fix: [CI-19670]: remove gcr images config

* feat: [CI-18693]: Added oidc support for ACR

* feat: [CI-19349]: error handling

* feat: [CI-19349]: Refactored the code and added cli flags

* feat: [CI-19349]: Added test cases

* Update cmd/kaniko-acr/main.go

* Update cmd/kaniko-acr/main.go

* Update cmd/kaniko-acr/main.go

* feat: [CI-19349]: changed the variable names

* feat: [CI-18693]: Added error handling

* feat: [CI-19349]: removed redundant code

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>

.drone.yml

@@ -33,23 +33,6 @@ steps:
       exclude:
       - pull_request
 
-- name: gcr
-  image: plugins/docker
-  settings:
-    repo: plugins/kaniko-gcr
-    auto_tag: true
-    auto_tag_suffix: linux-amd64
-    daemon_off: false
-    dockerfile: docker/gcr/Dockerfile.linux.amd64
-    username:
-      from_secret: docker_username
-    password:
-      from_secret: docker_password
-  when:
-    event:
-      exclude:
-      - pull_request
-
 - name: gar
   image: plugins/docker
   settings:
@@ -118,23 +101,6 @@ steps:
       exclude:
       - pull_request
 
-- name: gcr-kaniko-v1-9
-  image: plugins/docker
-  settings:
-    repo: plugins/kaniko-gcr
-    auto_tag: true
-    auto_tag_suffix: linux-amd64-kaniko1.9.1
-    daemon_off: false
-    dockerfile: docker/gcr/Dockerfile.linux.amd64.kaniko1.9.1
-    username:
-      from_secret: docker_username
-    password:
-      from_secret: docker_password
-  when:
-    event:
-      exclude:
-      - pull_request
-
 - name: gar-kaniko-v1-9
   image: plugins/docker
   settings:
@@ -200,23 +166,6 @@ steps:
       exclude:
       - pull_request
 
-- name: gcr
-  image: plugins/docker
-  settings:
-    repo: plugins/kaniko-gcr
-    auto_tag: true
-    auto_tag_suffix: linux-arm64
-    daemon_off: false
-    dockerfile: docker/gcr/Dockerfile.linux.arm64
-    username:
-      from_secret: docker_username
-    password:
-      from_secret: docker_password
-  when:
-    event:
-      exclude:
-      - pull_request
-
 - name: gar
   image: plugins/docker
   settings:
@@ -285,23 +234,6 @@ steps:
       exclude:
       - pull_request
 
-- name: gcr-kaniko-v1-9
-  image: plugins/docker
-  settings:
-    repo: plugins/kaniko-gcr
-    auto_tag: true
-    auto_tag_suffix: linux-arm64-kaniko1.9.1
-    daemon_off: false
-    dockerfile: docker/gcr/Dockerfile.linux.arm64.kaniko1.9.1
-    username:
-      from_secret: docker_username
-    password:
-      from_secret: docker_password
-  when:
-    event:
-      exclude:
-      - pull_request
-
 - name: gar-kaniko-v1-9
   image: plugins/docker
   settings:
@@ -360,18 +292,6 @@ steps:
     username:
       from_secret: docker_username
 
-- name: manifest-gcr
-  pull: always
-  image: plugins/manifest
-  settings:
-    auto_tag: true
-    ignore_missing: true
-    password:
-      from_secret: docker_password
-    spec: docker/gcr/manifest.tmpl
-    username:
-      from_secret: docker_username
-
 - name: manifest-gar
   pull: always
   image: plugins/manifest
@@ -442,18 +362,6 @@ steps:
     username:
       from_secret: docker_username
 
-- name: manifest-gcr
-  pull: always
-  image: plugins/manifest
-  settings:
-    auto_tag: false
-    ignore_missing: true
-    password:
-      from_secret: docker_password
-    spec: docker/gcr/manifest-kaniko1.9.1.tmpl
-    username:
-      from_secret: docker_username
-
 - name: manifest-gar
   pull: always
   image: plugins/manifest
@@ -486,3 +394,4 @@ trigger:
 depends_on:
 - default
 - arm
+

.harness/eventPR.yaml

@@ -0,0 +1,14 @@
+inputSet:
+  name: event-PR
+  identifier: eventPR
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: PR
+            spec:
+              number: <+trigger.prNumber>

.harness/eventPush.yaml

@@ -0,0 +1,14 @@
+inputSet:
+  name: event-Push
+  identifier: eventPush
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: branch
+            spec:
+              branch: <+trigger.branch>

.harness/eventTag.yaml

@@ -0,0 +1,14 @@
+inputSet:
+  name: event-Tag
+  identifier: eventTag
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: tag
+            spec:
+              tag: <+trigger.tag>

.harness/harness.yaml

@@ -0,0 +1,512 @@
+pipeline:
+  name: drone-kaniko-harness
+  identifier: dronekanikoharness
+  projectIdentifier: Drone_Plugins
+  orgIdentifier: default
+  tags: {}
+  properties:
+    ci:
+      codebase:
+        connectorRef: GitHub_Drone_Org
+        repoName: drone-kaniko
+        build: <+input>
+        sparseCheckout: []
+  stages:
+    - parallel:
+        - stage:
+            name: linux-amd64
+            identifier: linuxamd64
+            description: ""
+            type: CI
+            spec:
+              cloneCodebase: true
+              caching:
+                enabled: false
+                paths: []
+              platform:
+                os: Linux
+                arch: Amd64
+              runtime:
+                type: Cloud
+                spec: {}
+              execution:
+                steps:
+                  - step:
+                      type: Run
+                      name: Build Binary
+                      identifier: Build
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: golang:1.23.0
+                        shell: Sh
+                        command: |-
+                          go test ./...
+                          sh scripts/build.sh
+                  - parallel:
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag
+                          identifier: BuildAndPushDockerTag
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-amd64
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: _<+matrix.repo>
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag_Kaniko
+                          identifier: BuildAndPushDockerTag_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-amd64-kaniko1.9.1
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: <+matrix.repo>
+                  - parallel:
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch
+                          identifier: BuildAndPushDockerBranch
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-amd64
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: <+matrix.repo>
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch_Kaniko
+                          identifier: BuildAndPushDockerBranch_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-amd64-kaniko1.9.1
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+            when:
+              pipelineStatus: Success
+        - stage:
+            name: linux-arm64
+            identifier: linuxarm64
+            description: ""
+            type: CI
+            spec:
+              cloneCodebase: true
+              caching:
+                enabled: false
+                paths: []
+              platform:
+                os: Linux
+                arch: Arm64
+              runtime:
+                type: Cloud
+                spec: {}
+              execution:
+                steps:
+                  - step:
+                      type: Run
+                      name: Build Binary
+                      identifier: Build_and_Test
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: golang:1.23.0
+                        shell: Sh
+                        command: |-
+                          go test ./...
+                          sh scripts/build.sh
+                  - parallel:
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag
+                          identifier: BuildAndPushDockerTag
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-arm64
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: _<+matrix.repo>
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag_Kaniko
+                          identifier: BuildAndPushDockerTag_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-arm64-kaniko1.9.1
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+                  - parallel:
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch
+                          identifier: BuildAndPushDockerBranch
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-arm64
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: <+matrix.repo>
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch_Kaniko
+                          identifier: BuildAndPushDockerBranch_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-arm64-kaniko1.9.1
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+            when:
+              pipelineStatus: Success
+    - stage:
+        name: Manifest
+        identifier: Manifest
+        description: ""
+        type: CI
+        spec:
+          cloneCodebase: true
+          caching:
+            enabled: false
+            paths: []
+          platform:
+            os: Linux
+            arch: Amd64
+          runtime:
+            type: Cloud
+            spec: {}
+          execution:
+            steps:
+              - parallel:
+                  - step:
+                      type: Plugin
+                      name: Manifest
+                      identifier: Manifest
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: plugins/manifest
+                        settings:
+                          auto_tag: "true"
+                          spec: docker/<+matrix.repo>/manifest.tmpl
+                          username: drone
+                          password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                          ignore_missing: "true"
+                      when:
+                        stageStatus: Success
+                        condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
+                      strategy:
+                        matrix:
+                          repo:
+                            - docker
+                            - gar
+                            - ecr
+                            - acr
+                          nodeName: manifest_<+matrix.repo>
+                  - step:
+                      type: Plugin
+                      name: Manifest_kaniko191
+                      identifier: Manifest_kaniko
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: plugins/manifest
+                        settings:
+                          auto_tag: "false"
+                          spec: docker/<+matrix.repo>/manifest-kaniko1.9.1.tmpl
+                          username: drone
+                          password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                          ignore_missing: "true"
+                      when:
+                        stageStatus: Success
+                        condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
+                      strategy:
+                        matrix:
+                          repo:
+                            - docker
+                            - gar
+                            - ecr
+                          nodeName: manifest_<+matrix.repo>
+        when:
+          pipelineStatus: Success
+  allowStageExecutions: true

README.md

@@ -2,7 +2,7 @@
 
 Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko) to build and publish Docker images to a container registry.
 
-Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.
+Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gar images as well.
 
 Run the following script to install git-leaks support to this repo.
 
