fix: [CI-14845]: support for build args which has comma seperated values

* feat: [Ci-14242]: add oidc support for ecr

* fix: [CI-14242]: error handling for oidc kakniko-ecr

.drone.yml

@@ -1,10 +1,17 @@
 kind: pipeline
-type: docker
+type: vm
 name: default
 
+pool:
+  use: ubuntu
+
+platform:
+  os: linux
+  arch: amd64
+
 steps:
 - name: build
-  image: golang:1.18
+  image: golang:1.22.4
   commands:
   - go test ./...
   - sh scripts/build.sh
@@ -43,6 +50,23 @@ steps:
       exclude:
       - pull_request
 
+- name: gar
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-amd64
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.amd64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
+
 - name: ecr
   image: plugins/docker
   settings:
@@ -77,14 +101,14 @@ steps:
       exclude:
       - pull_request
 
-- name: docker-kaniko-v1-8
+- name: docker-kaniko-v1-9
   image: plugins/docker
   settings:
     repo: plugins/kaniko
     auto_tag: true
-    auto_tag_suffix: linux-amd64-kaniko1.8.1
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
     daemon_off: false
-    dockerfile: docker/docker/Dockerfile.linux.amd64.kaniko1.8.1
+    dockerfile: docker/docker/Dockerfile.linux.amd64.kaniko1.9.1
     username:
       from_secret: docker_username
     password:
@@ -94,14 +118,14 @@ steps:
       exclude:
       - pull_request
 
-- name: gcr-kaniko-v1-8
+- name: gcr-kaniko-v1-9
   image: plugins/docker
   settings:
     repo: plugins/kaniko-gcr
     auto_tag: true
-    auto_tag_suffix: linux-amd64-kaniko1.8.1
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
     daemon_off: false
-    dockerfile: docker/gcr/Dockerfile.linux.amd64.kaniko1.8.1
+    dockerfile: docker/gcr/Dockerfile.linux.amd64.kaniko1.9.1
     username:
       from_secret: docker_username
     password:
@@ -111,15 +135,31 @@ steps:
       exclude:
       - pull_request
 
+- name: gar-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.amd64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
 
-- name: ecr-kaniko-v1-8
+- name: ecr-kaniko-v1-9
   image: plugins/docker
   settings:
     repo: plugins/kaniko-ecr
     auto_tag: true
-    auto_tag_suffix: linux-amd64-kaniko1.8.1
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
     daemon_off: false
-    dockerfile: docker/ecr/Dockerfile.linux.amd64.kaniko1.8.1
+    dockerfile: docker/ecr/Dockerfile.linux.amd64.kaniko1.9.1
     username:
       from_secret: docker_username
     password:
@@ -130,16 +170,15 @@ steps:
       - pull_request
 ---
 kind: pipeline
-type: docker
+type: vm
 name: arm
 
-platform:
-  os: linux
-  arch: arm64
+pool:
+  use: ubuntu_arm64
 
 steps:
 - name: build
-  image: golang:1.18
+  image: golang:1.22.4
   commands:
   - go test ./...
   - sh scripts/build.sh
@@ -178,6 +217,23 @@ steps:
       exclude:
       - pull_request
 
+- name: gar
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-arm64
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.arm64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
+
 - name: ecr
   image: plugins/docker
   settings:
@@ -212,14 +268,14 @@ steps:
       exclude:
       - pull_request
 
-- name: docker-kaniko-v1-8
+- name: docker-kaniko-v1-9
   image: plugins/docker
   settings:
     repo: plugins/kaniko
     auto_tag: true
-    auto_tag_suffix: linux-arm64-kaniko1.8.1
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
     daemon_off: false
-    dockerfile: docker/docker/Dockerfile.linux.arm64.kaniko1.8.1
+    dockerfile: docker/docker/Dockerfile.linux.arm64.kaniko1.9.1
     username:
       from_secret: docker_username
     password:
@@ -229,14 +285,14 @@ steps:
       exclude:
       - pull_request
 
-- name: gcr-kaniko-v1-8
+- name: gcr-kaniko-v1-9
   image: plugins/docker
   settings:
     repo: plugins/kaniko-gcr
     auto_tag: true
-    auto_tag_suffix: linux-arm64-kaniko1.8.1
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
     daemon_off: false
-    dockerfile: docker/gcr/Dockerfile.linux.arm64.kaniko1.8.1
+    dockerfile: docker/gcr/Dockerfile.linux.arm64.kaniko1.9.1
     username:
       from_secret: docker_username
     password:
@@ -246,15 +302,31 @@ steps:
       exclude:
       - pull_request
 
+- name: gar-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.arm64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
 
-- name: ecr-kaniko-v1-8
+- name: ecr-kaniko-v1-9
   image: plugins/docker
   settings:
     repo: plugins/kaniko-ecr
     auto_tag: true
-    auto_tag_suffix: linux-arm64-kaniko1.8.1
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
     daemon_off: false
-    dockerfile: docker/ecr/Dockerfile.linux.arm64.kaniko1.8.1
+    dockerfile: docker/ecr/Dockerfile.linux.arm64.kaniko1.9.1
     username:
       from_secret: docker_username
     password:
@@ -265,9 +337,12 @@ steps:
       - pull_request
 ---
 kind: pipeline
-type: docker
+type: vm
 name: notifications-docker
 
+pool:
+  use: ubuntu
+
 platform:
   os: linux
   arch: amd64
@@ -297,6 +372,18 @@ steps:
     username:
       from_secret: docker_username
 
+- name: manifest-gar
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: true
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/gar/manifest.tmpl
+    username:
+      from_secret: docker_username
+
 - name: manifest-acr
   pull: always
   image: plugins/manifest
@@ -332,9 +419,12 @@ depends_on:
 
 ---
 kind: pipeline
-type: docker
+type: vm
 name: notifications-docker-kaniko1-8
 
+pool:
+  use: ubuntu
+
 platform:
   os: linux
   arch: amd64
@@ -348,7 +438,7 @@ steps:
     ignore_missing: true
     password:
       from_secret: docker_password
-    spec: docker/docker/manifest-kaniko1.8.1.tmpl
+    spec: docker/docker/manifest-kaniko1.9.1.tmpl
     username:
       from_secret: docker_username
 
@@ -360,7 +450,19 @@ steps:
     ignore_missing: true
     password:
       from_secret: docker_password
-    spec: docker/gcr/manifest-kaniko1.8.1.tmpl
+    spec: docker/gcr/manifest-kaniko1.9.1.tmpl
+    username:
+      from_secret: docker_username
+
+- name: manifest-gar
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: false
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/gar/manifest-kaniko1.9.1.tmpl
     username:
       from_secret: docker_username
 
@@ -372,7 +474,7 @@ steps:
     ignore_missing: true
     password:
       from_secret: docker_password
-    spec: docker/ecr/manifest-kaniko1.8.1.tmpl
+    spec: docker/ecr/manifest-kaniko1.9.1.tmpl
     username:
       from_secret: docker_username
 

README.md

@@ -2,7 +2,13 @@
 
 Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko) to build and publish Docker images to a container registry.
 
-Plugin images are published with 1.6.0 as well as 1.8.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.8.1` uses 1.8.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.
+Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.
+
+Run the following script to install git-leaks support to this repo.
+```
+chmod +x ./git-hooks/install.sh
+./git-hooks/install.sh
+```
 
 ## Build
 

cmd/kaniko-acr/main.go

@@ -23,12 +23,11 @@ import (
 )
 
 const (
-	dockerPath         string = "/kaniko/.docker"
 	clientIdEnv        string = "AZURE_CLIENT_ID"
 	clientSecretKeyEnv string = "AZURE_CLIENT_SECRET"
+	dockerConfigPath   string = "/kaniko/.docker"
 	tenantKeyEnv       string = "AZURE_TENANT_ID"
 	certPathEnv        string = "AZURE_CLIENT_CERTIFICATE_PATH"
-	dockerConfigPath   string = "/kaniko/.docker"
 	defaultDigestFile  string = "/kaniko/digest-file"
 	finalUrl           string = "https://portal.azure.com/#view/Microsoft_Azure_ContainerRegistries/TagMetadataBlade/registryId/"
 )
@@ -37,6 +36,7 @@ var (
 	ACRCertPath   = "/kaniko/acr-cert.pem"
 	pluginVersion = "unknown"
 	username      = "00000000-0000-0000-0000-000000000000"
+	maxPageCount  = 1000 // maximum count of pages to cycle through before we break out
 )
 
 func main() {
@@ -121,6 +121,21 @@ func main() {
 			Usage:  "ACR registry",
 			EnvVar: "PLUGIN_REGISTRY",
 		},
+		cli.StringFlag{
+			Name:   "base-image-registry",
+			Usage:  "Docker registry for base image",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "base-image-username",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
+		},
+		cli.StringFlag{
+			Name:   "base-image-password",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
+		},
 		cli.StringSliceFlag{
 			Name:   "registry-mirrors",
 			Usage:  "docker registry mirrors",
@@ -206,6 +221,157 @@ func main() {
 			Usage:  "build only used stages",
 			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
 		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringSliceFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -224,6 +390,9 @@ func run(c *cli.Context) error {
 		c.String("client-secret"),
 		c.String("subscription-id"),
 		registry,
+		c.String("base-image-username"),
+		c.String("base-image-password"),
+		c.String("base-image-registry"),
 		noPush,
 	)
 	if err != nil {
@@ -232,28 +401,58 @@ func run(c *cli.Context) error {
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			DroneCommitRef:   c.String("drone-commit-ref"),
-			DroneRepoBranch:  c.String("drone-repo-branch"),
-			Dockerfile:       c.String("dockerfile"),
-			Context:          c.String("context"),
-			Tags:             c.StringSlice("tags"),
-			AutoTag:          c.Bool("auto-tag"),
-			AutoTagSuffix:    c.String("auto-tag-suffix"),
-			ExpandTag:        c.Bool("expand-tag"),
-			Args:             c.StringSlice("args"),
-			Target:           c.String("target"),
-			Repo:             c.String("repo"),
-			Mirrors:          c.StringSlice("registry-mirrors"),
-			Labels:           c.StringSlice("custom-labels"),
-			SnapshotMode:     c.String("snapshot-mode"),
-			EnableCache:      c.Bool("enable-cache"),
-			CacheRepo:        fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
-			CacheTTL:         c.Int("cache-ttl"),
-			DigestFile:       defaultDigestFile,
-			NoPush:           noPush,
-			Verbosity:        c.String("verbosity"),
-			Platform:         c.String("platform"),
-			SkipUnusedStages: c.Bool("skip-unused-stages"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        c.String("repo"),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -263,11 +462,19 @@ func run(c *cli.Context) error {
 			RegistryType: artifact.Docker,
 		},
 	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
 	return plugin.Exec()
 }
 
