Pushing to Different Registries](#pushing-to-different-registries)
+      - [Credential Provider Priorities](#credential-provider-priorities)
       - [Pushing to Docker Hub](#pushing-to-docker-hub)
       - [Pushing to Google GCR](#pushing-to-google-gcr)
       - [Pushing to GCR using Workload Identity](#pushing-to-gcr-using-workload-identity)
@@ -621,6 +622,11 @@ kaniko comes with support for GCR, Docker `config.json` and Amazon ECR, but
 configuring another credential helper should allow pushing to a different
 registry.
 
+#### Credential Provider Priorities
+
+By default kaniko will configure all built-in credential providers for you. These are `[default, env, google, ecr, acr, gitlab]`.
+You can (de)-activate credential helpers via the [`--credential-helpers`](#flag---credential-helpers) flag. The `default` credential helper will always be active and itself handles two sources: `DOCKER_AUTH_CONFIG` environment variable and `/kaniko/.docker/config.json` file, where priority is always given to `DOCKER_AUTH_CONFIG` and therefore can shadow credentials configured in the config file. If you want to disable `DOCKER_AUTH_CONFIG` you have to unset the environment variable explicitly `unset DOCKER_AUTH_CONFIG` prior to calling kaniko.
+
 #### Pushing to Docker Hub
 
 Get your docker registry user and password encoded in base64
diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go
@@ -187,7 +187,15 @@ var RootCmd = &cobra.Command{
 		}
 		if !opts.NoPush || opts.CacheRepo != "" {
 			if err := executor.CheckPushPermissions(opts); err != nil {
-				exit(fmt.Errorf("error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: %w", err))
+				logrus.Warnf("make sure you entered the correct tag name, that you are authenticated correctly, and try again.")
+				// mz280: remind users that DOCKER_AUTH_CONFIG gets prioritized by docker-cli
+				// https://github.com/docker/cli/pull/6171
+				_, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")
+				if ok {
+					logrus.Warnf("note that your DOCKER_AUTH_CONFIG env variable can shadow credentials from configfile")
+					logrus.Warnf("see https://github.com/osscontainertools/kaniko/issues/280#issuecomment-3498449955")
+				}
+				exit(fmt.Errorf("error checking push permissions: %w", err))
 			}
 		}
 		if err := resolveRelativePaths(); err != nil {
diff --git a/pkg/creds/creds.go b/pkg/creds/creds.go
@@ -17,26 +17,43 @@ limitations under the License.
 package creds
 
 import (
+	"fmt"
 	"io"
+	"os"
+	"strings"
 
 	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
 	"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 	gitlab "github.com/ePirat/docker-credential-gitlabci/pkg/credhelper"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/v1/google"
 	"github.com/osscontainertools/kaniko/pkg/config"
+	"github.com/osscontainertools/kaniko/pkg/util"
 	"github.com/sirupsen/logrus"
 )
 
 // GetKeychain returns a keychain for accessing container registries.
 func GetKeychain(opts *config.RegistryOptions) authn.Keychain {
 	var helpers []string
+	var prios []string
+
+	_, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")
+	if ok {
+		prios = append(prios, "env:DOCKER_AUTH_CONFIG")
+	}
+
+	cf := util.DockerConfLocation()
+	_, err := os.Lstat(cf)
+	if err == nil {
+		prios = append(prios, fmt.Sprintf("file:%s", cf))
+	}
 
 	if len(opts.CredentialHelpers) == 0 {
 		helpers = []string{"env", "google", "ecr", "acr", "gitlab"}
 	} else {
 		helpers = opts.CredentialHelpers
 	}
+	prios = append(prios, helpers...)
 
 	keychains := []authn.Keychain{authn.DefaultKeychain}
 	for _, source := range helpers {
@@ -72,5 +89,6 @@ func GetKeychain(opts *config.RegistryOptions) authn.Keychain {
 		}
 	}
 
+	logrus.Infof("credential providers by priority: [%s]", strings.Join(prios, ", "))
 	return authn.NewMultiKeychain(keychains...)
 }

Original file line number	Diff line number	Diff line change
`@@ -187,7 +187,15 @@ var RootCmd = &cobra.Command{`
`187`	`187`	`}`
`188`	`188`	`if !opts.NoPush \|\| opts.CacheRepo != "" {`
`189`	`189`	`if err := executor.CheckPushPermissions(opts); err != nil {`
`190`		`- exit(fmt.Errorf("error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: %w", err))`
	`190`	`+ logrus.Warnf("make sure you entered the correct tag name, that you are authenticated correctly, and try again.")`
	`191`	`+ // mz280: remind users that DOCKER_AUTH_CONFIG gets prioritized by docker-cli`
	`192`	`+ // https://github.com/docker/cli/pull/6171`
	`193`	`+ _, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")`
	`194`	`+ if ok {`
	`195`	`+ logrus.Warnf("note that your DOCKER_AUTH_CONFIG env variable can shadow credentials from configfile")`
	`196`	`+ logrus.Warnf("see https://github.com/osscontainertools/kaniko/issues/280#issuecomment-3498449955")`
	`197`	`+ }`
	`198`	`+ exit(fmt.Errorf("error checking push permissions: %w", err))`
`191`	`199`	`}`
`192`	`200`	`}`
`193`	`201`	`if err := resolveRelativePaths(); err != nil {`