GitLabCI Kaniko on shared runner "error checking push permissions -- make sure you entered the correct tag name"

Question

This similar question is not applicable because I am not using Kubernetes or my own registered runner.

I am attempting to build a Ruby-based image in my GitLabCI pipeline in order to have my gems pre-installed for use by subsequent pipeline stages. In order to build this image, I am attempting to use Kaniko in a job that runs in the .pre stage.

build_custom_dockerfile:
  stage: .pre
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  variables:
    IMAGE_TAG: ${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
  script:
    - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"username\":\"${CI_REGISTRY_USER}\",\"password\":\"${CI_REGISTRY_PASSWORD}\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context ${CI_PROJECT_DIR} --dockerfile ${CI_PROJECT_DIR}/dockerfiles/custom/Dockerfile --destination \
      ${CI_REGISTRY_IMAGE}:${IMAGE_TAG}

This is of course based on the official GitLabCI Kaniko documentation.

However, when I run my pipeline, this job returns an error with the following message:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: getting tag for destination: registries must be valid RFC 3986 URI authorities: registry.gitlab.com

The Dockerfile path is correct and through testing with invalid Dockerfile paths to the --dockerfile argument, it is clear to me this is not the source of the issue.

As far as I can tell, I am using the correct pipeline environment variables for authentication and following the documentation for using Kaniko verbatim. I am running my pipeline jobs with GitLab's shared runners.

According to this issue comment from May, others were experiencing a similar issue which was then resolved when reverting to the debug-v0.16.0 Kaniko image. Likewise, I changed the Image name line to name: gcr.io/kaniko-project/executor:debug-v0.16.0 but this resulted in the same error message.

Finally, I tried creating a generic user to access the registry, using a deployment key as indicated here. Via the GitLabCI environment variables project settings interface, I added two variables corresponding to the username and key, and substituted these variables in my pipeline script. This resulted in the same error message.

I tried several variations on this approach, including renaming these custom variables to "CI_REGISTRY_USER" and "CI_REGISTRY_PASSWORD" (the predefined variables). I also made sure neither of these variables was marked as "protected". None of this solved the problem.

I have also tried running the tutorial script verbatim (without custom image tag), and this too results in the same error message.

Has anyone had any recent success in using Kaniko to build Docker images in their GitLabCI pipelines? It appears others are experiencing similar problems but as far as I can tell, no solutions have been put forward and I am not certain whether the issue is on my end. Please let me know if any additional information would be useful to diagnose potential problem sources. Thanks all!

Answer 1

I ran into this issue before many times forgetting that the variable was set to protected thus will only be exported to protected branches.

Answer 2

I also had this problem with my gitlab-ci pipeline. I wanted to push directly to the public docker-hub repository with an access token to my account.

The problem in the end was, for my case, that I used the wrong registry address. Instead of docker.io, which is changed by kaniko to https://index.docker.io/v2, I had to insert https://index.docker.io/v1/. Afterwards, the container was built without any problems, even with protected ci variables