 func setupAuth(tenantId, clientId, cert,
-	clientSecret, subscriptionId, registry string, noPush bool) (string, error) {
+	clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry string, noPush bool) (string, error) {
 	if registry == "" {
 		return "", fmt.Errorf("registry must be specified")
 	}
@@ -284,8 +491,9 @@ func setupAuth(tenantId, clientId, cert,
 		if err != nil {
 			return "", errors.Wrap(err, "failed to fetch ACR Token")
 		}
-		err = docker.CreateDockerCfgFile(username, token, registry, dockerConfigPath)
-		if err != nil {
+
+		// setup docker config for azure registry and base image docker registry
+		if err := setDockerAuth(username, token, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
 			return "", errors.Wrap(err, "failed to create docker config")
 		}
 		return publicUrl, nil
@@ -407,32 +615,75 @@ func getPublicUrl(token, registryUrl, subscriptionId string) (string, error) {
 	}
 
 	registry := strings.Split(registryUrl, ".")[0]
-	burl := "https://management.azure.com/subscriptions/" +
+	baseURL := "https://management.azure.com/subscriptions/" +
 		subscriptionId + "/resources?$filter=resourceType%20eq%20'Microsoft.ContainerRegistry/registries'%20and%20name%20eq%20'" +
 		registry + "'&api-version=2021-04-01&$select=id"
 
 	method := "GET"
 	client := &http.Client{}
-	req, err := http.NewRequest(method, burl, nil)
-	if err != nil {
-		fmt.Println(err)
-		return "", errors.Wrap(err, "failed to create request for getting container registry setting")
+
+	cnt := 0
+
+	for {
+		// this is just in case we end up cycling through nextLink's infinitely.
+		// this should not happen - added as a precaution.
+		if cnt > maxPageCount {
+			break
+		}
+		cnt++
+		req, err := http.NewRequest(method, baseURL, nil)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to create request for getting container registry setting")
+		}
+
+		req.Header.Add("Authorization", "Bearer "+token)
+		res, err := client.Do(req)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+		}
+		defer res.Body.Close()
+
+		var response strct
+		err = json.NewDecoder(res.Body).Decode(&response)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+		}
+
+		if len(response.Value) > 0 {
+			if response.Value[0].ID == "" { // should not happen
+				return "", errors.New("received empty registry ID from /subscriptions API")
+			}
+			return finalUrl + encodeParam(response.Value[0].ID), nil
+		}
+
+		if response.NextLink == "" {
+			// No more pages, break the loop
+			break
+		}
+
+		baseURL = response.NextLink
 	}
 
-	req.Header.Add("Authorization", "Bearer "+token)
-	res, err := client.Do(req)
-	if err != nil {
-		fmt.Println(err)
-		return "", errors.Wrap(err, "failed to send request for getting container registry setting")
-	}
-	defer res.Body.Close()
+	return "", errors.New("did not receive any registry information from /subscriptions API")
+}
 
-	var response strct
-	err = json.NewDecoder(res.Body).Decode(&response)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+func setDockerAuth(username, password, registry, dockerUsername, dockerPassword, dockerRegistry string) error {
+	dockerConfig := docker.NewConfig()
+	pushToRegistryCreds := docker.RegistryCredentials{
+		Registry: registry,
+		Username: username,
+		Password: password,
 	}
-	return finalUrl + encodeParam(response.Value[0].ID), nil
+
+	pullFromRegistryCreds := docker.RegistryCredentials{
+		Registry: dockerRegistry,
+		Username: dockerUsername,
+		Password: dockerPassword,
+	}
+
+	credentials := []docker.RegistryCredentials{pushToRegistryCreds, pullFromRegistryCreds}
+	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
+
 }
 
 func encodeParam(s string) string {
@@ -443,4 +694,5 @@ type strct struct {
 	Value []struct {
 		ID string `json:"id"`
 	} `json:"value"`
+	NextLink string `json:"nextLink"` // for pagination
 }

cmd/kaniko-acr/main_test.go

@@ -0,0 +1,156 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	v2RegistryURL string = "https://index.docker.io/v2/" // v2 registry is not supported
+)
+
+func TestCreateDockerConfigWithBaseRegistry(t *testing.T) {
+	username := "user1"
+	password := "pass1"
+	registry := "azurecr.io"
+	dockerUsername := "dockeruser"
+	dockerPassword := "dockerpass"
+	dockerRegistry := "https://index.docker.io/v1/"
+	privateRegistry := "privateDockerRegistry"
+	privateRegistryUsername := "priaveUsername"
+	privateRegistryPassword := "privatePassword"
+
+	credentials := []docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: username,
+			Password: password,
+		},
+		{
+			Registry: dockerRegistry,
+			Username: dockerUsername,
+			Password: dockerPassword,
+		},
+		{
+			Registry: privateRegistry,
+			Username: privateRegistryUsername,
+			Password: privateRegistryPassword,
+		},
+	}
+
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	config := docker.NewConfig()
+	err = config.CreateDockerConfig(credentials, tempDir)
+	assert.NoError(t, err)
+
+	expectedAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(username + ":" + password))}
+	assert.Equal(t, expectedAuth, config.Auths[registry])
+
+	expectedDockerAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(dockerUsername + ":" + dockerPassword))}
+	assert.Equal(t, expectedDockerAuth, config.Auths[dockerRegistry])
+
+	configPath := filepath.Join(tempDir, "config.json")
+	data, err := ioutil.ReadFile(configPath)
+	assert.NoError(t, err)
+
+	var configFromFile docker.Config
+	err = json.Unmarshal(data, &configFromFile)
+	assert.NoError(t, err)
+
+	assert.Equal(t, config.Auths, configFromFile.Auths)
+
+	err = config.CreateDockerConfig([]docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: "",
+			Password: password,
+		},
+	}, tempDir)
+	assert.EqualError(t, err, "Username must be specified for registry: "+registry)
+
+	err = config.CreateDockerConfig([]docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: username,
+			Password: "",
+		},
+	}, tempDir)
+	assert.EqualError(t, err, "Password must be specified for registry: "+registry)
+
+	// v1 registry but without username password
+	err = config.CreateDockerConfig([]docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: username,
+			Password: password,
+		},
+		{
+			Registry: dockerRegistry,
+			Username: "",
+			Password: "",
+		},
+	}, tempDir)
+	assert.EqualError(t, err, "Username must be specified for registry: "+dockerRegistry)
+
+	// private base registry without username/password
+	err = config.CreateDockerConfig([]docker.RegistryCredentials{
+		{
+			Registry: privateRegistry,
+			Username: "",
+			Password: "",
+		},
+	}, tempDir)
+	assert.EqualError(t, err, "Username must be specified for registry: "+privateRegistry)
+
+}
+
+func TestCreateDockerConfigWithoutBaseRegistry(t *testing.T) {
+	username := "user1"
+	password := "pass1"
+	registry := "azurecr.io"
+
+	credentials := []docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: username,
+			Password: password,
+		},
+	}
+
+	// Create a temporary directory
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	config := docker.NewConfig()
+	err = config.CreateDockerConfig(credentials, tempDir)
+	assert.NoError(t, err)
+
+	expectedAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(username + ":" + password))}
+	assert.Equal(t, expectedAuth, config.Auths[registry])
+
+	// Check the contents of the config.json file
+	configPath := filepath.Join(tempDir, "config.json")
+	data, err := ioutil.ReadFile(configPath)
+	assert.NoError(t, err)
+
+	var configFromFile docker.Config
+	err = json.Unmarshal(data, &configFromFile)
+	assert.NoError(t, err)
+
+	assert.Equal(t, config.Auths, configFromFile.Auths)
+
+	// Check if the public Docker Hub auth is not set
+	_, exists := config.Auths[""]
+	assert.False(t, exists)
+}

cmd/kaniko-docker/main.go

@@ -1,9 +1,6 @@
 package main
 
 import (
-	"encoding/base64"
-	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -14,6 +11,7 @@ import (
 
 	kaniko "github.com/drone/drone-kaniko"
 	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/docker"
 )
 
 const (
@@ -21,9 +19,7 @@ const (
 	dockerPath       string = "/kaniko/.docker"
 	dockerConfigPath string = "/kaniko/.docker/config.json"
 