@@ -22,7 +22,6 @@ export CGO_ENABLED=0
 export GO111MODULE=on
 
 go build -v -a -tags netgo -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
-go build -v -a -tags netgo -o release/linux/amd64/kaniko-gcr ./cmd/kaniko-gcr
 go build -v -a -tags netgo -o release/linux/amd64/kaniko-ecr ./cmd/kaniko-ecr
 go build -v -a -tags netgo -o release/linux/amd64/kaniko-acr ./cmd/kaniko-acr
 ```
@@ -42,17 +41,50 @@ docker build \
   --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
   --file docker/acr/Dockerfile.linux.amd64 --tag plugins/kaniko-acr .
 
-docker build \
-  --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
-  --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
-  --file docker/gcr/Dockerfile.linux.amd64 --tag plugins/kaniko-gcr .
-
 docker build \
   --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
   --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
   --file docker/ecr/Dockerfile.linux.amd64 --tag plugins/kaniko-ecr .
 ```
 
+### Enhanced Build Arguments Support
+
+The drone-kaniko plugin now supports an improved build arguments system with the `CustomStringSliceFlag` implementation. This feature provides a more flexible way to pass multiple build arguments to your Docker builds.
+
+#### Multiple Build Arguments with Semicolon Delimiter
+
+A new custom CLI flag type that allows passing multiple build arguments using semicolon (`;`) as a delimiter. This flag is available across all registry implementations:
+
+- `kaniko-docker`
+- `kaniko-ecr` (Amazon Elastic Container Registry)
+- `kaniko-acr` (Azure Container Registry)
+- `kaniko-gar` (Google Artifact Registry)
+
+**Usage:**
+
+```console
+docker run --rm \
+    -e PLUGIN_BUILD_ARGS_NEW="ARG1=value1;ARG2=value2;ARG3=value3" \
+    -e PLUGIN_REPO=foo/bar \
+    -v $(pwd):/drone \
+    -w /drone \
+    plugins/kaniko:linux-amd64
+```
+
+#### For build args containing commas
+
+When your build arguments contain commas, enable the `PLUGIN_MULTIPLE_BUILD_ARGS` flag:
+
+```console
+docker run --rm \
+    -e PLUGIN_MULTIPLE_BUILD_ARGS=true \
+    -e PLUGIN_BUILD_ARGS_NEW="KEY1=value,with,comma;KEY2=another,value" \
+    -e PLUGIN_REPO=foo/bar \
+    -v $(pwd):/drone \
+    -w /drone \
+    plugins/kaniko:linux-amd64
+```
+
 ## Usage
 
 ### Operation Modes

cmd/kaniko-acr/main.go

@@ -13,13 +13,17 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 
 	kaniko "github.com/drone/drone-kaniko"
+	azureutil "github.com/drone/drone-kaniko/internal/azure"
 	"github.com/drone/drone-kaniko/pkg/artifact"
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
 )
 
 const (
@@ -96,6 +100,17 @@ func main() {
 			Usage:  "build args",
 			EnvVar: "PLUGIN_BUILD_ARGS",
 		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
 		cli.StringFlag{
 			Name:   "target",
 			Usage:  "build target",
@@ -154,7 +169,7 @@ func main() {
 		cli.StringFlag{
 			Name:   "tenant-id",
 			Usage:  "Azure Tenant Id",
-			EnvVar: "TENANT_ID",
+			EnvVar: "TENANT_ID,AZURE_TENANT_ID,PLUGIN_TENANT_ID",
 		},
 		cli.StringFlag{
 			Name:   "subscription-id",
@@ -163,8 +178,18 @@ func main() {
 		},
 		cli.StringFlag{
 			Name:   "client-id",
-			Usage:  "Azure Client Id",
-			EnvVar: "CLIENT_ID",
+			Usage:  "Azure Client ID (also called App ID)",
+			EnvVar: "CLIENT_ID,AZURE_CLIENT_ID,PLUGIN_CLIENT_ID,AZURE_APP_ID",
+		},
+		cli.StringFlag{
+			Name:   "oidc-token-id",
+			Usage:  "OIDC ID token to exchange for Azure AD access token (federated credentials)",
+			EnvVar: "PLUGIN_OIDC_TOKEN_ID",
+		},
+		cli.StringFlag{
+			Name:   "azure-authority-host",
+			Usage:  "Azure authority host base URL (e.g., https://login.microsoftonline.com, https://login.microsoftonline.us)",
+			EnvVar: "AZURE_AUTHORITY_HOST",
 		},
 		cli.StringFlag{
 			Name:   "snapshot-mode",
@@ -206,6 +231,21 @@ func main() {
 			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
 			EnvVar: "PLUGIN_NO_PUSH",
 		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Set this flag if you only want to push a pre-built image from a tarball",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Path to the local tarball to be pushed when push-only is set",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
+		},
 		cli.StringFlag{
 			Name:   "verbosity",
 			Usage:  "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -380,12 +420,25 @@ func main() {
 }
 
 func run(c *cli.Context) error {
+	// Check if push-only flag is set
+	if c.Bool("push-only") {
+		return handlePushOnly(c)
+	}
+
 	registry := c.String("registry")
 	noPush := c.Bool("no-push")
 
-	publicUrl, err := setupAuth(
-		c.String("tenant-id"),
-		c.String("client-id"),
+	clientID := c.String("client-id")
+	tenantID := c.String("tenant-id")
+	oidcIdToken := c.String("oidc-token-id")
+	authorityHost := c.String("azure-authority-host")
+
+	var publicUrl string
+	var err error
+	publicUrl, err = setupAuth(
+		tenantID,
+		clientID,
+		oidcIdToken,
 		c.String("client-cert"),
 		c.String("client-secret"),
 		c.String("subscription-id"),
@@ -393,6 +446,7 @@ func run(c *cli.Context) error {
 		c.String("base-image-username"),
 		c.String("base-image-password"),
 		c.String("base-image-registry"),
+		authorityHost,
 		noPush,
 	)
 	if err != nil {
@@ -410,6 +464,8 @@ func run(c *cli.Context) error {
 			AutoTagSuffix:               c.String("auto-tag-suffix"),
 			ExpandTag:                   c.Bool("expand-tag"),
 			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
 			Target:                      c.String("target"),
 			Repo:                        c.String("repo"),
 			Mirrors:                     c.StringSlice("registry-mirrors"),
@@ -451,6 +507,7 @@ func run(c *cli.Context) error {
 			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
 			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
@@ -470,36 +527,75 @@ func run(c *cli.Context) error {
 		flag := c.Bool("ignore-var-run")
 		plugin.Build.IgnoreVarRun = &flag
 	}
+
+	// Set tar-path if provided
+	if c.IsSet("tar-path") {
+		plugin.Build.TarPath = c.String("tar-path")
+	}
+
 	return plugin.Exec()
 }
 
-func setupAuth(tenantId, clientId, cert,
-	clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry string, noPush bool) (string, error) {
+func setupAuth(tenantId, clientId, oidcIdToken, cert,
+	clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry, authorityHost string, noPush bool) (string, error) {
 	if registry == "" {
 		return "", fmt.Errorf("registry must be specified")
 	}
 
-	if noPush {
-		return "", nil
+	// Determine auth path: OIDC or Service Principal (secret/cert)
+	if tenantId == "" || clientId == "" {
+		if noPush {
+			logrus.Warnf("NO_PUSH mode: tenantId or clientId not provided")
+			return "", nil
+		}
+		return "", fmt.Errorf("tenantId and clientId must be provided")
 	}
 
-	// case of client secret or cert based auth
-	if clientId != "" {
-		// only setup auth when pushing or credentials are defined
+	var aadAccessToken string
+	var acrToken string
+	var publicUrl string
+	var err error
 
-		token, publicUrl, err := getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
+	if oidcIdToken != "" {
+		// Exchange OIDC ID token for AAD access token via client_assertion
+		aadAccessToken, err = azureutil.GetAADAccessTokenViaClientAssertion(context.Background(), tenantId, clientId, oidcIdToken, authorityHost)
 		if err != nil {
-			return "", errors.Wrap(err, "failed to fetch ACR Token")
+			return handleError(noPush, err, "failed to get AAD token via OIDC")
 		}
-
-		// setup docker config for azure registry and base image docker registry
-		if err := setDockerAuth(username, token, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
-			return "", errors.Wrap(err, "failed to create docker config")
+		publicUrl, err = getPublicUrl(aadAccessToken, registry, subscriptionId)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
+		}
+		// Exchange AAD access token to ACR refresh token
+		acrToken, err = fetchACRToken(tenantId, aadAccessToken, registry)
+		if err != nil {
+			return handleError(noPush, err, "failed to fetch ACR token")
+		}
+	} else if clientSecret != "" || cert != "" {
+		acrToken, publicUrl, err = getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
+		if err != nil {
+			return handleError(noPush, err, "failed to fetch ACR Token")
 		}
-		return publicUrl, nil
 	} else {
+		if noPush {
+			return "", nil
+		}
 		return "", fmt.Errorf("managed authentication is not supported")
 	}
+
+	if err := setDockerAuth(username, acrToken, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
+		return handleError(noPush, err, "failed to create docker config")
+	}
+	return publicUrl, nil
+}
+
+// Error handling
+func handleError(noPush bool, err error, msg string) (string, error) {
+	if noPush {
+		logrus.Warnf("NO_PUSH mode: %s: %v", msg, err)
+		return "", nil
+	}
+	return "", errors.Wrap(err, msg)
 }
 
 func getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry string) (string, string, error) {
@@ -675,21 +771,123 @@ func setDockerAuth(username, password, registry, dockerUsername, dockerPassword,
 		Password: password,
 	}
 
-	pullFromRegistryCreds := docker.RegistryCredentials{
-		Registry: dockerRegistry,
-		Username: dockerUsername,
-		Password: dockerPassword,
+	credentials := []docker.RegistryCredentials{pushToRegistryCreds}
+
+	if dockerRegistry != "" {
+		pullFromRegistryCreds := docker.RegistryCredentials{
+			Registry: dockerRegistry,
+			Username: dockerUsername,
+			Password: dockerPassword,
+		}
+		credentials = append(credentials, pullFromRegistryCreds)
+	} else {
+		fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+			"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
 	}
-
-	credentials := []docker.RegistryCredentials{pushToRegistryCreds, pullFromRegistryCreds}
 	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
-
 }
 
 func encodeParam(s string) string {
 	return url.QueryEscape(s)
 }
 
+func handlePushOnly(c *cli.Context) error {
+	// Validate inputs for push-only operation
+	sourceTarPath := c.String("source-tar-path")
+	if sourceTarPath == "" {
+		return fmt.Errorf("source_tar_path is required when push_only is set")
+	}
+
+	if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
+		return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
+	}
+
+	repo := c.String("repo")
+	registry := c.String("registry")
+	if repo == "" || registry == "" {
+		return fmt.Errorf("repository and registry must be specified for push-only operation")
+	}
+
+	// Resolve Azure client/tenant and OIDC via CLI flags
+	clientID := c.String("client-id")
+	tenantID := c.String("tenant-id")
+	oidcIdToken := c.String("oidc-token-id")
+	authorityHost := c.String("azure-authority-host")
+
+	var publicUrl string
+	var err error
+	publicUrl, err = setupAuth(
+		tenantID,
+		clientID,
+		oidcIdToken,
+		c.String("client-cert"),
+		c.String("client-secret"),
+		c.String("subscription-id"),
+		registry,
+		c.String("base-image-username"),
+		c.String("base-image-password"),
+		c.String("base-image-registry"),
+		authorityHost,
+		false,
+	)
+	if err != nil {
+		return err
+	}
+
+	// Load the image from the tarball
+	logrus.Infof("Loading image from tarball: %s", sourceTarPath)
+
+	img, err := crane.Load(sourceTarPath)
+	if err != nil {
+		return fmt.Errorf("failed to load image from tarball: %v", err)
+	}
+
+	// Check if the Docker config directory exists (should have been created by setupAuth)
+	if _, err := os.Stat(dockerConfigPath); os.IsNotExist(err) {
+		return fmt.Errorf("Docker config directory does not exist: %v", err)
+	} else if err != nil {
+		return fmt.Errorf("error checking Docker config directory: %v", err)
+	}
+
+	// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
+	if err := os.Setenv("DOCKER_CONFIG", dockerConfigPath); err != nil {
+		return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
+	}
+
+	// Setup crane options
+	opts := []crane.Option{
+		crane.WithAuthFromKeychain(authn.DefaultKeychain),
+	}
+
+	// Push for each tag
+	tags := c.StringSlice("tags")
+	if len(tags) == 0 {
+		tags = []string{"latest"}
+	}
+
+	// Use the registry from setupAuth if publicUrl is available, otherwise use the provided registry
+	pushRegistry := registry
+	if publicUrl != "" {
+		logrus.Infof("Using public URL for pushing: %s", publicUrl)
+		// Extract just the registry part from the full URL if needed
+		// This depends on the format of publicUrl, adjust parsing as needed
+		pushRegistry = publicUrl
+	}
+
+	for _, tag := range tags {
+		dest := fmt.Sprintf("%s/%s:%s", pushRegistry, repo, tag)
+		logrus.Infof("Pushing image to: %s", dest)
+
+		if err := crane.Push(img, dest, opts...); err != nil {
+			return fmt.Errorf("failed to push image to %s: %v", dest, err)
+		}
+
+		logrus.Infof("Successfully pushed image to %s", dest)
+	}
+
+	return nil
+}
+
 type strct struct {
 	Value []struct {
 		ID string `json:"id"`

cmd/kaniko-acr/main_test.go

@@ -9,7 +9,9 @@ import (
 	"testing"
 
