Add a krane tool. (#1218)

This adds a `krane` tool, which is effectively `crane` with a multi-keychain that prefers default authentication mechanisms, but links `k8schain` as a fallback.

This enables this tool to act as a drop-in replacement for `crane`, but it can support common Kubernetes-based workload identity mechanisms.

README.md

@@ -131,12 +131,18 @@ and registries.
 [`gcrane`](cmd/gcrane/README.md) is a GCR-specific variant of `crane` that has
 richer output for the `ls` subcommand and some basic garbage collection support.
 
+### `krane`
+
+[`krane`](cmd/krane/README.md) is a drop-in replacement for `crane` that supports
+common Kubernetes-based workload identity mechanisms using [`k8schain`](#k8schain)
+as a fallback to traditional authentication mechanisms.
+
 ### `k8schain`
 
 [`k8schain`](pkg/authn/k8schain/README.md) implements the authentication
-semantics use by kubelets in a way that is easily consumable by this library.
+semantics used by kubelets in a way that is easily consumable by this library.
 
-`k8schain` is not a standalone tool, but it's linked here for visibility.
+`k8schain` is not a standalone tool, but it is linked here for visibility.
 
 ### Emeritus: [`ko`](https://github.com/google/ko)
 

cloudbuild.yaml

@@ -23,23 +23,29 @@ steps:
     chmod +x ko
     alias ko=./ko
 
-    # Use the ko binary to build the crane and gcrane builder images.
+    # Use the ko binary to build the crane-ish builder images.
     ko publish --platform=all -B github.com/google/go-containerregistry/cmd/crane  -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
     ko publish --platform=all -B github.com/google/go-containerregistry/cmd/gcrane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
+    ko publish --platform=all -B github.com/google/go-containerregistry/cmd/krane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
 
-    # Use the ko binary to build the crane and gcrane builder *debug* images.
+    # Use the ko binary to build the crane-ish builder *debug* images.
     export KO_CONFIG_PATH=./.ko/debug/
     ko publish --platform=all -B github.com/google/go-containerregistry/cmd/crane  -t "debug"
     ko publish --platform=all -B github.com/google/go-containerregistry/cmd/gcrane -t "debug"
+    ko publish --platform=all -B github.com/google/go-containerregistry/cmd/krane -t "debug"
 
-    # Tag-specific debug images are pushed to gcr.io/go-containerregistry/{g}crane/debug:...
+    # Tag-specific debug images are pushed to gcr.io/go-containerregistry/TOOL/debug:...
     KO_DOCKER_REPO=gcr.io/$PROJECT_ID/crane/debug  ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/crane  -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
     KO_DOCKER_REPO=gcr.io/$PROJECT_ID/gcrane/debug ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/gcrane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
+    KO_DOCKER_REPO=gcr.io/$PROJECT_ID/krane/debug ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/krane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
 
-# Use the crane builder to get the digest for crane and gcrane.
+# Use the crane builder to get the digest for crane-ish.
 - name: gcr.io/$PROJECT_ID/crane
   args: ['digest', 'gcr.io/$PROJECT_ID/crane']
 
 - name: gcr.io/$PROJECT_ID/crane
   args: ['digest', 'gcr.io/$PROJECT_ID/gcrane']
 
+- name: gcr.io/$PROJECT_ID/crane
+  args: ['digest', 'gcr.io/$PROJECT_ID/krane']
+

cmd/krane/README.md

@@ -0,0 +1,14 @@
+# `krane`
+
+<img src="../../images/crane.png" width="40%">
+
+This tool is a variant of the [`crane`](../crane/README.md) command, but builds in
+support for authenticating against registries based on the way the `kubelet`'s
+`pkg/credentialprovider` authenticates.  In particular this tool supports
+authenticating with common "workload identity" mechanisms on platforms such as GKE
+and EKS.
+
+This additional keychain logic only kicks in if alternative authentication mechanisms
+have NOT been configured and `crane` would otherwise perform the command without
+credentials, so **it is a drop-in replacement for `crane` that adds support for
+authenticating with Kubernetes-based workload identity mechanisms**.

cmd/krane/go.mod

@@ -0,0 +1,78 @@
+module github.com/google/go-containerregistry/cmd/krane
+
+go 1.17
+
+replace (
+	github.com/google/go-containerregistry => ../..
+	github.com/google/go-containerregistry/pkg/authn/k8schain => ../../pkg/authn/k8schain
+)
+
+require (
+	github.com/google/go-containerregistry v0.7.0
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211223213658-2874338840a6
+)
+
+require (
+	cloud.google.com/go v0.99.0 // indirect
+	github.com/Azure/azure-sdk-for-go v43.0.0+incompatible // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.12 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.5 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
+	github.com/Azure/go-autorest/autorest/validation v0.1.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.0 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/aws/aws-sdk-go v1.35.24 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/cli v20.10.12+incompatible // indirect
+	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/docker/docker v20.10.12+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/form3tech-oss/jwt-go v3.2.2+incompatible // indirect
+	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/googleapis/gnostic v0.4.1 // indirect
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/spf13/cobra v1.3.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1 // indirect
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
+	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
+	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.21.1 // indirect
+	k8s.io/apimachinery v0.21.1 // indirect
+	k8s.io/client-go v0.21.1 // indirect
+	k8s.io/cloud-provider v0.21.0 // indirect
+	k8s.io/component-base v0.21.0 // indirect
+	k8s.io/klog/v2 v2.8.0 // indirect
+	k8s.io/legacy-cloud-providers v0.21.0 // indirect
+	k8s.io/utils v0.0.0-20201110183641-67b214c5f920 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.1.0 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
+)