-	v1RegistryURL    string = "https://index.docker.io/v1/" // Default registry
-	v2RegistryURL    string = "https://index.docker.io/v2/" // v2 registry is not supported
-	v2HubRegistryURL string = "https://registry.hub.docker.com/v2/"
+	v1RegistryURL string = "https://index.docker.io/v1/" // Default registry
 
 	defaultDigestFile string = "/kaniko/digest-file"
 )
@@ -91,9 +87,9 @@ func main() {
 			EnvVar: "PLUGIN_AUTO_TAG",
 		},
 		cli.StringFlag{
-			Name:   "dockerconfig-override",
-			Usage:  "use provided docker config override for docker auth",
-			EnvVar: "PLUGIN_DOCKERCONFIG_OVERRIDE",
+			Name:   "dockerconfig",
+			Usage:  "docker json dockerconfig",
+			EnvVar: "PLUGIN_CONFIG",
 		},
 		cli.StringFlag{
 			Name:   "auto-tag-suffix",
@@ -122,10 +118,15 @@ func main() {
 		},
 		cli.StringFlag{
 			Name:   "registry",
-			Usage:  "docker registry",
+			Usage:  "docker registry of registry to push image to",
 			Value:  v1RegistryURL,
 			EnvVar: "PLUGIN_REGISTRY",
 		},
+		cli.StringFlag{
+			Name:   "base-image-registry",
+			Usage:  "Docker registry for base image",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
+		},
 		cli.StringSliceFlag{
 			Name:   "registry-mirrors",
 			Usage:  "docker registry mirrors",
@@ -133,14 +134,24 @@ func main() {
 		},
 		cli.StringFlag{
 			Name:   "username",
-			Usage:  "docker username",
+			Usage:  "docker username of registry to push image to",
 			EnvVar: "PLUGIN_USERNAME",
 		},
+		cli.StringFlag{
+			Name:   "base-image-username",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
+		},
 		cli.StringFlag{
 			Name:   "password",
-			Usage:  "docker password",
+			Usage:  "docker password of registry to push image to",
 			EnvVar: "PLUGIN_PASSWORD",
 		},
+		cli.StringFlag{
+			Name:   "base-image-password",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
+		},
 		cli.BoolFlag{
 			Name:   "skip-tls-verify",
 			Usage:  "Skip registry tls verify",
@@ -176,6 +187,11 @@ func main() {
 			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
 			EnvVar: "PLUGIN_NO_PUSH",
 		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH",
+		},
 		cli.StringFlag{
 			Name:   "verbosity",
 			Usage:  "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -191,6 +207,162 @@ func main() {
 			Usage:  "build only used stages",
 			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
 		},
+		cli.StringFlag{
+			Name:   "output-file",
+			Usage:  "Output file location that will be generated by the plugin. This file will include information of the output that are exported by the plugin.",
+			EnvVar: "DRONE_OUTPUT",
+		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -201,45 +373,84 @@ func main() {
 func run(c *cli.Context) error {
 	username := c.String("username")
 	noPush := c.Bool("no-push")
-	configOverride := c.String("dockerconfig-override")
-
-	// if configOverride is provided, use this for docker auth
+	configOverride := c.String("dockerconfig")
+	// if configOverride is provided, use this directly to write to docker config file
 	if len(configOverride) > 0 {
-		if err := writeDockerCfgFile([]byte(c.String("dockerconfig-override"))); err != nil {
+		if err := docker.WriteDockerConfig([]byte(configOverride), dockerPath); err != nil {
 			return err
 		}
 	} else if !noPush || username != "" {
-		// setup auth when pushing or credentials are defined and docker config override is false
-		if err := createDockerCfgFile(username, c.String("password"), c.String("registry")); err != nil {
-			return err
+		// setup auth when pushing/pulling or credentials are defined and docker config override is false
+		err := setDockerAuth(
+			c.String("username"),
+			c.String("password"),
+			c.String("registry"),
+			c.String("base-image-username"),
+			c.String("base-image-password"),
+			c.String("base-image-registry"),
+		)
+		if err != nil {
+			return errors.Wrap(err, "failed to create docker config")
 		}
 	}
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			DroneCommitRef:   c.String("drone-commit-ref"),
-			DroneRepoBranch:  c.String("drone-repo-branch"),
-			Dockerfile:       c.String("dockerfile"),
-			Context:          c.String("context"),
-			Tags:             c.StringSlice("tags"),
-			AutoTag:          c.Bool("auto-tag"),
-			AutoTagSuffix:    c.String("auto-tag-suffix"),
-			ExpandTag:        c.Bool("expand-tag"),
-			Args:             c.StringSlice("args"),
-			Target:           c.String("target"),
-			Repo:             buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
-			Mirrors:          c.StringSlice("registry-mirrors"),
-			Labels:           c.StringSlice("custom-labels"),
-			SkipTlsVerify:    c.Bool("skip-tls-verify"),
-			SnapshotMode:     c.String("snapshot-mode"),
-			EnableCache:      c.Bool("enable-cache"),
-			CacheRepo:        buildRepo(c.String("registry"), c.String("cache-repo"), c.Bool("expand-repo")),
-			CacheTTL:         c.Int("cache-ttl"),
-			DigestFile:       defaultDigestFile,
-			NoPush:           noPush,
-			Verbosity:        c.String("verbosity"),
-			Platform:         c.String("platform"),
-			SkipUnusedStages: c.Bool("skip-unused-stages"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SkipTlsVerify:               c.Bool("skip-tls-verify"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   buildRepo(c.String("registry"), c.String("cache-repo"), c.Bool("expand-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			TarPath:                     c.String("tar-path"),
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+
+			ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:  c.Int("image-download-retry"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -248,49 +459,40 @@ func run(c *cli.Context) error {
 			ArtifactFile: c.String("artifact-file"),
 			RegistryType: artifact.Docker,
 		},
+		Output: kaniko.Output{
+			OutputFile: c.String("output-file"),
+		},
+	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
 	}
 	return plugin.Exec()
 }
 
-// Create the docker config file for authentication
-func createDockerCfgFile(username, password, registry string) error {
-	if username == "" {
-		return fmt.Errorf("Username must be specified")
-	}
-	if password == "" {
-		return fmt.Errorf("Password must be specified")
-	}
-	if registry == "" {
-		return fmt.Errorf("Registry must be specified")
+func setDockerAuth(username, password, registry, baseImageUsername, baseImagePassword, baseImageRegistry string) error {
+	dockerConfig := docker.NewConfig()
+	pushToRegistryCreds := docker.RegistryCredentials{
+		Registry: registry,
+		Username: username,
+		Password: password,
 	}
+	credentials := []docker.RegistryCredentials{pushToRegistryCreds}
 
-	if registry == v2RegistryURL || registry == v2HubRegistryURL {
-		fmt.Println("Docker v2 registry is not supported in kaniko. Refer issue: https://github.com/GoogleContainerTools/kaniko/issues/1209")
-		fmt.Printf("Using v1 registry instead: %s\n", v1RegistryURL)
-		registry = v1RegistryURL
+	if baseImageRegistry != "" {
+		pullFromRegistryCreds := docker.RegistryCredentials{
+			Registry: baseImageRegistry,
+			Username: baseImageUsername,
+			Password: baseImagePassword,
+		}
+		credentials = append(credentials, pullFromRegistryCreds)
 	}
-
-	authBytes := []byte(fmt.Sprintf("%s:%s", username, password))
-	encodedString := base64.StdEncoding.EncodeToString(authBytes)
-	jsonBytes := []byte(fmt.Sprintf(`{"auths": {"%s": {"auth": "%s"}}}`, registry, encodedString))
-
-	if err := writeDockerCfgFile(jsonBytes); err != nil {
-		return errors.Wrap(err, "failed to write docker config file")
-	}
-	return nil
-}
-
-// Write json bytes in the docker config file
-func writeDockerCfgFile(jsonBytes []byte) error {
-	err := os.MkdirAll(dockerPath, 0600)
-	if err != nil {
-		return errors.Wrap(err, fmt.Sprintf("failed to create %s directory", dockerPath))
-	}
-	err = ioutil.WriteFile(dockerConfigPath, jsonBytes, 0644)
-	if err != nil {
-		return errors.Wrap(err, "failed to create docker config file")
-	}
-	return nil
+	// Creates docker config for both the regustries used for authentication
+	return dockerConfig.CreateDockerConfig(credentials, dockerPath)
 }
 
 func buildRepo(registry, repo string, expandRepo bool) string {

cmd/kaniko-docker/main_test.go

@@ -1,6 +1,12 @@
 package main
 
-import "testing"
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/docker"
+)
 
 func Test_buildRepo(t *testing.T) {
 	tests := []struct {
@@ -35,3 +41,83 @@ func Test_buildRepo(t *testing.T) {
 		})
 	}
 }
+
+func TestCreateDockerConfig(t *testing.T) {
+	config := docker.NewConfig()
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	if err != nil {
+		t.Fatalf("Failed to create temporary directory: %v", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	tests := []struct {
+		name        string
+		credentials []docker.RegistryCredentials
+		wantErr     bool
+	}{
+		{
+			name: "valid credentials",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "v2 registry",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v2/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "docker registry credentials",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+				{
+					Registry: "https://docker.io",
+					Username: "dockeruser",
+					Password: "dockerpassword",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "empty docker registry",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+				{
+					Registry: "https://docker.io",
+					Username: "dockeruser",
+					Password: "",
+				},
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := config.CreateDockerConfig(tt.credentials, tempDir)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("CreateDockerConfig() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+		})
+	}
+}

cmd/kaniko-ecr/custom_string_slice.go

@@ -0,0 +1,33 @@
+package main
+
+import (
+	"strings"
+)
+
+// CustomStringSliceFlag is like a regular StringSlice flag but with
+// semicolon as a delimiter
+type CustomStringSliceFlag struct {
+	Value []string
+}
+
+func (f *CustomStringSliceFlag) GetValue() []string {
+	if f.Value == nil {
+		return make([]string, 0)
+	}
+	return f.Value
+}
+
+func (f *CustomStringSliceFlag) String() string {
+	if f.Value == nil {
+		return ""
+	}
+	return strings.Join(f.Value, ";")
+}
+
+func (f *CustomStringSliceFlag) Set(v string) error {
+	for _, s := range strings.Split(v, ";") {
+		s = strings.TrimSpace(s)
+		f.Value = append(f.Value, s)
+	}
+	return nil
+}