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
 	"github.com/stretchr/testify/assert"
+	"github.com/urfave/cli"
 )
 
 const (
@@ -153,4 +155,235 @@ func TestCreateDockerConfigWithoutBaseRegistry(t *testing.T) {
 	// Check if the public Docker Hub auth is not set
 	_, exists := config.Auths[""]
 	assert.False(t, exists)
-}
+}
+
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestCLIIntegrationWithCustomFlag(t *testing.T) {
+	// Test CLI integration with proper flag setup
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name:     "CLI with single arg",
+			args:     []string{"acr-test", "--args-new", "ARG1=value1"},
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "CLI with multiple args",
+			args:     []string{"acr-test", "--args-new", "ARG1=value1;ARG2=value2"},
+			expected: []string{"ARG1=value1", "ARG2=value2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			app := cli.NewApp()
+			app.Name = "acr-test"
+
+			var capturedArgs []string
+
+			app.Flags = []cli.Flag{
+				cli.GenericFlag{
+					Name:   "args-new",
+					Usage:  "build args new",
+					EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+					Value:  new(utils.CustomStringSliceFlag),
+				},
+			}
+
+			app.Action = func(c *cli.Context) error {
+				if genericFlag := c.Generic("args-new"); genericFlag != nil {
+					if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
+						capturedArgs = customFlag.GetValue()
+					}
+				}
+				return nil
+			}
+
+			err := app.Run(tt.args)
+			if err != nil {
+				t.Errorf("CLI run error = %v, want nil", err)
+				return
+			}
+
+			if len(capturedArgs) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if capturedArgs[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestACRBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of ACR plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "azure specific args",
+			argsNew:       "AZURE_TENANT_ID=tenant123;AZURE_CLIENT_ID=client456",
+			expectedCount: 2,
+			expectedFirst: "AZURE_TENANT_ID=tenant123",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}
+
+func TestACRAuthenticationFlow(t *testing.T) {
+	// Test that ACR authentication works with build args
+	tests := []struct {
+		name         string
+		tenantId     string
+		clientId     string
+		clientSecret string
+		expectError  bool
+	}{
+		{
+			name:         "missing tenant id",
+			tenantId:     "",
+			clientId:     "client123",
+			clientSecret: "secret456",
+			expectError:  true,
+		},
+		{
+			name:         "missing client id",
+			tenantId:     "tenant123",
+			clientId:     "",
+			clientSecret: "secret456",
+			expectError:  true,
+		},
+		{
+			name:         "missing client secret",
+			tenantId:     "tenant123",
+			clientId:     "client456",
+			clientSecret: "",
+			expectError:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This test validates the parameter validation logic
+			// without actually making network calls
+			if tt.tenantId == "" && !tt.expectError {
+				t.Error("Expected error for missing tenant ID")
+			}
+			if tt.clientId == "" && !tt.expectError {
+				t.Error("Expected error for missing client ID")
+			}
+			if tt.clientSecret == "" && !tt.expectError {
+				t.Error("Expected error for missing client secret")
+			}
+		})
+	}
+}
+
+func TestSetupAuth_RegistryMustBeSpecified(t *testing.T) {
+	pub, err := setupAuth("tenant", "client", "", "", "", "sub", "", "", "", "", "", false)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "registry must be specified")
+	assert.Equal(t, "", pub)
+}
+
+func TestSetupAuth_MissingTenantOrClient(t *testing.T) {
+	pub, err := setupAuth("tenant", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", false)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "tenantId and clientId must be provided")
+	assert.Equal(t, "", pub)
+}
+
+func TestSetupAuth_NoCreds_NoPushTrue(t *testing.T) {
+	pub, err := setupAuth("tenant", "client", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", true)
+	assert.NoError(t, err)
+	assert.Equal(t, "", pub)
+}

cmd/kaniko-docker/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	"os"
 	"strings"
 
@@ -12,6 +13,7 @@ import (
 	kaniko "github.com/drone/drone-kaniko"
 	"github.com/drone/drone-kaniko/pkg/artifact"
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
 )
 
 const (
@@ -101,6 +103,17 @@ func main() {
 			Usage:  "build args",
 			EnvVar: "PLUGIN_BUILD_ARGS",
 		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
 		cli.StringFlag{
 			Name:   "target",
 			Usage:  "build target",
@@ -238,6 +251,7 @@ func main() {
 			Usage:  "Enable or disable compressed caching.",
 			EnvVar: "PLUGIN_COMPRESSED_CACHING",
 		},
+
 		cli.StringFlag{
 			Name:   "context-sub-path",
 			Usage:  "Sub-path within the context to build.",
@@ -353,6 +367,11 @@ func main() {
 			Usage:  "Path to ignore during the build.",
 			EnvVar: "PLUGIN_IGNORE_PATH",
 		},
+		cli.StringSliceFlag{
+			Name:   "ignore-paths",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATHS",
+		},
 		cli.IntFlag{
 			Name:   "image-fs-extract-retry",
 			Usage:  "Number of retries for extracting filesystem layers.",
@@ -415,6 +434,8 @@ func run(c *cli.Context) error {
 			AutoTagSuffix:               c.String("auto-tag-suffix"),
 			ExpandTag:                   c.Bool("expand-tag"),
 			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
 			Target:                      c.String("target"),
 			Repo:                        buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
 			Mirrors:                     c.StringSlice("registry-mirrors"),
@@ -460,6 +481,7 @@ func run(c *cli.Context) error {
 			SourceTarPath:               c.String("source-tar-path"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
 
 			ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:  c.Int("image-download-retry"),
@@ -502,6 +524,9 @@ func setDockerAuth(username, password, registry, baseImageUsername, baseImagePas
 			Password: baseImagePassword,
 		}
 		credentials = append(credentials, pullFromRegistryCreds)
+	} else {
+		fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+			"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
 	}
 	// Creates docker config for both the regustries used for authentication
 	return dockerConfig.CreateDockerConfig(credentials, dockerPath)

cmd/kaniko-docker/main_test.go

@@ -6,6 +6,8 @@ import (
 	"testing"
 
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
+	"github.com/urfave/cli"
 )
 
 func Test_buildRepo(t *testing.T) {
@@ -42,6 +44,168 @@ func Test_buildRepo(t *testing.T) {
 	}
 }
 
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestCLIIntegrationWithCustomFlag(t *testing.T) {
+	// Test CLI integration with proper flag setup
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name:     "CLI with single arg",
+			args:     []string{"docker-test", "--args-new", "ARG1=value1"},
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "CLI with multiple args",
+			args:     []string{"docker-test", "--args-new", "ARG1=value1;ARG2=value2"},
+			expected: []string{"ARG1=value1", "ARG2=value2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			app := cli.NewApp()
+			app.Name = "docker-test"
+
+			var capturedArgs []string
+
+			app.Flags = []cli.Flag{
+				cli.GenericFlag{
+					Name:   "args-new",
+					Usage:  "build args new",
+					EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+					Value:  new(utils.CustomStringSliceFlag),
+				},
+			}
+
+			app.Action = func(c *cli.Context) error {
+				if genericFlag := c.Generic("args-new"); genericFlag != nil {
+					if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
+						capturedArgs = customFlag.GetValue()
+					}
+				}
+				return nil
+			}
+
+			err := app.Run(tt.args)
+			if err != nil {
+				t.Errorf("CLI run error = %v, want nil", err)
+				return
+			}
+
+			if len(capturedArgs) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if capturedArgs[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestDockerBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of Docker plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+		{
+			name:          "args with equals and semicolons",
+			argsNew:       "API_URL=https://api.example.com;DEBUG=true;VERSION=1.0.0",
+			expectedCount: 3,
+			expectedFirst: "API_URL=https://api.example.com",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}
+
 func TestCreateDockerConfig(t *testing.T) {
 	config := docker.NewConfig()
 	tempDir, err := ioutil.TempDir("", "docker-config-test")

cmd/kaniko-ecr/main.go

@@ -14,6 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
 	awsv1 "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
@@ -29,6 +30,9 @@ import (
 	kaniko "github.com/drone/drone-kaniko"
 	"github.com/drone/drone-kaniko/pkg/artifact"
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
 )
 
 const (
@@ -129,7 +133,7 @@ func main() {
 			Name:   "args-new",
 			Usage:  "build args new",
 			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
-			Value:  new(CustomStringSliceFlag),
+			Value:  new(utils.CustomStringSliceFlag),
 		},
 		cli.BoolFlag{
 			Name:   "plugin-multiple-build-agrs",
@@ -403,6 +407,21 @@ func main() {
 			Usage:  "OIDC token for assuming role via web identity",
 			EnvVar: "PLUGIN_OIDC_TOKEN_ID",
 		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH, PLUGIN_DESTINATION_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Set this flag for the source tarball during push operations.",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Specify if the operation is push-only",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -415,10 +434,21 @@ func run(c *cli.Context) error {
 	registry := c.String("registry")
 	region := c.String("region")
 	noPush := c.Bool("no-push")
+	pushOnly := c.Bool("push-only")
 	assumeRole := c.String("assume-role")
 	externalId := c.String("external-id")
 	oidcToken := c.String("oidc-token-id")
 