cmd/kaniko-ecr/main.go

@@ -3,11 +3,11 @@ package main
 import (
 	"context"
 	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
@@ -17,6 +17,8 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
+	ecrpublicv1 "github.com/aws/aws-sdk-go/service/ecrpublic"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/aws/smithy-go"
 	"github.com/hashicorp/go-version"
 	"github.com/joho/godotenv"
@@ -31,10 +33,11 @@ import (
 
 const (
 	accessKeyEnv     string = "AWS_ACCESS_KEY_ID"
+	dockerConfigPath string = "/kaniko/.docker"
 	secretKeyEnv     string = "AWS_SECRET_ACCESS_KEY"
-	dockerConfigPath string = "/kaniko/.docker/config.json"
 	ecrPublicDomain  string = "public.ecr.aws"
 	kanikoVersionEnv string = "KANIKO_VERSION"
+	sessionKeyEnv    string = "AWS_SESSION_TOKEN"
 
 	oneDotEightVersion string = "1.8.0"
 	defaultDigestFile  string = "/kaniko/digest-file"
@@ -64,15 +67,20 @@ func main() {
 			Value:  "Dockerfile",
 			EnvVar: "PLUGIN_DOCKERFILE",
 		},
+		cli.StringFlag{
+			Name:   "docker-registry",
+			Usage:  "Docker registry for base image",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY",
+		},
 		cli.StringFlag{
 			Name:   "docker-username",
-			Usage:  "docker username",
-			EnvVar: "PLUGIN_USERNAME,DOCKER_USERNAME",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_USERNAME,PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
 		},
 		cli.StringFlag{
 			Name:   "docker-password",
-			Usage:  "docker password",
-			EnvVar: "PLUGIN_PASSWORD,DOCKER_PASSWORD",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_PASSWORD,PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
 		},
 		cli.StringFlag{
 			Name:   "context",
@@ -117,6 +125,17 @@ func main() {
 			Usage:  "build args",
 			EnvVar: "PLUGIN_BUILD_ARGS",
 		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
 		cli.StringFlag{
 			Name:   "target",
 			Usage:  "build target",
@@ -228,6 +247,162 @@ func main() {
 			Usage:  "build only used stages",
 			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
 		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "oidc-token-id",
+			Usage:  "OIDC token for assuming role via web identity",
+			EnvVar: "PLUGIN_OIDC_TOKEN_ID",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -240,34 +415,31 @@ func run(c *cli.Context) error {
 	registry := c.String("registry")
 	region := c.String("region")
 	noPush := c.Bool("no-push")
+	assumeRole := c.String("assume-role")
+	externalId := c.String("external-id")
+	oidcToken := c.String("oidc-token-id")
 
-	dockerConfig, err := createDockerConfig(
+	// setup docker config for azure registry and base image docker registry
+	err := setDockerAuth(
+		c.String("docker-registry"),
 		c.String("docker-username"),
 		c.String("docker-password"),
 		c.String("access-key"),
 		c.String("secret-key"),
 		registry,
-		c.String("assume-role"),
-		c.String("external-id"),
+		assumeRole,
+		externalId,
 		region,
 		noPush,
+		oidcToken,
 	)
 	if err != nil {
-		return err
-	}
-
-	jsonBytes, err := json.Marshal(dockerConfig)
-	if err != nil {
-		return err
-	}
-
-	if err := ioutil.WriteFile(dockerConfigPath, jsonBytes, 0644); err != nil {
-		return err
+		return errors.Wrap(err, "failed to create docker config")
 	}
 
 	// only create repository when pushing and create-repository is true
 	if !noPush && c.Bool("create-repository") {
-		if err := createRepository(region, repo, registry); err != nil {
+		if err := createRepository(region, repo, registry, assumeRole, externalId); err != nil {
 			return err
 		}
 	}
@@ -277,7 +449,7 @@ func run(c *cli.Context) error {
 		if err != nil {
 			logrus.Fatal(err)
 		}
-		if err := uploadLifeCyclePolicy(region, repo, string(contents)); err != nil {
+		if err := uploadLifeCyclePolicy(region, repo, string(contents), assumeRole, externalId); err != nil {
 			logrus.Fatal(fmt.Sprintf("error uploading ECR lifecycle policy: %v", err))
 		}
 	}
@@ -287,35 +459,67 @@ func run(c *cli.Context) error {
 		if err != nil {
 			logrus.Fatal(err)
 		}
-		if err := uploadRepositoryPolicy(region, repo, registry, string(contents)); err != nil {
+		if err := uploadRepositoryPolicy(region, repo, registry, string(contents), assumeRole, externalId); err != nil {
 			logrus.Fatal(fmt.Sprintf("error uploading ECR lifecycle policy: %v", err))
 		}
 	}
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			DroneCommitRef:   c.String("drone-commit-ref"),
-			DroneRepoBranch:  c.String("drone-repo-branch"),
-			Dockerfile:       c.String("dockerfile"),
-			Context:          c.String("context"),
-			Tags:             c.StringSlice("tags"),
-			AutoTag:          c.Bool("auto-tag"),
-			AutoTagSuffix:    c.String("auto-tag-suffix"),
-			ExpandTag:        c.Bool("expand-tag"),
-			Args:             c.StringSlice("args"),
-			Target:           c.String("target"),
-			Repo:             fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
-			Mirrors:          c.StringSlice("registry-mirrors"),
-			Labels:           c.StringSlice("custom-labels"),
-			SnapshotMode:     c.String("snapshot-mode"),
-			EnableCache:      c.Bool("enable-cache"),
-			CacheRepo:        fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
-			CacheTTL:         c.Int("cache-ttl"),
-			DigestFile:       defaultDigestFile,
-			NoPush:           noPush,
-			Verbosity:        c.String("verbosity"),
-			Platform:         c.String("platform"),
-			SkipUnusedStages: c.Bool("skip-unused-stages"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
+			Target:                      c.String("target"),
+			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -325,40 +529,77 @@ func run(c *cli.Context) error {
 			RegistryType: artifact.ECR,
 		},
 	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
 	return plugin.Exec()
 }
 
-func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey,
-	registry, assumeRole, externalId, region string, noPush bool) (*docker.Config, error) {
+func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, secretKey,
+	registry, assumeRole, externalId, region string, noPush bool, oidcToken string) error {
 	dockerConfig := docker.NewConfig()
-
-	if dockerUsername != "" {
-		dockerConfig.SetAuth(docker.RegistryV1, dockerUsername, dockerPassword)
+	credentials := []docker.RegistryCredentials{}
+	// set docker credentials for base image registry
+	if dockerRegistry != "" {
+		pullFromRegistryCreds := docker.RegistryCredentials{
+			Registry: dockerRegistry,
+			Username: dockerUsername,
+			Password: dockerPassword,
+		}
+		credentials = append(credentials, pullFromRegistryCreds)
 	}
 
-	if assumeRole != "" {
+	if assumeRole != "" && oidcToken != "" {
+		oidcAccessKey, oidcSecretKey, oidcSessionKey, err := getOidcCreds(oidcToken, assumeRole)
+		if err != nil {
+			return err
+		}
+
+		_ = os.Setenv(accessKeyEnv, oidcAccessKey)
+		_ = os.Setenv(secretKeyEnv, oidcSecretKey)
+		_ = os.Setenv(sessionKeyEnv, oidcSessionKey)
+
+		// kaniko-executor >=1.8.0 does not require additional cred helper logic for ECR,
+		// as it discovers ECR repositories automatically and acts accordingly.
+		if isKanikoVersionBelowOneDotEight(os.Getenv(kanikoVersionEnv)) {
+			dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
+			dockerConfig.SetCredHelper(registry, "ecr-login")
+		}
+
+	} else if assumeRole != "" {
 		var err error
 		username, password, registry, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
 		if err != nil {
-			return nil, err
+			return err
 		}
-		dockerConfig.SetAuth(registry, username, password)
+		pushToRegistryCreds := docker.RegistryCredentials{
+			Registry: registry,
+			Username: username,
+			Password: password,
+		}
+		credentials = append(credentials, pushToRegistryCreds)
+
 	} else if !noPush || accessKey != "" {
 		// only setup auth when pushing or credentials are defined
 		if registry == "" {
-			return nil, fmt.Errorf("registry must be specified")
+			return fmt.Errorf("registry must be specified")
 		}
 
 		// If IAM role is used, access key & secret key are not required
 		if accessKey != "" && secretKey != "" {
 			err := os.Setenv(accessKeyEnv, accessKey)
 			if err != nil {
-				return nil, errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", accessKeyEnv))
+				return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", accessKeyEnv))
 			}
 
 			err = os.Setenv(secretKeyEnv, secretKey)
 			if err != nil {
-				return nil, errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", secretKeyEnv))
+				return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", secretKeyEnv))
 			}
 		}
 
@@ -369,11 +610,10 @@ func createDockerConfig(dockerUsername, dockerPassword, accessKey, secretKey,
 			dockerConfig.SetCredHelper(registry, "ecr-login")
 		}
 	}
-
-	return dockerConfig, nil
+	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
 }
 
-func createRepository(region, repo, registry string) error {
+func createRepository(region, repo, registry, assumeRole, externalId string) error {
 	if registry == "" {
 		return fmt.Errorf("registry must be specified")
 	}
@@ -382,22 +622,29 @@ func createRepository(region, repo, registry string) error {
 		return fmt.Errorf("repo must be specified")
 	}
 
-	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
-	if err != nil {
-		return errors.Wrap(err, "failed to load aws config")
-	}
-
 	var createErr error
 