+	// Validate flags
+	if noPush && pushOnly {
+		return fmt.Errorf("no-push and push-only flags cannot be used together")
+	}
+
+	// Handle push-only operation
+	if pushOnly {
+		return handlePushOnly(c)
+	}
+
 	// setup docker config for azure registry and base image docker registry
 	err := setDockerAuth(
 		c.String("docker-registry"),
@@ -475,7 +505,7 @@ func run(c *cli.Context) error {
 			AutoTagSuffix:               c.String("auto-tag-suffix"),
 			ExpandTag:                   c.Bool("expand-tag"),
 			Args:                        c.StringSlice("args"),
-			ArgsNew:                     c.Generic("args-new").(*CustomStringSliceFlag).GetValue(),
+			ArgsNew:                     c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
 			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
 			Target:                      c.String("target"),
 			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
@@ -518,8 +548,12 @@ func run(c *cli.Context) error {
 			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
 			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:          c.Int("image-download-retry"),
+			TarPath:                     c.String("tar-path"),
+			SourceTarPath:               c.String("source-tar-path"),
+			PushOnly:                    c.Bool("push-only"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -552,6 +586,9 @@ func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, se
 			Password: dockerPassword,
 		}
 		credentials = append(credentials, pullFromRegistryCreds)
+	} else {
+		fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+			"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
 	}
 
 	if assumeRole != "" && oidcToken != "" {
@@ -845,3 +882,130 @@ func getOidcCreds(oidcToken, assumeRole string) (string, string, string, error)
 	// Return the credentials
 	return *result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken, nil
 }
+
+func createECRSession(region, accessKey, secretKey, sessionToken string) *ecrv1.ECR {
+	sess := session.Must(session.NewSession(&awsv1.Config{
+		Region: awsv1.String(region),
+		Credentials: credentials.NewStaticCredentials(
+			accessKey,
+			secretKey,
+			sessionToken,
+		),
+	}))
+	return ecrv1.New(sess)
+}
+
+func getECRCredentials(region, registry, assumeRole, externalId, accessKey, secretKey, oidcToken string) (string, string, error) {
+	if assumeRole != "" && oidcToken != "" {
+		// For OIDC auth with assume role
+		awsAccessKey, awsSecretKey, awsSessionToken, err := getOidcCreds(oidcToken, assumeRole)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get OIDC credentials: %w", err)
+		}
+
+		// Create ECR session and get auth info
+		svc := createECRSession(region, awsAccessKey, awsSecretKey, awsSessionToken)
+		username, password, _, err := getAuthInfo(svc)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
+		}
+		return username, password, nil
+	} else if assumeRole != "" {
+		// For assume role auth
+		username, password, _, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
+		}
+		return username, password, nil
+	} else if accessKey != "" && secretKey != "" {
+		// For direct credentials
+		sess := session.Must(session.NewSession(&awsv1.Config{
+			Region: awsv1.String(region),
+			Credentials: credentials.NewStaticCredentials(
+				accessKey,
+				secretKey,
+				"",
+			),
+		}))
+		svc := ecrv1.New(sess)
+
+		username, password, _, err := getAuthInfo(svc)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
+		}
+		return username, password, nil
+	} else {
+		// For IAM role auth (default credentials)
+		sess := session.Must(session.NewSession(&awsv1.Config{
+			Region: awsv1.String(region),
+		}))
+		svc := ecrv1.New(sess)
+
+		username, password, _, err := getAuthInfo(svc)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
+		}
+		return username, password, nil
+	}
+}
+
+func handlePushOnly(c *cli.Context) error {
+	sourceTarPath := c.String("source-tar-path")
+	if sourceTarPath == "" {
+		return fmt.Errorf("source_tar_path is required when push_only is set")
+	}
+
+	if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
+		return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
+	}
+
+	repo := c.String("repo")
+	registry := c.String("registry")
+	if repo == "" || registry == "" {
+		return fmt.Errorf("repository and registry must be specified for push-only operation")
+	}
+
+	// Load the image from the tarball
+	img, err := crane.Load(sourceTarPath)
+	if err != nil {
+		return fmt.Errorf("failed to load image from tarball: %v", err)
+	}
+
+	// Get ECR credentials using the common function
+	username, password, err := getECRCredentials(
+		c.String("region"),
+		registry,
+		c.String("assume-role"),
+		c.String("external-id"),
+		c.String("access-key"),
+		c.String("secret-key"),
+		c.String("oidc-token-id"),
+	)
+	if err != nil {
+		return err
+	}
+
+	// Setup crane auth
+	opts := []crane.Option{
+		crane.WithAuth(&authn.Basic{
+			Username: username,
+			Password: password,
+		}),
+	}
+
+	// Push for each tag
+	tags := c.StringSlice("tags")
+	if len(tags) == 0 {
+		tags = []string{"latest"}
+	}
+
+	for _, tag := range tags {
+		dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
+		if err := crane.Push(img, dest, opts...); err != nil {
+			return fmt.Errorf("failed to push image to %s: %v", dest, err)
+		}
+		fmt.Printf("Successfully pushed image to %s\n", dest)
+	}
+
+	return nil
+}

cmd/kaniko-ecr/main_test.go

@@ -7,7 +7,9 @@ import (
 	"testing"
 
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
 	"github.com/stretchr/testify/assert"
+	"github.com/urfave/cli"
 )
 
 func TestCreateDockerConfigForECRWithBaseRegistry(t *testing.T) {
@@ -42,4 +44,166 @@ func TestCreateDockerConfigForECRWithBaseRegistry(t *testing.T) {
 
 	expectedDockerAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(dockerUsername + ":" + dockerPassword))}
 	assert.Equal(t, expectedDockerAuth, config.Auths[dockerRegistry])
-}
+}
+
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestCLIIntegrationWithCustomFlag(t *testing.T) {
+	// Test CLI integration with proper flag setup
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name:     "CLI with single arg",
+			args:     []string{"ecr-test", "--args-new", "ARG1=value1"},
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "CLI with multiple args",
+			args:     []string{"ecr-test", "--args-new", "ARG1=value1;ARG2=value2"},
+			expected: []string{"ARG1=value1", "ARG2=value2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			app := cli.NewApp()
+			app.Name = "ecr-test"
+
+			var capturedArgs []string
+
+			app.Flags = []cli.Flag{
+				cli.GenericFlag{
+					Name:   "args-new",
+					Usage:  "build args new",
+					EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+					Value:  new(utils.CustomStringSliceFlag),
+				},
+			}
+
+			app.Action = func(c *cli.Context) error {
+				if genericFlag := c.Generic("args-new"); genericFlag != nil {
+					if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
+						capturedArgs = customFlag.GetValue()
+					}
+				}
+				return nil
+			}
+
+			err := app.Run(tt.args)
+			if err != nil {
+				t.Errorf("CLI run error = %v, want nil", err)
+				return
+			}
+
+			if len(capturedArgs) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if capturedArgs[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestECRBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of ECR plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "aws specific args",
+			argsNew:       "AWS_REGION=us-west-2;AWS_ACCOUNT_ID=123456789012",
+			expectedCount: 2,
+			expectedFirst: "AWS_REGION=us-west-2",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}

cmd/kaniko-gar/main.go

@@ -1,9 +1,12 @@
 package main
 
 import (
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 
 	"github.com/joho/godotenv"
 	"github.com/pkg/errors"
@@ -13,13 +16,17 @@ import (
 	kaniko "github.com/drone/drone-kaniko"
 	"github.com/drone/drone-kaniko/pkg/artifact"
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
+	"github.com/drone/drone-kaniko/pkg/utils"
+
 )
 
 const (
 	dockerConfigPath string = "/kaniko/.docker"
 	// GAR JSON key file path
-	garKeyPath       string = "/kaniko/config.json"
-	garEnvVariable   string = "GOOGLE_APPLICATION_CREDENTIALS"
+	garKeyPath     string = "/kaniko/config.json"
+	garEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
 
 	defaultDigestFile string = "/kaniko/digest-file"
 )
@@ -91,6 +98,17 @@ func main() {
 			Usage:  "build args",
 			EnvVar: "PLUGIN_BUILD_ARGS",
 		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
 		cli.StringFlag{
 			Name:   "target",
 			Usage:  "build target",
@@ -166,6 +184,21 @@ func main() {
 			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
 			EnvVar: "PLUGIN_NO_PUSH",
 		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Set this flag if you only want to push a pre-built image from a tarball",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Path to the local tarball to be pushed when push-only is set",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
+		},
 		cli.StringFlag{
 			Name:   "verbosity",
 			Usage:  "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -340,6 +373,11 @@ func main() {
 }
 
 func run(c *cli.Context) error {
+	// Check if this is a push-only operation
+	if c.Bool("push-only") {
+		return handlePushOnly(c)
+	}
+
 	noPush := c.Bool("no-push")
 	jsonKey := c.String("json-key")
 	// JSON key may not be set in the following cases:
@@ -351,7 +389,7 @@ func run(c *cli.Context) error {
 		}
 
 		// setup docker config only when base image registry is specified
-		if c.String("base-image-registry") != ""{
+		if c.String("base-image-registry") != "" {
 			if err := setDockerAuth(
 				c.String("base-image-username"),
 				c.String("base-image-password"),
@@ -359,6 +397,9 @@ func run(c *cli.Context) error {
 			); err != nil {
 				return errors.Wrap(err, "failed to create docker config")
 			}
+		} else {
+			fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+				"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
 		}
 	}
 
@@ -373,6 +414,8 @@ func run(c *cli.Context) error {
 			AutoTagSuffix:               c.String("auto-tag-suffix"),
 			ExpandTag:                   c.Bool("expand-tag"),
 			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
 			Target:                      c.String("target"),
 			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
 			Mirrors:                     c.StringSlice("registry-mirrors"),
@@ -383,6 +426,9 @@ func run(c *cli.Context) error {
 			CacheTTL:                    c.Int("cache-ttl"),
 			DigestFile:                  defaultDigestFile,
 			NoPush:                      noPush,
+			PushOnly:                    c.Bool("push-only"),
+			SourceTarPath:               c.String("source-tar-path"),
+			TarPath:                     c.String("tar-path"),
 			Verbosity:                   c.String("verbosity"),
 			Platform:                    c.String("platform"),
 			SkipUnusedStages:            c.Bool("skip-unused-stages"),
@@ -414,6 +460,7 @@ func run(c *cli.Context) error {
 			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
 			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
@@ -436,7 +483,7 @@ func run(c *cli.Context) error {
 	return plugin.Exec()
 }
 