-	//create public repo
-	//if registry string starts with public domain (ex: public.ecr.aws/example-registry)
-	if isRegistryPublic(registry) {
-		svc := ecrpublic.NewFromConfig(cfg)
-		_, createErr = svc.CreateRepository(context.TODO(), &ecrpublic.CreateRepositoryInput{RepositoryName: &repo})
-		//create private repo
+	if assumeRole != "" {
+		if isRegistryPublic(registry) {
+			_, createErr = getAssumeRoleEcrPublicSvc(region, assumeRole, externalId).CreateRepository(&ecrpublicv1.CreateRepositoryInput{RepositoryName: &repo})
+		} else {
+			_, createErr = getAssumeRoleEcrSvc(region, assumeRole, externalId).CreateRepository(&ecrv1.CreateRepositoryInput{RepositoryName: &repo})
+		}
 	} else {
-		svc := ecr.NewFromConfig(cfg)
-		_, createErr = svc.CreateRepository(context.TODO(), &ecr.CreateRepositoryInput{RepositoryName: &repo})
+		cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
+		if err != nil {
+			return errors.Wrap(err, "failed to load aws config")
+		}
+		//create public repo
+		//if registry string starts with public domain (ex: public.ecr.aws/example-registry)
+		if isRegistryPublic(registry) {
+			svc := ecrpublic.NewFromConfig(cfg)
+			_, createErr = svc.CreateRepository(context.TODO(), &ecrpublic.CreateRepositoryInput{RepositoryName: &repo})
+			//create private repo
+		} else {
+			svc := ecr.NewFromConfig(cfg)
+			_, createErr = svc.CreateRepository(context.TODO(), &ecr.CreateRepositoryInput{RepositoryName: &repo})
+		}
 	}
 
 	var apiError smithy.APIError
@@ -408,46 +655,67 @@ func createRepository(region, repo, registry string) error {
 	return nil
 }
 
-func uploadLifeCyclePolicy(region, repo, lifecyclePolicy string) (err error) {
-	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
-	if err != nil {
-		return errors.Wrap(err, "failed to load aws config")
-	}
+func uploadLifeCyclePolicy(region, repo, lifecyclePolicy, assumeRole, externalId string) (err error) {
+	if assumeRole != "" {
+		input := &ecrv1.PutLifecyclePolicyInput{
+			LifecyclePolicyText: aws.String(lifecyclePolicy),
+			RepositoryName:      aws.String(repo),
+		}
+		_, err = getAssumeRoleEcrSvc(region, assumeRole, externalId).PutLifecyclePolicy(input)
+	} else {
+		cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
+		if err != nil {
+			return errors.Wrap(err, "failed to load aws config")
+		}
 
-	svc := ecr.NewFromConfig(cfg)
+		svc := ecr.NewFromConfig(cfg)
 
-	input := &ecr.PutLifecyclePolicyInput{
-		LifecyclePolicyText: aws.String(lifecyclePolicy),
-		RepositoryName:      aws.String(repo),
+		input := &ecr.PutLifecyclePolicyInput{
+			LifecyclePolicyText: aws.String(lifecyclePolicy),
+			RepositoryName:      aws.String(repo),
+		}
+		_, err = svc.PutLifecyclePolicy(context.TODO(), input)
 	}
-	_, err = svc.PutLifecyclePolicy(context.TODO(), input)
 
 	return err
 }
 
-func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy string) (err error) {
-	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
-	if err != nil {
-		return errors.Wrap(err, "failed to load aws config")
-	}
-
-	if isRegistryPublic(registry) {
-		svc := ecrpublic.NewFromConfig(cfg)
-
-		input := &ecrpublic.SetRepositoryPolicyInput{
-			PolicyText:     aws.String(repositoryPolicy),
-			RepositoryName: aws.String(repo),
+func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy, assumeRole, externalId string) (err error) {
+	if assumeRole != "" {
+		if isRegistryPublic(registry) {
+			input := &ecrpublicv1.SetRepositoryPolicyInput{
+				PolicyText:     aws.String(repositoryPolicy),
+				RepositoryName: aws.String(repo),
+			}
+			_, err = getAssumeRoleEcrPublicSvc(region, assumeRole, externalId).SetRepositoryPolicy(input)
+		} else {
+			input := &ecrv1.SetRepositoryPolicyInput{
+				PolicyText:     aws.String(repositoryPolicy),
+				RepositoryName: aws.String(repo),
+			}
+			_, err = getAssumeRoleEcrSvc(region, assumeRole, externalId).SetRepositoryPolicy(input)
 		}
-		_, err = svc.SetRepositoryPolicy(context.TODO(), input)
 	} else {
-
-		svc := ecr.NewFromConfig(cfg)
-
-		input := &ecr.SetRepositoryPolicyInput{
-			PolicyText:     aws.String(repositoryPolicy),
-			RepositoryName: aws.String(repo),
+		cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
+		if err != nil {
+			return errors.Wrap(err, "failed to load aws config")
+		}
+
+		if isRegistryPublic(registry) {
+			svc := ecrpublic.NewFromConfig(cfg)
+			input := &ecrpublic.SetRepositoryPolicyInput{
+				PolicyText:     aws.String(repositoryPolicy),
+				RepositoryName: aws.String(repo),
+			}
+			_, err = svc.SetRepositoryPolicy(context.TODO(), input)
+		} else {
+			svc := ecr.NewFromConfig(cfg)
+			input := &ecr.SetRepositoryPolicyInput{
+				PolicyText:     aws.String(repositoryPolicy),
+				RepositoryName: aws.String(repo),
+			}
+			_, err = svc.SetRepositoryPolicy(context.TODO(), input)
 		}
-		_, err = svc.SetRepositoryPolicy(context.TODO(), input)
 	}
 
 	return err
@@ -469,7 +737,7 @@ func getAssumeRoleCreds(region, roleArn, externalId, roleSessionName string) (st
 
 	username, password, registry, err := getAuthInfo(svc)
 	if err != nil {
-		return "", "", "", errors.Wrap(err, "failed to get ECR auth")
+		return "", "", "", errors.Wrap(err, "failed to get ECR auth: no basic auth credentials")
 	}
 	return username, password, registry, nil
 }
@@ -497,6 +765,36 @@ func getAuthInfo(svc *ecrv1.ECR) (username, password, registry string, err error
 	return
 }
 
+func getAssumeRoleEcrSvc(region, assumeRole, externalId string) *ecrv1.ECR {
+	sess, err := session.NewSession(&awsv1.Config{Region: &region})
+	if err != nil {
+		logrus.Fatal(err, "failed to create aws session")
+	}
+
+	return ecrv1.New(sess, &awsv1.Config{
+		Credentials: stscreds.NewCredentials(sess, assumeRole, func(p *stscreds.AssumeRoleProvider) {
+			if externalId != "" {
+				p.ExternalID = &externalId
+			}
+		}),
+	})
+}
+
+func getAssumeRoleEcrPublicSvc(region, assumeRole, externalId string) *ecrpublicv1.ECRPublic {
+	sess, err := session.NewSession(&awsv1.Config{Region: &region})
+	if err != nil {
+		logrus.Fatal(err, "failed to create aws session")
+	}
+
+	return ecrpublicv1.New(sess, &awsv1.Config{
+		Credentials: stscreds.NewCredentials(sess, assumeRole, func(p *stscreds.AssumeRoleProvider) {
+			if externalId != "" {
+				p.ExternalID = &externalId
+			}
+		}),
+	})
+}
+
 func isRegistryPublic(registry string) bool {
 	return strings.HasPrefix(registry, ecrPublicDomain)
 }
@@ -513,3 +811,37 @@ func isKanikoVersionBelowOneDotEight(v string) bool {
 
 	return currVer.LessThan(oneEightVer)
 }
+
+func getOidcCreds(oidcToken, assumeRole string) (string, string, string, error) {
+	// Create a new session
+	sess, err := session.NewSession()
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to create AWS session: %w", err)
+	}
+
+	// Create a new STS client
+	svc := sts.New(sess)
+
+	// Prepare the input parameters for the STS call
+	duration := int64(time.Hour / time.Second)
+	input := &sts.AssumeRoleWithWebIdentityInput{
+		RoleArn:          aws.String(assumeRole),
+		RoleSessionName:  aws.String("kaniko-ecr-oidc"),
+		WebIdentityToken: aws.String(oidcToken),
+		DurationSeconds:  aws.Int64(duration),
+	}
+
+	// Call the AssumeRoleWithWebIdentity function
+	result, err := svc.AssumeRoleWithWebIdentity(input)
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to assume role with web identity: %w", err)
+	}
+
+	// Check if credentials exist in the result
+	if result.Credentials == nil {
+		return "", "", "", errors.New("no credentials returned by AssumeRoleWithWebIdentity")
+	}
+
+	// Return the credentials
+	return *result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken, nil
+}

cmd/kaniko-ecr/main_test.go

@@ -1,101 +1,45 @@
 package main
 
 import (
+	"encoding/base64"
+	"io/ioutil"
 	"os"
-	"reflect"
 	"testing"
 
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/stretchr/testify/assert"
 )
 
-func TestCreateDockerConfig(t *testing.T) {
-	got, err := createDockerConfig(
-		"docker-username",
-		"docker-password",
-		"access-key",
-		"secret-key",
-		"ecr-registry",
-		"",
-		"",
-		"",
-		false,
-	)
-	if err != nil {
-		t.Error("failed to create docker config")
+func TestCreateDockerConfigForECRWithBaseRegistry(t *testing.T) {
+	accessKey := "access-key"
+	secretKey := "secret-key"
+	ecrRegistry := "ecr-registry"
+	dockerUsername := "dockeruser"
+	dockerPassword := "dockerpass"
+	dockerRegistry := "https://index.docker.io/v1/"
+
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	config := docker.NewConfig()
+
+	pullFromRegistryCreds := docker.RegistryCredentials{
+		Registry: dockerRegistry,
+		Username: dockerUsername,
+		Password: dockerPassword,
+	}
+	credentials := []docker.RegistryCredentials{
+		{Registry: ecrRegistry, Username: accessKey, Password: secretKey},
+		pullFromRegistryCreds,
 	}
 