-func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) (error) {
+func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) error {
 	dockerConfig := docker.NewConfig()
 	dockerRegistryCreds := docker.RegistryCredentials{
 		Registry: dockerRegistry,
@@ -460,3 +507,113 @@ func setupGARAuth(jsonKey string) error {
 	}
 	return nil
 }
+
+func handlePushOnly(c *cli.Context) error {
+	// Validate inputs for push-only operation
+	sourceTarPath := c.String("source-tar-path")
+	if sourceTarPath == "" {
+		return fmt.Errorf("source_tar_path is required when push_only is set")
+	}
+
+	if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
+		return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
+	}
+
+	repo := c.String("repo")
+	registry := c.String("registry")
+	if repo == "" || registry == "" {
+		return fmt.Errorf("repository and registry must be specified for push-only operation")
+	}
+
+	// Authentication options for crane
+	var opts []crane.Option
+
+	// Setup GAR authentication
+	jsonKey := c.String("json-key")
+	if jsonKey != "" {
+		if err := setupGARAuth(jsonKey); err != nil {
+			return err
+		}
+
+		logrus.Info("Setting up authentication for GAR")
+
+		// Create Docker config directory if it doesn't exist
+		dockerConfigDir := "/kaniko/.docker"
+		if err := os.MkdirAll(dockerConfigDir, 0755); err != nil {
+			return fmt.Errorf("failed to create Docker config directory: %v", err)
+		}
+
+		// Generate a Docker config with GAR auth
+		type DockerAuth struct {
+			Username string `json:"username"`
+			Password string `json:"password"`
+			Auth     string `json:"auth"`
+		}
+
+		type DockerConfig struct {
+			Auths map[string]DockerAuth `json:"auths"`
+		}
+
+		// Create proper Auth field (base64 encoded username:password)
+		username := "_json_key"
+		authString := base64.StdEncoding.EncodeToString([]byte(username + ":" + jsonKey))
+
+		// Use _json_key as username and the key content as password for GAR
+		config := DockerConfig{
+			Auths: map[string]DockerAuth{
+				registry: {
+					Username: username,
+					Password: jsonKey,
+					Auth:     authString,
+				},
+			},
+		}
+
+		// Write the Docker config
+		configBytes, err := json.Marshal(config)
+		if err != nil {
+			return fmt.Errorf("failed to marshal Docker config: %v", err)
+		}
+
+		dockerConfigPath := filepath.Join(dockerConfigDir, "config.json")
+		if err := ioutil.WriteFile(dockerConfigPath, configBytes, 0644); err != nil {
+			return fmt.Errorf("failed to write Docker config: %v", err)
+		}
+
+		// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
+		if err := os.Setenv("DOCKER_CONFIG", dockerConfigDir); err != nil {
+			return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
+		}
+
+		// Set up crane to use basic auth with docker config
+		opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
+	} else {
+		logrus.Warn("No JSON key provided, authentication may fail if not running with workload identity")
+	}
+
+	// Load the image from the tarball
+	logrus.Infof("Loading image from tarball: %s", sourceTarPath)
+	img, err := crane.Load(sourceTarPath)
+	if err != nil {
+		return fmt.Errorf("failed to load image from tarball: %v", err)
+	}
+
+	// Push for each tag
+	tags := c.StringSlice("tags")
+	if len(tags) == 0 {
+		tags = []string{"latest"}
+	}
+
+	for _, tag := range tags {
+		dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
+		logrus.Infof("Pushing image to: %s", dest)
+
+		if err := crane.Push(img, dest, opts...); err != nil {
+			return fmt.Errorf("failed to push image to %s: %v", dest, err)
+		}
+
+		logrus.Infof("Successfully pushed image to %s", dest)
+	}
+
+	return nil
+}

cmd/kaniko-gar/main_test.go

@@ -0,0 +1,286 @@
+package main
+
+import (
+	"os"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/utils"
+	"github.com/urfave/cli"
+)
+
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestCLIIntegrationWithCustomFlag(t *testing.T) {
+	// Test CLI integration with proper flag setup
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name:     "CLI with single arg",
+			args:     []string{"gar-test", "--args-new", "ARG1=value1"},
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "CLI with multiple args",
+			args:     []string{"gar-test", "--args-new", "ARG1=value1;ARG2=value2"},
+			expected: []string{"ARG1=value1", "ARG2=value2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			app := cli.NewApp()
+			app.Name = "gar-test"
+
+			var capturedArgs []string
+
+			app.Flags = []cli.Flag{
+				cli.GenericFlag{
+					Name:   "args-new",
+					Usage:  "build args new",
+					EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+					Value:  new(utils.CustomStringSliceFlag),
+				},
+			}
+
+			app.Action = func(c *cli.Context) error {
+				if genericFlag := c.Generic("args-new"); genericFlag != nil {
+					if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
+						capturedArgs = customFlag.GetValue()
+					}
+				}
+				return nil
+			}
+
+			err := app.Run(tt.args)
+			if err != nil {
+				t.Errorf("CLI run error = %v, want nil", err)
+				return
+			}
+
+			if len(capturedArgs) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if capturedArgs[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestEnvironmentVariableIntegration(t *testing.T) {
+	// Test that environment variables work with CustomStringSliceFlag
+	originalEnv := os.Getenv("PLUGIN_BUILD_ARGS_NEW")
+	defer func() {
+		if originalEnv != "" {
+			os.Setenv("PLUGIN_BUILD_ARGS_NEW", originalEnv)
+		} else {
+			os.Unsetenv("PLUGIN_BUILD_ARGS_NEW")
+		}
+	}()
+
+	os.Setenv("PLUGIN_BUILD_ARGS_NEW", "ENV_ARG1=env_value1;ENV_ARG2=env_value2")
+
+	app := cli.NewApp()
+	app.Flags = []cli.Flag{
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+	}
+
+	var capturedArgs []string
+	app.Action = func(c *cli.Context) error {
+		if flag := c.Generic("args-new"); flag != nil {
+			if customFlag, ok := flag.(*utils.CustomStringSliceFlag); ok {
+				capturedArgs = customFlag.GetValue()
+			}
+		}
+		return nil
+	}
+
+	err := app.Run([]string{"test"})
+	if err != nil {
+		t.Errorf("App.Run() error = %v, want nil", err)
+		return
+	}
+
+	expected := []string{"ENV_ARG1=env_value1", "ENV_ARG2=env_value2"}
+	if len(capturedArgs) != len(expected) {
+		t.Errorf("Environment variable test: got %d args, want %d", len(capturedArgs), len(expected))
+		return
+	}
+
+	for i, exp := range expected {
+		if capturedArgs[i] != exp {
+			t.Errorf("Environment variable test: got arg[%d] = %v, want %v", i, capturedArgs[i], exp)
+		}
+	}
+}
+
+func TestGARBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of GAR plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "google cloud specific args",
+			argsNew:       "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json;PROJECT_ID=my-project",
+			expectedCount: 2,
+			expectedFirst: "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}
+
+func TestGARRegistryFormatting(t *testing.T) {
+	// Test GAR-specific registry formatting
+	tests := []struct {
+		name     string
+		registry string
+		repo     string
+		expected string
+	}{
+		{
+			name:     "standard GAR format",
+			registry: "us-central1-docker.pkg.dev",
+			repo:     "my-project/my-repo/my-image",
+			expected: "us-central1-docker.pkg.dev/my-project/my-repo/my-image",
+		},
+		{
+			name:     "different region",
+			registry: "europe-west1-docker.pkg.dev",
+			repo:     "project123/repo456/image789",
+			expected: "europe-west1-docker.pkg.dev/project123/repo456/image789",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This would be the format used in the GAR plugin
+			result := tt.registry + "/" + tt.repo
+			if result != tt.expected {
+				t.Errorf("GAR formatting: got %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestGARAuthSetup(t *testing.T) {
+	// Test GAR authentication setup
+	tests := []struct {
+		name           string
+		jsonKey        string
+		expectAuthFile bool
+	}{
+		{
+			name:           "with json key",
+			jsonKey:        `{"type":"service_account","project_id":"test"}`,
+			expectAuthFile: true,
+		},
+		{
+			name:           "without json key (workload identity)",
+			jsonKey:        "",
+			expectAuthFile: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This simulates the auth setup logic
+			hasAuthFile := tt.jsonKey != ""
+			if hasAuthFile != tt.expectAuthFile {
+				t.Errorf("Auth file expectation: got %v, want %v", hasAuthFile, tt.expectAuthFile)
+			}
+		})
+	}
+}