-	want := docker.NewConfig()
-	want.SetAuth(docker.RegistryV1, "docker-username", "docker-password")
-	want.SetCredHelper(docker.RegistryECRPublic, "ecr-login")
-	want.SetCredHelper("ecr-registry", "ecr-login")
+	err = config.CreateDockerConfig(credentials, tempDir)
+	assert.NoError(t, err)
 
-	if !reflect.DeepEqual(want, got) {
-		t.Errorf("not equal:\n  want: %#v\n   got: %#v", want, got)
-	}
-}
+	expectedECRAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(accessKey + ":" + secretKey))}
+	assert.Equal(t, expectedECRAuth, config.Auths[ecrRegistry])
 
-func TestCreateDockerConfigKanikoOneDotEight(t *testing.T) {
-	os.Setenv(kanikoVersionEnv, "1.8.1")
-	defer os.Setenv(kanikoVersionEnv, "")
-	got, err := createDockerConfig(
-		"docker-username",
-		"docker-password",
-		"access-key",
-		"secret-key",
-		"ecr-registry",
-		"",
-		"",
-		"",
-		false,
-	)
-	if err != nil {
-		t.Error("failed to create docker config")
-	}
-
-	want := docker.NewConfig()
-	want.SetAuth(docker.RegistryV1, "docker-username", "docker-password")
-
-	if !reflect.DeepEqual(want, got) {
-		t.Errorf("not equal:\n  want: %#v\n   got: %#v", want, got)
-	}
-}
-
-func TestVersionComparison(t *testing.T) {
-	tests := []struct {
-		title    string
-		version  string
-		expected bool
-	}{
-		{
-			title:    "Kaniko 1.6.0 version",
-			version:  "1.6.0",
-			expected: true,
-		},
-		{
-			title:    "Kaniko 1.8.0 version",
-			version:  "1.8.0",
-			expected: false,
-		},
-		{
-			title:    "Kaniko 1.8.1 version",
-			version:  "1.8.1",
-			expected: false,
-		},
-		{
-			title:    "Empty kaniko version",
-			version:  "",
-			expected: true,
-		},
-		{
-			title:    "Kaniko version 1.10.0",
-			version:  "1.10.0",
-			expected: false,
-		},
-	}
-	for _, test := range tests {
-		got := isKanikoVersionBelowOneDotEight(test.version)
-		if got != test.expected {
-			t.Fatalf("test name: %s, expected: %v, got: %v", test.title, test.expected, got)
-		}
-	}
-}
+	expectedDockerAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(dockerUsername + ":" + dockerPassword))}
+	assert.Equal(t, expectedDockerAuth, config.Auths[dockerRegistry])
+}

cmd/kaniko-gar/main.go

@@ -0,0 +1,462 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/joho/godotenv"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
+
+	kaniko "github.com/drone/drone-kaniko"
+	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/docker"
+)
+
+const (
+	dockerConfigPath string = "/kaniko/.docker"
+	// GAR JSON key file path
+	garKeyPath       string = "/kaniko/config.json"
+	garEnvVariable   string = "GOOGLE_APPLICATION_CREDENTIALS"
+
+	defaultDigestFile string = "/kaniko/digest-file"
+)
+
+var (
+	version = "unknown"
+)
+
+func main() {
+	// Load env-file if it exists first
+	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
+		if err := godotenv.Load(env); err != nil {
+			logrus.Fatal(err)
+		}
+	}
+
+	app := cli.NewApp()
+	app.Name = "kaniko gar plugin"
+	app.Usage = "kaniko gar plugin"
+	app.Action = run
+	app.Version = version
+	app.Flags = []cli.Flag{
+		cli.StringFlag{
+			Name:   "dockerfile",
+			Usage:  "build dockerfile",
+			Value:  "Dockerfile",
+			EnvVar: "PLUGIN_DOCKERFILE",
+		},
+		cli.StringFlag{
+			Name:   "context",
+			Usage:  "build context",
+			Value:  ".",
+			EnvVar: "PLUGIN_CONTEXT",
+		},
+		cli.StringFlag{
+			Name:   "drone-commit-ref",
+			Usage:  "git commit ref passed by Drone",
+			EnvVar: "DRONE_COMMIT_REF",
+		},
+		cli.StringFlag{
+			Name:   "drone-repo-branch",
+			Usage:  "git repository default branch passed by Drone",
+			EnvVar: "DRONE_REPO_BRANCH",
+		},
+		cli.StringSliceFlag{
+			Name:     "tags",
+			Usage:    "build tags",
+			Value:    &cli.StringSlice{"latest"},
+			EnvVar:   "PLUGIN_TAGS",
+			FilePath: ".tags",
+		},
+		cli.BoolFlag{
+			Name:   "expand-tag",
+			Usage:  "enable for semver tagging",
+			EnvVar: "PLUGIN_EXPAND_TAG",
+		},
+		cli.BoolFlag{
+			Name:   "auto-tag",
+			Usage:  "enable auto generation of build tags",
+			EnvVar: "PLUGIN_AUTO_TAG",
+		},
+		cli.StringFlag{
+			Name:   "auto-tag-suffix",
+			Usage:  "the suffix of auto build tags",
+			EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
+		},
+		cli.StringSliceFlag{
+			Name:   "args",
+			Usage:  "build args",
+			EnvVar: "PLUGIN_BUILD_ARGS",
+		},
+		cli.StringFlag{
+			Name:   "target",
+			Usage:  "build target",
+			EnvVar: "PLUGIN_TARGET",
+		},
+		cli.StringFlag{
+			Name:   "repo",
+			Usage:  "gar repository",
+			EnvVar: "PLUGIN_REPO",
+		},
+		cli.StringSliceFlag{
+			Name:   "custom-labels",
+			Usage:  "additional k=v labels",
+			EnvVar: "PLUGIN_CUSTOM_LABELS",
+		},
+		cli.StringFlag{
+			Name:   "registry",
+			Usage:  "gar registry",
+			EnvVar: "PLUGIN_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "base-image-username",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
+		},
+		cli.StringFlag{
+			Name:   "base-image-password",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
+		},
+		cli.StringFlag{
+			Name:   "base-image-registry",
+			Usage:  "Docker registry for base image registry",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
+		},
+		cli.StringSliceFlag{
+			Name:   "registry-mirrors",
+			Usage:  "docker registry mirrors",
+			EnvVar: "PLUGIN_REGISTRY_MIRRORS",
+		},
+		cli.StringFlag{
+			Name:   "json-key",
+			Usage:  "docker username",
+			EnvVar: "PLUGIN_JSON_KEY",
+		},
+		cli.StringFlag{
+			Name:   "snapshot-mode",
+			Usage:  "Specify one of full, redo or time as snapshot mode",
+			EnvVar: "PLUGIN_SNAPSHOT_MODE",
+		},
+		cli.BoolFlag{
+			Name:   "enable-cache",
+			Usage:  "Set this flag to opt into caching with kaniko",
+			EnvVar: "PLUGIN_ENABLE_CACHE",
+		},
+		cli.StringFlag{
+			Name:   "cache-repo",
+			Usage:  "Remote repository that will be used to store cached layers. Cache repo should be present in specified registry. enable-cache needs to be set to use this flag",
+			EnvVar: "PLUGIN_CACHE_REPO",
+		},
+		cli.IntFlag{
+			Name:   "cache-ttl",
+			Usage:  "Cache timeout in hours. Defaults to two weeks.",
+			EnvVar: "PLUGIN_CACHE_TTL",
+		},
+		cli.StringFlag{
+			Name:   "artifact-file",
+			Usage:  "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
+			EnvVar: "PLUGIN_ARTIFACT_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "no-push",
+			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
+			EnvVar: "PLUGIN_NO_PUSH",
+		},
+		cli.StringFlag{
+			Name:   "verbosity",
+			Usage:  "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
+			EnvVar: "PLUGIN_VERBOSITY",
+		},
+		cli.StringFlag{
+			Name:   "platform",
+			Usage:  "Allows to build with another default platform than the host, similarly to docker build --platform",
+			EnvVar: "PLUGIN_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "skip-unused-stages",
+			Usage:  "build only used stages",
+			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
+		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
+	}
+
+	if err := app.Run(os.Args); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+func run(c *cli.Context) error {
+	noPush := c.Bool("no-push")
+	jsonKey := c.String("json-key")
+	// JSON key may not be set in the following cases:
+	// 1. Image does not need to be pushed to GAR.
+	// 2. Workload identity is set on GKE in which pod will inherit the credentials via service account.
+	if jsonKey != "" {
+		if err := setupGARAuth(jsonKey); err != nil {
+			return err
+		}
+
+		// setup docker config only when base image registry is specified
+		if c.String("base-image-registry") != ""{
+			if err := setDockerAuth(
+				c.String("base-image-username"),
+				c.String("base-image-password"),
+				c.String("base-image-registry"),
+			); err != nil {
+				return errors.Wrap(err, "failed to create docker config")
+			}
+		}
+	}
+
+	plugin := kaniko.Plugin{
+		Build: kaniko.Build{
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
+		},
+		Artifact: kaniko.Artifact{
+			Tags:         c.StringSlice("tags"),
+			Repo:         c.String("repo"),
+			Registry:     c.String("registry"),
+			ArtifactFile: c.String("artifact-file"),
+			RegistryType: artifact.GAR,
+		},
+	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
+	return plugin.Exec()
+}
+
+func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) (error) {
+	dockerConfig := docker.NewConfig()
+	dockerRegistryCreds := docker.RegistryCredentials{
+		Registry: dockerRegistry,
+		Username: dockerUsername,
+		Password: dockerPassword,
+	}
+	credentials := []docker.RegistryCredentials{dockerRegistryCreds}
+
+	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
+}
+
+func setupGARAuth(jsonKey string) error {
+	err := ioutil.WriteFile(garKeyPath, []byte(jsonKey), 0644)
+	if err != nil {
+		return errors.Wrap(err, "failed to write GAR JSON key")
+	}
+
+	err = os.Setenv(garEnvVariable, garKeyPath)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", garEnvVariable))
+	}
+	return nil
+}

cmd/kaniko-gcr/main.go

@@ -12,12 +12,14 @@ import (
 
 	kaniko "github.com/drone/drone-kaniko"
 	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/docker"
 )
 
 const (
+	dockerConfigPath string = "/kaniko/.docker"
 	// GCR JSON key file path
-	gcrKeyPath     string = "/kaniko/config.json"
-	gcrEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
+	gcrKeyPath       string = "/kaniko/config.json"
+	gcrEnvVariable   string = "GOOGLE_APPLICATION_CREDENTIALS"
 
 	defaultDigestFile string = "/kaniko/digest-file"
 )
@@ -108,7 +110,22 @@ func main() {
 			Name:   "registry",
 			Usage:  "gcr registry",
 			Value:  "gcr.io",
-			EnvVar: "PLUGIN_REGISTRY",
+			EnvVar: "PLUGIN_REGISTRY,BASE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "base-image-username",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
+		},
+		cli.StringFlag{
+			Name:   "base-image-password",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
+		},
+		cli.StringFlag{
+			Name:   "base-image-registry",
+			Usage:  "Docker registry for base image registry",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
 		},
 		cli.StringSliceFlag{
 			Name:   "registry-mirrors",
@@ -165,6 +182,157 @@ func main() {
 			Usage:  "build only used stages",
 			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
 		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -183,32 +351,73 @@ func run(c *cli.Context) error {
 		if err := setupGCRAuth(jsonKey); err != nil {
 			return err
 		}
+
+		// setup docker config only when base image registry is specified
+		if c.String("base-image-registry") != ""{
+			if err := setDockerAuth(
+				c.String("base-image-username"),
+				c.String("base-image-password"),
+				c.String("base-image-registry"),
+			); err != nil {
+				return errors.Wrap(err, "failed to create docker config")
+			}
+		}
 	}
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			DroneCommitRef:   c.String("drone-commit-ref"),
-			DroneRepoBranch:  c.String("drone-repo-branch"),
-			Dockerfile:       c.String("dockerfile"),
-			Context:          c.String("context"),
-			Tags:             c.StringSlice("tags"),
-			AutoTag:          c.Bool("auto-tag"),
-			AutoTagSuffix:    c.String("auto-tag-suffix"),
-			ExpandTag:        c.Bool("expand-tag"),
-			Args:             c.StringSlice("args"),
-			Target:           c.String("target"),
-			Repo:             fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
-			Mirrors:          c.StringSlice("registry-mirrors"),
-			Labels:           c.StringSlice("custom-labels"),
-			SnapshotMode:     c.String("snapshot-mode"),
-			EnableCache:      c.Bool("enable-cache"),
-			CacheRepo:        fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
-			CacheTTL:         c.Int("cache-ttl"),
-			DigestFile:       defaultDigestFile,
-			NoPush:           noPush,
-			Verbosity:        c.String("verbosity"),
-			Platform:         c.String("platform"),
-			SkipUnusedStages: c.Bool("skip-unused-stages"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -218,9 +427,28 @@ func run(c *cli.Context) error {
 			RegistryType: artifact.GCR,
 		},
 	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
 	return plugin.Exec()
 }
 
+func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) (error) {
+	dockerConfig := docker.NewConfig()
+	dockerRegistryCreds := docker.RegistryCredentials{
+		Registry: dockerRegistry,
+		Username: dockerUsername,
+		Password: dockerPassword,
+	}
+	credentials := []docker.RegistryCredentials{dockerRegistryCreds}
+	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
+}
+
 func setupGCRAuth(jsonKey string) error {
 	err := ioutil.WriteFile(gcrKeyPath, []byte(jsonKey), 0644)
 	if err != nil {

docker/acr/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
-ENV KANIKO_VERSION=1.8.1
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]

docker/acr/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.8.1
+FROM gcr.io/kaniko-project/executor:v1.23.0
 
 ENV HOME /root
 ENV USER root
 
-ENV KANIKO_VERSION=1.8.1
+ENV KANIKO_VERSION=1.23.0
 ADD release/linux/arm64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]

docker/docker/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.6.0
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
-ENV KANIKO_VERSION=1.6.0
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/Dockerfile.linux.amd64.kaniko1.9.1

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.8.1
+FROM gcr.io/kaniko-project/executor:v1.9.1
 
-ENV KANIKO_VERSION=1.8.1
+ENV KANIKO_VERSION=1.9.1
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.6.0
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
 ENV HOME /root
 ENV USER root
 
-ENV KANIKO_VERSION=1.6.0
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/arm64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/Dockerfile.linux.arm64.kaniko1.9.1

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.8.1
+FROM gcr.io/kaniko-project/executor:v1.9.1
 
-ENV KANIKO_VERSION=1.8.1
+ENV KANIKO_VERSION=1.9.1
 ADD release/linux/arm64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/manifest-kaniko1.9.1.tmpl

@@ -1,4 +1,4 @@
-image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.8.1{{else}}latest-kaniko1.8.1{{/if}}
+image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
@@ -7,12 +7,12 @@ tags:
 {{/if}}
 manifests:
   -
-    image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.8.1
+    image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
     platform:
       architecture: amd64
       os: linux
   -
-    image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.8.1
+    image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
     platform:
       architecture: arm64
       os: linux

docker/ecr/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.6.0
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
-ENV KANIKO_VERSION=1.6.0
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/Dockerfile.linux.amd64.kaniko1.9.1

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.8.1
+FROM gcr.io/kaniko-project/executor:v1.9.1
 
-ENV KANIKO_VERSION=1.8.1
+ENV KANIKO_VERSION=1.9.1
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.6.0
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.6.0
+ENV KANIKO_VERSION=1.23.2
 
 ADD release/linux/arm64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/Dockerfile.linux.arm64.kaniko1.9.1

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.8.1
+FROM gcr.io/kaniko-project/executor:v1.9.1
 
-ENV KANIKO_VERSION=1.8.1
+ENV KANIKO_VERSION=1.9.1
 ADD release/linux/arm64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/manifest-kaniko1.9.1.tmpl

@@ -1,4 +1,4 @@
-image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.8.1{{else}}latest-kaniko1.8.1{{/if}}
+image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
@@ -7,12 +7,12 @@ tags:
 {{/if}}
 manifests:
   -
-    image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.8.1
+    image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
     platform:
       architecture: amd64
       os: linux
   -
-    image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.8.1
+    image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
     platform:
       architecture: arm64
       os: linux

docker/gar/Dockerfile.linux.amd64

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.23.2
+
+ENV KANIKO_VERSION=1.23.2
+ADD release/linux/amd64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.amd64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/amd64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.arm64

@@ -0,0 +1,8 @@
+FROM gcr.io/kaniko-project/executor:v1.23.2
+
+ENV HOME /root
+ENV USER root
+ENV KANIKO_VERSION=1.23.2
+
+ADD release/linux/arm64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.arm64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/arm64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/manifest-kaniko1.9.1.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
+    platform:
+      architecture: arm64
+      os: linux

docker/gar/manifest.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux

docker/gcr/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.6.0
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
-ENV KANIKO_VERSION=1.6.0
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.amd64.kaniko1.9.1

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.8.1
+FROM gcr.io/kaniko-project/executor:v1.9.1
 
-ENV KANIKO_VERSION=1.8.1
+ENV KANIKO_VERSION=1.9.1
 ADD release/linux/amd64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.6.0
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.6.0
+ENV KANIKO_VERSION=1.23.2
 
 ADD release/linux/arm64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.arm64.kaniko1.9.1

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.8.1
+FROM gcr.io/kaniko-project/executor:v1.9.1
 
-ENV KANIKO_VERSION=1.8.1
+ENV KANIKO_VERSION=1.9.1
 ADD release/linux/arm64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/manifest-kaniko1.9.1.tmpl

@@ -1,4 +1,4 @@
-image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.8.1{{else}}latest-kaniko1.8.1{{/if}}
+image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
@@ -7,12 +7,12 @@ tags:
 {{/if}}
 manifests:
   -
-    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.8.1
+    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
     platform:
       architecture: amd64
       os: linux
   -
-    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.8.1
+    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
     platform:
       architecture: arm64
       os: linux

git-hooks/README.md

@@ -0,0 +1,8 @@
+This document explains on how to install certain git hooks globally for all repositories in your machine.
+
+Step 1: git clone https://github.com/drone/drone-kaniko.git
+Step 2: cd git-hooks
+Step 3: Run install.sh
+
+"install.sh" script will create .git_template in the user directory and will put the git hook and its dependent scripts in it. Along with the .git_template folder, it will add 2 sections "init" and "hooks boolean" in the .gitconfig file in the same user's root directory.
+After running "install.sh" if you create/clone a new git repository then all the hooks will get install automatically for the git repository. In case of existing git repository copy the contents of ~/.git_template/hooks into the .git/hooks directory of existing git repository.