cmd/kaniko-gcr/main.go

@@ -1,463 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-
-	"github.com/joho/godotenv"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"github.com/urfave/cli"
-
-	kaniko "github.com/drone/drone-kaniko"
-	"github.com/drone/drone-kaniko/pkg/artifact"
-	"github.com/drone/drone-kaniko/pkg/docker"
-)
-
-const (
-	dockerConfigPath string = "/kaniko/.docker"
-	// GCR JSON key file path
-	gcrKeyPath       string = "/kaniko/config.json"
-	gcrEnvVariable   string = "GOOGLE_APPLICATION_CREDENTIALS"
-
-	defaultDigestFile string = "/kaniko/digest-file"
-)
-
-var (
-	version = "unknown"
-)
-
-func main() {
-	// Load env-file if it exists first
-	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
-		if err := godotenv.Load(env); err != nil {
-			logrus.Fatal(err)
-		}
-	}
-
-	app := cli.NewApp()
-	app.Name = "kaniko gcr plugin"
-	app.Usage = "kaniko gcr plugin"
-	app.Action = run
-	app.Version = version
-	app.Flags = []cli.Flag{
-		cli.StringFlag{
-			Name:   "dockerfile",
-			Usage:  "build dockerfile",
-			Value:  "Dockerfile",
-			EnvVar: "PLUGIN_DOCKERFILE",
-		},
-		cli.StringFlag{
-			Name:   "context",
-			Usage:  "build context",
-			Value:  ".",
-			EnvVar: "PLUGIN_CONTEXT",
-		},
-		cli.StringFlag{
-			Name:   "drone-commit-ref",
-			Usage:  "git commit ref passed by Drone",
-			EnvVar: "DRONE_COMMIT_REF",
-		},
-		cli.StringFlag{
-			Name:   "drone-repo-branch",
-			Usage:  "git repository default branch passed by Drone",
-			EnvVar: "DRONE_REPO_BRANCH",
-		},
-		cli.StringSliceFlag{
-			Name:     "tags",
-			Usage:    "build tags",
-			Value:    &cli.StringSlice{"latest"},
-			EnvVar:   "PLUGIN_TAGS",
-			FilePath: ".tags",
-		},
-		cli.BoolFlag{
-			Name:   "expand-tag",
-			Usage:  "enable for semver tagging",
-			EnvVar: "PLUGIN_EXPAND_TAG",
-		},
-		cli.BoolFlag{
-			Name:   "auto-tag",
-			Usage:  "enable auto generation of build tags",
-			EnvVar: "PLUGIN_AUTO_TAG",
-		},
-		cli.StringFlag{
-			Name:   "auto-tag-suffix",
-			Usage:  "the suffix of auto build tags",
-			EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
-		},
-		cli.StringSliceFlag{
-			Name:   "args",
-			Usage:  "build args",
-			EnvVar: "PLUGIN_BUILD_ARGS",
-		},
-		cli.StringFlag{
-			Name:   "target",
-			Usage:  "build target",
-			EnvVar: "PLUGIN_TARGET",
-		},
-		cli.StringFlag{
-			Name:   "repo",
-			Usage:  "gcr repository",
-			EnvVar: "PLUGIN_REPO",
-		},
-		cli.StringSliceFlag{
-			Name:   "custom-labels",
-			Usage:  "additional k=v labels",
-			EnvVar: "PLUGIN_CUSTOM_LABELS",
-		},
-		cli.StringFlag{
-			Name:   "registry",
-			Usage:  "gcr registry",
-			Value:  "gcr.io",
-			EnvVar: "PLUGIN_REGISTRY,BASE_REGISTRY",
-		},
-		cli.StringFlag{
-			Name:   "base-image-username",
-			Usage:  "Docker username for base image registry",
-			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
-		},
-		cli.StringFlag{
-			Name:   "base-image-password",
-			Usage:  "Docker password for base image registry",
-			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
-		},
-		cli.StringFlag{
-			Name:   "base-image-registry",
-			Usage:  "Docker registry for base image registry",
-			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
-		},
-		cli.StringSliceFlag{
-			Name:   "registry-mirrors",
-			Usage:  "docker registry mirrors",
-			EnvVar: "PLUGIN_REGISTRY_MIRRORS",
-		},
-		cli.StringFlag{
-			Name:   "json-key",
-			Usage:  "docker username",
-			EnvVar: "PLUGIN_JSON_KEY",
-		},
-		cli.StringFlag{
-			Name:   "snapshot-mode",
-			Usage:  "Specify one of full, redo or time as snapshot mode",
-			EnvVar: "PLUGIN_SNAPSHOT_MODE",
-		},
-		cli.BoolFlag{
-			Name:   "enable-cache",
-			Usage:  "Set this flag to opt into caching with kaniko",
-			EnvVar: "PLUGIN_ENABLE_CACHE",
-		},
-		cli.StringFlag{
-			Name:   "cache-repo",
-			Usage:  "Remote repository that will be used to store cached layers. Cache repo should be present in specified registry. enable-cache needs to be set to use this flag",
-			EnvVar: "PLUGIN_CACHE_REPO",
-		},
-		cli.IntFlag{
-			Name:   "cache-ttl",
-			Usage:  "Cache timeout in hours. Defaults to two weeks.",
-			EnvVar: "PLUGIN_CACHE_TTL",
-		},
-		cli.StringFlag{
-			Name:   "artifact-file",
-			Usage:  "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
-			EnvVar: "PLUGIN_ARTIFACT_FILE",
-		},
-		cli.BoolFlag{
-			Name:   "no-push",
-			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
-			EnvVar: "PLUGIN_NO_PUSH",
-		},
-		cli.StringFlag{
-			Name:   "verbosity",
-			Usage:  "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
-			EnvVar: "PLUGIN_VERBOSITY",
-		},
-		cli.StringFlag{
-			Name:   "platform",
-			Usage:  "Allows to build with another default platform than the host, similarly to docker build --platform",
-			EnvVar: "PLUGIN_PLATFORM",
-		},
-		cli.BoolFlag{
-			Name:   "skip-unused-stages",
-			Usage:  "build only used stages",
-			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
-		},
-		cli.StringFlag{
-			Name:   "cache-dir",
-			Usage:  "Set this flag to specify a local directory cache for base images",
-			EnvVar: "PLUGIN_CACHE_DIR",
-		},
-
-		cli.BoolFlag{
-			Name:   "cache-copy-layers",
-			Usage:  "Enable or disable copying layers from the cache.",
-			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
-		},
-		cli.BoolFlag{
-			Name:   "cache-run-layers",
-			Usage:  "Enable or disable running layers from the cache.",
-			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
-		},
-		cli.BoolFlag{
-			Name:   "cleanup",
-			Usage:  "Enable or disable cleanup of temporary files.",
-			EnvVar: "PLUGIN_CLEANUP",
-		},
-		cli.BoolFlag{
-			Name:   "compressed-caching",
-			Usage:  "Enable or disable compressed caching.",
-			EnvVar: "PLUGIN_COMPRESSED_CACHING",
-		},
-		cli.StringFlag{
-			Name:   "context-sub-path",
-			Usage:  "Sub-path within the context to build.",
-			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
-		},
-		cli.StringFlag{
-			Name:   "custom-platform",
-			Usage:  "Platform to use for building.",
-			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
-		},
-		cli.BoolFlag{
-			Name:   "force",
-			Usage:  "Force building the image even if it already exists.",
-			EnvVar: "PLUGIN_FORCE",
-		},
-		cli.StringFlag{
-			Name:   "image-name-with-digest-file",
-			Usage:  "Write image name with digest to a file.",
-			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
-		},
-		cli.StringFlag{
-			Name:   "image-name-tag-with-digest-file",
-			Usage:  "Write image name with tag and digest to a file.",
-			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
-		},
-		cli.BoolFlag{
-			Name:   "insecure",
-			Usage:  "Allow connecting to registries without TLS.",
-			EnvVar: "PLUGIN_INSECURE",
-		},
-		cli.BoolFlag{
-			Name:   "insecure-pull",
-			Usage:  "Allow insecure pulls from the registry.",
-			EnvVar: "PLUGIN_INSECURE_PULL",
-		},
-		cli.StringFlag{
-			Name:   "insecure-registry",
-			Usage:  "Use plain HTTP for registry communication.",
-			EnvVar: "PLUGIN_INSECURE_REGISTRY",
-		},
-		cli.StringFlag{
-			Name:   "log-format",
-			Usage:  "Set the log format for build output.",
-			EnvVar: "PLUGIN_LOG_FORMAT",
-		},
-		cli.BoolFlag{
-			Name:   "log-timestamp",
-			Usage:  "Show timestamps in build output.",
-			EnvVar: "PLUGIN_LOG_TIMESTAMP",
-		},
-		cli.StringFlag{
-			Name:   "oci-layout-path",
-			Usage:  "Directory to store OCI layout.",
-			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
-		},
-		cli.IntFlag{
-			Name:   "push-retry",
-			Usage:  "Number of times to retry pushing an image.",
-			EnvVar: "PLUGIN_PUSH_RETRY",
-		},
-		cli.StringFlag{
-			Name:   "registry-certificate",
-			Usage:  "Path to a file containing a registry certificate.",
-			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
-		},
-		cli.StringFlag{
-			Name:   "registry-client-cert",
-			Usage:  "Path to a file containing a registry client certificate.",
-			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
-		},
-		cli.BoolFlag{
-			Name:   "skip-default-registry-fallback",
-			Usage:  "Skip Docker Hub and default registry fallback.",
-			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
-		},
-		cli.BoolFlag{
-			Name:   "reproducible",
-			Usage:  "Create a reproducible image.",
-			EnvVar: "PLUGIN_REPRODUCIBLE",
-		},
-		cli.BoolFlag{
-			Name:   "single-snapshot",
-			Usage:  "Only create a single snapshot of the image.",
-			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
-		},
-		cli.BoolFlag{
-			Name:   "skip-push-permission-check",
-			Usage:  "Skip permission check when pushing.",
-			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
-		},
-		cli.BoolFlag{
-			Name:   "skip-tls-verify-pull",
-			Usage:  "Skip TLS verification when pulling.",
-			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
-		},
-		cli.BoolFlag{
-			Name:   "skip-tls-verify-registry",
-			Usage:  "Skip TLS verification when connecting to a registry.",
-			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
-		},
-		cli.BoolFlag{
-			Name:   "use-new-run",
-			Usage:  "Skip TLS verification when connecting to a registry.",
-			EnvVar: "PLUGIN_USE_NEW_RUN",
-		},
-		cli.BoolFlag{
-			Name:   "ignore-var-run",
-			Usage:  "Ignore the /var/run directory during build.",
-			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
-		},
-		cli.StringFlag{
-			Name:   "ignore-path",
-			Usage:  "Path to ignore during the build.",
-			EnvVar: "PLUGIN_IGNORE_PATH",
-		},
-		cli.IntFlag{
-			Name:   "image-fs-extract-retry",
-			Usage:  "Number of retries for extracting filesystem layers.",
-			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
-		},
-		cli.IntFlag{
-			Name:   "image-download-retry",
-			Usage:  "Number of retries for downloading base images.",
-			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
-		},
-	}
-
-	if err := app.Run(os.Args); err != nil {
-		logrus.Fatal(err)
-	}
-}
-
-func run(c *cli.Context) error {
-	noPush := c.Bool("no-push")
-	jsonKey := c.String("json-key")
-
-	// JSON key may not be set in the following cases:
-	// 1. Image does not need to be pushed to GCR.
-	// 2. Workload identity is set on GKE in which pod will inherit the credentials via service account.
-	if jsonKey != "" {
-		if err := setupGCRAuth(jsonKey); err != nil {
-			return err
-		}
-
-		// setup docker config only when base image registry is specified
-		if c.String("base-image-registry") != ""{
-			if err := setDockerAuth(
-				c.String("base-image-username"),
-				c.String("base-image-password"),
-				c.String("base-image-registry"),
-			); err != nil {
-				return errors.Wrap(err, "failed to create docker config")
-			}
-		}
-	}
-
-	plugin := kaniko.Plugin{
-		Build: kaniko.Build{
-			DroneCommitRef:              c.String("drone-commit-ref"),
-			DroneRepoBranch:             c.String("drone-repo-branch"),
-			Dockerfile:                  c.String("dockerfile"),
-			Context:                     c.String("context"),
-			Tags:                        c.StringSlice("tags"),
-			AutoTag:                     c.Bool("auto-tag"),
-			AutoTagSuffix:               c.String("auto-tag-suffix"),
-			ExpandTag:                   c.Bool("expand-tag"),
-			Args:                        c.StringSlice("args"),
-			Target:                      c.String("target"),
-			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
-			Mirrors:                     c.StringSlice("registry-mirrors"),
-			Labels:                      c.StringSlice("custom-labels"),
-			SnapshotMode:                c.String("snapshot-mode"),
-			EnableCache:                 c.Bool("enable-cache"),
-			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
-			CacheTTL:                    c.Int("cache-ttl"),
-			DigestFile:                  defaultDigestFile,
-			NoPush:                      noPush,
-			Verbosity:                   c.String("verbosity"),
-			Platform:                    c.String("platform"),
-			SkipUnusedStages:            c.Bool("skip-unused-stages"),
-			CacheDir:                    c.String("cache-dir"),
-			CacheCopyLayers:             c.Bool("cache-copy-layers"),
-			CacheRunLayers:              c.Bool("cache-run-layers"),
-			Cleanup:                     c.Bool("cleanup"),
-			ContextSubPath:              c.String("context-sub-path"),
-			CustomPlatform:              c.String("custom-platform"),
-			Force:                       c.Bool("force"),
-			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
-			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
-			Insecure:                    c.Bool("insecure"),
-			InsecurePull:                c.Bool("insecure-pull"),
-			InsecureRegistry:            c.String("insecure-registry"),
-			Label:                       c.String("label"),
-			LogFormat:                   c.String("log-format"),
-			LogTimestamp:                c.Bool("log-timestamp"),
-			OCILayoutPath:               c.String("oci-layout-path"),
-			PushRetry:                   c.Int("push-retry"),
-			RegistryCertificate:         c.String("registry-certificate"),
-			RegistryClientCert:          c.String("registry-client-cert"),
-			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
-			Reproducible:                c.Bool("reproducible"),
-			SingleSnapshot:              c.Bool("single-snapshot"),
-			SkipTLSVerify:               c.Bool("skip-tls-verify"),
-			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
-			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
-			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
-			UseNewRun:                   c.Bool("use-new-run"),
-			IgnorePath:                  c.String("ignore-path"),
-			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
-			ImageDownloadRetry:          c.Int("image-download-retry"),
-		},
-		Artifact: kaniko.Artifact{
-			Tags:         c.StringSlice("tags"),
-			Repo:         c.String("repo"),
-			Registry:     c.String("registry"),
-			ArtifactFile: c.String("artifact-file"),
-			RegistryType: artifact.GCR,
-		},
-	}
-	if c.IsSet("compressed-caching") {
-		flag := c.Bool("compressed-caching")
-		plugin.Build.CompressedCaching = &flag
-	}
-	if c.IsSet("ignore-var-run") {
-		flag := c.Bool("ignore-var-run")
-		plugin.Build.IgnoreVarRun = &flag
-	}
-	return plugin.Exec()
-}
-
-func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) (error) {
-	dockerConfig := docker.NewConfig()
-	dockerRegistryCreds := docker.RegistryCredentials{
-		Registry: dockerRegistry,
-		Username: dockerUsername,
-		Password: dockerPassword,
-	}
-	credentials := []docker.RegistryCredentials{dockerRegistryCreds}
-	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
-}
-
-func setupGCRAuth(jsonKey string) error {
-	err := ioutil.WriteFile(gcrKeyPath, []byte(jsonKey), 0644)
-	if err != nil {
-		return errors.Wrap(err, "failed to write GCR JSON key")
-	}
-
-	err = os.Setenv(gcrEnvVariable, gcrKeyPath)
-	if err != nil {
-		return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", gcrEnvVariable))
-	}
-	return nil
-}

docker/acr/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
 
-ENV KANIKO_VERSION=1.23.2
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]

docker/acr/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.23.0
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
 
 ENV HOME /root
 ENV USER root
 
-ENV KANIKO_VERSION=1.23.0
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/arm64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]

docker/docker/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
 
-ENV KANIKO_VERSION=1.23.2
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
 
 ENV HOME /root
 ENV USER root
 
-ENV KANIKO_VERSION=1.23.2
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/arm64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/ecr/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
 
-ENV KANIKO_VERSION=1.23.2
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
 
 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.23.2
+ENV KANIKO_VERSION=1.25.0
 
 ADD release/linux/arm64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/gar/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
 
-ENV KANIKO_VERSION=1.23.2
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-gar /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
 
 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.23.2
+ENV KANIKO_VERSION=1.25.0
 
 ADD release/linux/arm64/kaniko-gar /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gcr/Dockerfile.linux.amd64

@@ -1,5 +0,0 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
-
-ENV KANIKO_VERSION=1.23.2
-ADD release/linux/amd64/kaniko-gcr /kaniko/
-ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.amd64.kaniko1.9.1

@@ -1,5 +0,0 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
-
-ENV KANIKO_VERSION=1.9.1
-ADD release/linux/amd64/kaniko-gcr /kaniko/
-ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.arm64

@@ -1,8 +0,0 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
-
-ENV HOME /root
-ENV USER root
-ENV KANIKO_VERSION=1.23.2
-
-ADD release/linux/arm64/kaniko-gcr /kaniko/
-ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.arm64.kaniko1.9.1

@@ -1,5 +0,0 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
-
-ENV KANIKO_VERSION=1.9.1
-ADD release/linux/arm64/kaniko-gcr /kaniko/
-ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/manifest-kaniko1.9.1.tmpl

@@ -1,18 +0,0 @@
-image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
-{{#if build.tags}}
-tags:
-{{#each build.tags}}
-  - {{this}}
-{{/each}}
-{{/if}}
-manifests:
-  -
-    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
-    platform:
-      architecture: amd64
-      os: linux
-  -
-    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
-    platform:
-      architecture: arm64
-      os: linux

docker/gcr/manifest.tmpl

@@ -1,18 +0,0 @@
-image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
-{{#if build.tags}}
-tags:
-{{#each build.tags}}
-  - {{this}}
-{{/each}}
-{{/if}}
-manifests:
-  -
-    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
-    platform:
-      architecture: amd64
-      os: linux
-  -
-    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
-    platform:
-      architecture: arm64
-      os: linux

go.mod

@@ -10,15 +10,15 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8
 	github.com/aws/smithy-go v1.12.0
 	github.com/coreos/go-semver v0.3.0
-	github.com/google/go-cmp v0.5.9
-	github.com/google/go-containerregistry v0.20.2
+	github.com/google/go-cmp v0.6.0
+	github.com/google/go-containerregistry v0.20.3
 	github.com/hashicorp/go-version v1.6.0
 	github.com/joho/godotenv v1.4.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.8.4
-	github.com/urfave/cli v1.22.12
-	golang.org/x/mod v0.17.0
+	github.com/stretchr/testify v1.9.0
+	github.com/urfave/cli v1.22.15
+	golang.org/x/mod v0.22.0
 )
 
 require (
@@ -32,31 +32,32 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v27.1.1+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/cli v27.5.0+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/klauspost/compress v1.16.5 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/vbatts/tar-split v0.11.3 // indirect
+	github.com/vbatts/tar-split v0.11.6 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-go 1.22.4
+go 1.23.0
+
+toolchain go1.23.8

go.sum

@@ -6,7 +6,7 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
 github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 h1:TsFCaaF5tR4XN8b4zLVl/J4qMb0nf80Q4CXcpXDNJDY=
 github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/aws/aws-sdk-go v1.44.52 h1:kHLbYJj59C7VrsLM4gm7pxsvaNIvhXCCIDYEFFoQ+VE=
 github.com/aws/aws-sdk-go v1.44.52/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns=
@@ -35,35 +35,34 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 h1:yOfILxyjmtr2ubRkRJldlHDFBhf5
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.9/go.mod h1:O1IvkYxr+39hRf960Us6j0x1P8pDqhTX+oXM5kQNl/Y=
 github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0=
 github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
-github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
-github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
-github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
-github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
+github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvDaFkLctbGM=
+github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
+github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo=
-github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI=
+github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -75,12 +74,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
 github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
-github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
@@ -88,61 +83,56 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
-github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/urfave/cli v1.22.12 h1:igJgVw1JdKH+trcLWLeLwZjU9fEfPesQ+9/e4MQ44S8=
-github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
-github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
-github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
+github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
+github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
+github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

internal/azure/tokenutil.go

@@ -0,0 +1,72 @@
+package azure
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+const DefaultResource = "https://management.azure.com/"
+const defaultAuthorityHost = "https://login.microsoftonline.com"
+const defaultHTTPTimeout = 30 * time.Second
+
+// GetAADAccessTokenViaClientAssertion exchanges an external OIDC ID token for an Azure AD access token
+
+func GetAADAccessTokenViaClientAssertion(ctx context.Context, tenantID, clientID, oidcToken, authorityHost string) (string, error) {
+	resource := DefaultResource
+
+	form := url.Values{
+		"client_id":             {clientID},
+		"scope":                 {resource + ".default"},
+		"grant_type":            {"client_credentials"},
+		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
+		"client_assertion":      {oidcToken},
+	}
+	base := authorityHost
+	if strings.TrimSpace(base) == "" {
+		base = defaultAuthorityHost
+	}
+	base = strings.TrimRight(base, "/")
+	endpoint := fmt.Sprintf("%s/%s/oauth2/v2.0/token", base, tenantID)
+	client := &http.Client{Timeout: defaultHTTPTimeout}
+	req, err := http.NewRequestWithContext(ctx, "POST", endpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		var aadErr struct {
+			Error            string `json:"error"`
+			ErrorDescription string `json:"error_description"`
+		}
+		limited := io.LimitedReader{R: resp.Body, N: 4096}
+		_ = json.NewDecoder(&limited).Decode(&aadErr)
+		if aadErr.Error != "" {
+			return "", fmt.Errorf("AAD token request failed: status=%d, error=%s", resp.StatusCode, aadErr.Error)
+		}
+		return "", fmt.Errorf("AAD token request failed: status=%d", resp.StatusCode)
+	}
+	var payload struct {
+		AccessToken string `json:"access_token"`
+		TokenType   string `json:"token_type"`
+		ExpiresIn   int    `json:"expires_in"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+		return "", err
+	}
+	if payload.AccessToken == "" {
+		return "", fmt.Errorf("AAD token response missing access_token")
+	}
+	return payload.AccessToken, nil
+}

internal/azure/tokenutil_test.go

@@ -0,0 +1,103 @@
+package azure
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestGetAADAccessTokenViaClientAssertion_Success(t *testing.T) {
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Fatalf("expected POST, got %s", r.Method)
+		}
+		if ct := r.Header.Get("Content-Type"); !strings.Contains(ct, "application/x-www-form-urlencoded") {
+			t.Fatalf("expected form content-type, got %s", ct)
+		}
+		if err := r.ParseForm(); err != nil {
+			t.Fatalf("failed parsing form: %v", err)
+		}
+		assertEq(t, r.Form.Get("client_id"), "client")
+		assertEq(t, r.Form.Get("grant_type"), "client_credentials")
+		assertEq(t, r.Form.Get("client_assertion_type"), "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
+		assertEq(t, r.Form.Get("client_assertion"), "idtoken")
+		assertEq(t, r.Form.Get("scope"), DefaultResource+".default")
+
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"access_token":"AT","token_type":"Bearer","expires_in":3600}`))
+	}))
+	defer ts.Close()
+
+	tok, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if tok != "AT" {
+		t.Fatalf("expected access token AT, got %q", tok)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_400WithErrorField(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write([]byte(`{"error":"invalid_client","error_description":"bad"}`))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "status=400") || !strings.Contains(err.Error(), "invalid_client") {
+		t.Fatalf("expected 400 with invalid_client error, got %v", err)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_400WithoutErrorField(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write([]byte("{}"))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "status=400") {
+		t.Fatalf("expected 400 error, got %v", err)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_MalformedJSON(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte("not-json"))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil {
+		t.Fatalf("expected JSON decode error, got nil")
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_MissingAccessToken(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"token_type":"Bearer","expires_in":3600}`))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "missing access_token") {
+		t.Fatalf("expected missing access_token error, got %v", err)
+	}
+}
+
+func assertEq(t *testing.T, got, want string) {
+	t.Helper()
+	if got != want {
+		t.Fatalf("mismatch: got=%q want=%q", got, want)
+	}
+}

kaniko.go

@@ -49,41 +49,42 @@ type (
 		Target              string   // Docker build target
 		Verbosity           string   // Log level
 
-		Cache                       bool   // Enable or disable caching during the build process.
-		CacheDir                    string // Directory to store cached layers.
-		CacheCopyLayers             bool   // Enable or disable copying layers from the cache.
-		CacheRunLayers              bool   // Enable or disable running layers from the cache.
-		Cleanup                     bool   // Enable or disable cleanup of temporary files.
-		CompressedCaching           *bool  // Enable or disable compressed caching.
-		ContextSubPath              string // Sub-path within the context to build.
-		CustomPlatform              string // Platform to use for building.
-		Force                       bool   // Force building the image even if it already exists.
-		Git                         bool   // Branch to clone if build context is a git repository .
-		ImageNameWithDigestFile     string // Write image name with digest to a file.
-		ImageNameTagWithDigestFile  string // Write image name with tag and digest to a file.
-		Insecure                    bool   // Allow connecting to registries without TLS.
-		InsecurePull                bool   // Allow insecure pulls from the registry.
-		InsecureRegistry            string // Use plain HTTP for registry communication.
-		Label                       string // Add metadata to an image.
-		LogFormat                   string // Set the log format for build output.
-		LogTimestamp                bool   // Show timestamps in build output.
-		OCILayoutPath               string // Directory to store OCI layout.
-		PushRetry                   int    // Number of times to retry pushing an image.
-		RegistryCertificate         string // Path to a file containing a registry certificate.
-		RegistryClientCert          string // Path to a file containing a registry client certificate.
-		RegistryMirror              string // Mirror for registry pulls.
-		SkipDefaultRegistryFallback bool   // Skip Docker Hub and default registry fallback.
-		Reproducible                bool   // Create a reproducible image.
-		SingleSnapshot              bool   // Only create a single snapshot of the image.
-		SkipTLSVerify               bool   // Skip TLS verification when connecting to the registry.
-		SkipPushPermissionCheck     bool   // Skip permission check when pushing.
-		SkipTLSVerifyPull           bool   // Skip TLS verification when pulling.
-		SkipTLSVerifyRegistry       bool   // Skip TLS verification when connecting to a registry.
-		UseNewRun                   bool   // Use the new container runtime (`runc`) for builds.
-		IgnoreVarRun                *bool  // Ignore `/var/run` when copying from the context.
-		IgnorePath                  string // Ignore files matching the specified path pattern.
-		ImageFSExtractRetry         int    // Number of times to retry extracting the image filesystem.
-		ImageDownloadRetry          int    // Number of times to retry downloading layers.
+		Cache                       bool     // Enable or disable caching during the build process.
+		CacheDir                    string   // Directory to store cached layers.
+		CacheCopyLayers             bool     // Enable or disable copying layers from the cache.
+		CacheRunLayers              bool     // Enable or disable running layers from the cache.
+		Cleanup                     bool     // Enable or disable cleanup of temporary files.
+		CompressedCaching           *bool    // Enable or disable compressed caching.
+		ContextSubPath              string   // Sub-path within the context to build.
+		CustomPlatform              string   // Platform to use for building.
+		Force                       bool     // Force building the image even if it already exists.
+		Git                         bool     // Branch to clone if build context is a git repository .
+		ImageNameWithDigestFile     string   // Write image name with digest to a file.
+		ImageNameTagWithDigestFile  string   // Write image name with tag and digest to a file.
+		Insecure                    bool     // Allow connecting to registries without TLS.
+		InsecurePull                bool     // Allow insecure pulls from the registry.
+		InsecureRegistry            string   // Use plain HTTP for registry communication.
+		Label                       string   // Add metadata to an image.
+		LogFormat                   string   // Set the log format for build output.
+		LogTimestamp                bool     // Show timestamps in build output.
+		OCILayoutPath               string   // Directory to store OCI layout.
+		PushRetry                   int      // Number of times to retry pushing an image.
+		RegistryCertificate         string   // Path to a file containing a registry certificate.
+		RegistryClientCert          string   // Path to a file containing a registry client certificate.
+		RegistryMirror              string   // Mirror for registry pulls.
+		SkipDefaultRegistryFallback bool     // Skip Docker Hub and default registry fallback.
+		Reproducible                bool     // Create a reproducible image.
+		SingleSnapshot              bool     // Only create a single snapshot of the image.
+		SkipTLSVerify               bool     // Skip TLS verification when connecting to the registry.
+		SkipPushPermissionCheck     bool     // Skip permission check when pushing.
+		SkipTLSVerifyPull           bool     // Skip TLS verification when pulling.
+		SkipTLSVerifyRegistry       bool     // Skip TLS verification when connecting to a registry.
+		UseNewRun                   bool     // Use the new container runtime (`runc`) for builds.
+		IgnoreVarRun                *bool    // Ignore `/var/run` when copying from the context.
+		IgnorePath                  string   // Ignore files matching the specified path pattern.
+		IgnorePaths                 []string // Ignore files matching the specified path pattern.
+		ImageFSExtractRetry         int      // Number of times to retry extracting the image filesystem.
+		ImageDownloadRetry          int      // Number of times to retry downloading layers.
 	}
 
 	// Artifact defines content of artifact file
@@ -448,6 +449,15 @@ func (p Plugin) Exec() error {
 		cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", p.Build.IgnorePath))
 	}
 
+	if p.Build.IgnorePaths != nil {
+		for _, path := range p.Build.IgnorePaths {
+			trimmed := strings.TrimSpace(path)
+			if trimmed != "" {
+				cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", trimmed))
+			}
+		}
+	}
+
 	if p.Build.ImageFSExtractRetry != 0 {
 		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-fs-extract-retry=%d", p.Build.ImageFSExtractRetry))
 	}
@@ -473,14 +483,13 @@ func (p Plugin) Exec() error {
 		}
 	}
 
-	if p.Output.OutputFile != "" {
-		var tarPath string
-		if p.Build.TarPath != "" {
-			tarPath = getTarPath(p.Build.TarPath)
-		}
-		if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile), tarPath); err != nil {
-			fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
-		}
+	p.Output.OutputFile = os.Getenv("DRONE_OUTPUT")
+	var tarPath string
+	if p.Build.TarPath != "" {
+		tarPath = getTarPath(p.Build.TarPath)
+	}
+	if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile), tarPath); err != nil {
+		fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
 	}
 
 	return nil

pkg/artifact/artifact.go

@@ -19,7 +19,6 @@ type RegistryTypeEnum string
 const (
 	Docker RegistryTypeEnum = "Docker"
 	ECR    RegistryTypeEnum = "ECR"
-	GCR    RegistryTypeEnum = "GCR"
 	GAR    RegistryTypeEnum = "GAR"
 )
 
@@ -75,3 +74,4 @@ func WritePluginArtifactFile(registryType RegistryTypeEnum, artifactFilePath, re
 	}
 	return nil
 }
+

pkg/docker/config_test.go

@@ -33,7 +33,7 @@ func TestConfig(t *testing.T) {
 			Password: "pass1",
 		},
 		{
-			Registry: "gcr.io",
+			Registry: "us-docker.pkg.dev",
 			Username: "user2",
 			Password: "pass2",
 		},

pkg/utils/custom_string_slice.go

@@ -1,4 +1,4 @@
-package main
+package utils
 
 import (
 	"strings"
@@ -10,6 +10,7 @@ type CustomStringSliceFlag struct {
 	Value []string
 }
 
+// GetValue returns the slice of strings stored in the flag
 func (f *CustomStringSliceFlag) GetValue() []string {
 	if f.Value == nil {
 		return make([]string, 0)
@@ -17,6 +18,7 @@ func (f *CustomStringSliceFlag) GetValue() []string {
 	return f.Value
 }
 
+// String returns a string representation of the flag
 func (f *CustomStringSliceFlag) String() string {
 	if f.Value == nil {
 		return ""
@@ -24,6 +26,7 @@ func (f *CustomStringSliceFlag) String() string {
 	return strings.Join(f.Value, ";")
 }
 
+// Set sets the value of the flag from a string
 func (f *CustomStringSliceFlag) Set(v string) error {
 	for _, s := range strings.Split(v, ";") {
 		s = strings.TrimSpace(s)

scripts/build.sh

@@ -10,19 +10,16 @@ set -e
 set -x
 
 # linux
-GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gcr    ./cmd/kaniko-gcr
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-acr    ./cmd/kaniko-acr
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-ecr    ./cmd/kaniko-ecr
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gar    ./cmd/kaniko-gar
 
-GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gcr    ./cmd/kaniko-gcr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-acr    ./cmd/kaniko-acr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-ecr    ./cmd/kaniko-ecr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-docker ./cmd/kaniko-docker
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gar    ./cmd/kaniko-gar
 
-GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-gcr      ./cmd/kaniko-gcr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-acr      ./cmd/kaniko-acr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-ecr      ./cmd/kaniko-ecr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-docker   ./cmd/kaniko-docker

scripts/docker.sh

@@ -14,13 +14,11 @@ set -e
 set -x
 
 # build the binary
-go build -o release/linux/amd64/kaniko-gcr    ./cmd/kaniko-gcr
 go build -o release/linux/amd64/kaniko-gar    ./cmd/kaniko-gar
 go build -o release/linux/amd64/kaniko-ecr    ./cmd/kaniko-ecr
 go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
 
 # build the docker image
-docker build -f docker/gcr/Dockerfile.linux.amd64    -t plugins/kaniko-gcr .
 docker build -f docker/gar/Dockerfile.linux.amd64    -t plugins/kaniko-gar .
 docker build -f docker/ecr/Dockerfile.linux.amd64    -t plugins/kaniko-ecr .
 docker build -f docker/docker/Dockerfile.linux.amd64 -t plugins/kaniko .