git-hooks/hooks/git-leaks-pre-commit.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS_PRE_COMMIT=s$(git config --bool hook.pre-commit.gitleak)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks protect --staged -v --exit-code=100
+STATUS=$?
+if [ $STATUS = 100  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+else
+    exit 0
+fi

git-hooks/hooks/git-leaks.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS=$(git config --bool hook.pre-push.gitleaks)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks detect -s ./ --log-level=debug --log-opts=-1 -v
+STATUS=$?
+if [ $STATUS != 0  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+    exit $STATUS
+else
+    exit 0
+fi

git-hooks/hooks/pre-commit

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks-pre-commit.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+if [ "`git config $GIT_LEAKS_PRE_COMMIT`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS_PRE_COMMIT '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS_PRE_COMMIT true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi

git-hooks/hooks/pre-push

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS=hook.pre-push.gitleaks
+if [ "`git config $GIT_LEAKS`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi

git-hooks/install.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+#Function to check if package is installed or not
+#args: $1: Name of the Package
+function check_package_installed() {
+  LOCAL_PACKAGE_NAME=$1
+  echo "Checking if $LOCAL_PACKAGE_NAME is installed or not..."
+  brew list $LOCAL_PACKAGE_NAME
+  if [ "$?" -eq 1 ];then
+    echo "Installing $LOCAL_PACKAGE_NAME package..."
+    brew install $LOCAL_PACKAGE_NAME
+  fi
+}
+
+function create_git_template() {
+    cd $BASEDIR
+    mkdir -p ~/.git_template/hooks
+    git config --global init.templatedir ${GIT_TEMPLATE}
+    git config --global --add $GIT_LEAKS true
+    git config --global --add $GIT_LEAKS_PRE_COMMIT true
+    find hooks/ -type f -exec cp "{}" ~/.git_template/hooks \;
+    #cp -f hooks/* ~/.git_template/hooks
+    cat ~/.gitconfig
+}
+
+GIT_TEMPLATE="~/.git_template"
+GIT_LEAKS=hook.pre-push.gitleaks
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+
+pushd `dirname $0` && BASEDIR=$(pwd -L) && popd
+
+echo This script will install hooks that run scripts that could be updated without notice.
+
+while true; do
+    read -p "Do you wish to install these hooks?" yn
+    case $yn in
+        [Yy]* ) check_package_installed "gitleaks";
+                break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done
+
+create_git_template

go.mod

@@ -1,6 +1,8 @@
 module github.com/drone/drone-kaniko
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
 	github.com/aws/aws-sdk-go v1.44.52
 	github.com/aws/aws-sdk-go-v2 v1.16.7
 	github.com/aws/aws-sdk-go-v2/config v1.15.14
@@ -8,18 +10,17 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8
 	github.com/aws/smithy-go v1.12.0
 	github.com/coreos/go-semver v0.3.0
-	github.com/google/go-cmp v0.5.8
+	github.com/google/go-cmp v0.5.9
 	github.com/hashicorp/go-version v1.6.0
 	github.com/joho/godotenv v1.4.0
 	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.8.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/stretchr/testify v1.8.4
 	github.com/urfave/cli v1.22.9
-	golang.org/x/mod v0.5.1
+	golang.org/x/mod v0.17.0
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.9 // indirect
@@ -30,17 +31,20 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
 	golang.org/x/net v0.0.0-20220725212005-46097bf591d3 // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+	golang.org/x/sys v0.19.0 // indirect
 	golang.org/x/text v0.3.7 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-go 1.18
+go 1.22.4

go.sum

@@ -38,16 +38,21 @@ github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
+github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
+github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -73,35 +78,38 @@ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/urfave/cli v1.22.9 h1:cv3/KhXGBGjEXLC4bH0sLuJ9BewaAbpk5oyMOveu4pw=
 github.com/urfave/cli v1.22.9/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220725212005-46097bf591d3 h1:2yWTtPWWRcISTw3/o+s/Y4UOMnQL71DWyToOANFusCg=
 golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e h1:NHvCuwuS43lGnYhten69ZWqi2QOj/CiDNcKbVqwVoew=
-golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

kaniko.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/output"
 	"github.com/drone/drone-kaniko/pkg/tagger"
 	"golang.org/x/mod/semver"
 )
@@ -15,29 +16,68 @@ import (
 type (
 	// Build defines Docker build parameters.
 	Build struct {
-		DroneCommitRef   string   // Drone git commit reference
-		DroneRepoBranch  string   // Drone repo branch
-		Dockerfile       string   // Docker build Dockerfile
-		Context          string   // Docker build context
-		Tags             []string // Docker build tags
-		AutoTag          bool     // Set this to auto detect tags from git commits and semver-tagged labels
-		AutoTagSuffix    string   // Suffix to append to the auto detect tags
-		ExpandTag        bool     // Set this to expand the `Tags` into semver-tagged labels
-		Args             []string // Docker build args
-		Target           string   // Docker build target
-		Repo             string   // Docker build repository
-		Mirrors          []string // Docker repository mirrors
-		Labels           []string // Label map
-		SkipTlsVerify    bool     // Docker skip tls certificate verify for registry
-		SnapshotMode     string   // Kaniko snapshot mode
-		EnableCache      bool     // Whether to enable kaniko cache
-		CacheRepo        string   // Remote repository that will be used to store cached layers
-		CacheTTL         int      // Cache timeout in hours
-		DigestFile       string   // Digest file location
-		NoPush           bool     // Set this flag if you only want to build the image, without pushing to a registry
-		Verbosity        string   // Log level
-		Platform         string   // Allows to build with another default platform than the host, similarly to docker build --platform
-		SkipUnusedStages bool     // Build only used stages
+		DroneCommitRef      string   // Drone git commit reference
+		DroneRepoBranch     string   // Drone repo branch
+		Dockerfile          string   // Docker build Dockerfile
+		Context             string   // Docker build context
+		Tags                []string // Docker build tags
+		AutoTag             bool     // Set this to auto detect tags from git commits and semver-tagged labels
+		AutoTagSuffix       string   // Suffix to append to the auto detect tags
+		ExpandTag           bool     // Set this to expand the `Tags` into semver-tagged labels
+		Args                []string // Docker build args
+		ArgsNew             []string // docker build args with comma seperated values
+		IsMultipleBuildArgs bool     // env variable for fallback for docker build args
+		Target              string   // Docker build target
+		Repo                string   // Docker build repository
+		Mirrors             []string // Docker repository mirrors
+		Labels              []string // Label map
+		SkipTlsVerify       bool     // Docker skip tls certificate verify for registry
+		SnapshotMode        string   // Kaniko snapshot mode
+		EnableCache         bool     // Whether to enable kaniko cache
+		CacheRepo           string   // Remote repository that will be used to store cached layers
+		CacheTTL            int      // Cache timeout in hours
+		DigestFile          string   // Digest file location
+		NoPush              bool     // Set this flag if you only want to build the image, without pushing to a registry
+		Verbosity           string   // Log level
+		Platform            string   // Allows to build with another default platform than the host, similarly to docker build --platform
+		SkipUnusedStages    bool     // Build only used stages
+		TarPath             string   // Set this flag to save the image as a tarball at path
+
+		Cache                       bool   // Enable or disable caching during the build process.
+		CacheDir                    string // Directory to store cached layers.
+		CacheCopyLayers             bool   // Enable or disable copying layers from the cache.
+		CacheRunLayers              bool   // Enable or disable running layers from the cache.
+		Cleanup                     bool   // Enable or disable cleanup of temporary files.
+		CompressedCaching           *bool  // Enable or disable compressed caching.
+		ContextSubPath              string // Sub-path within the context to build.
+		CustomPlatform              string // Platform to use for building.
+		Force                       bool   // Force building the image even if it already exists.
+		Git                         bool   // Branch to clone if build context is a git repository .
+		ImageNameWithDigestFile     string // Write image name with digest to a file.
+		ImageNameTagWithDigestFile  string // Write image name with tag and digest to a file.
+		Insecure                    bool   // Allow connecting to registries without TLS.
+		InsecurePull                bool   // Allow insecure pulls from the registry.
+		InsecureRegistry            string // Use plain HTTP for registry communication.
+		Label                       string // Add metadata to an image.
+		LogFormat                   string // Set the log format for build output.
+		LogTimestamp                bool   // Show timestamps in build output.
+		OCILayoutPath               string // Directory to store OCI layout.
+		PushRetry                   int    // Number of times to retry pushing an image.
+		RegistryCertificate         string // Path to a file containing a registry certificate.
+		RegistryClientCert          string // Path to a file containing a registry client certificate.
+		RegistryMirror              string // Mirror for registry pulls.
+		SkipDefaultRegistryFallback bool   // Skip Docker Hub and default registry fallback.
+		Reproducible                bool   // Create a reproducible image.
+		SingleSnapshot              bool   // Only create a single snapshot of the image.
+		SkipTLSVerify               bool   // Skip TLS verification when connecting to the registry.
+		SkipPushPermissionCheck     bool   // Skip permission check when pushing.
+		SkipTLSVerifyPull           bool   // Skip TLS verification when pulling.
+		SkipTLSVerifyRegistry       bool   // Skip TLS verification when connecting to a registry.
+		UseNewRun                   bool   // Use the new container runtime (`runc`) for builds.
+		IgnoreVarRun                *bool  // Ignore `/var/run` when copying from the context.
+		IgnorePath                  string // Ignore files matching the specified path pattern.
+		ImageFSExtractRetry         int    // Number of times to retry extracting the image filesystem.
+		ImageDownloadRetry          int    // Number of times to retry downloading layers.
 	}
 
 	// Artifact defines content of artifact file
@@ -49,10 +89,16 @@ type (
 		ArtifactFile string                    // Artifact file location
 	}
 
+	// Output defines content of output file
+	Output struct {
+		OutputFile string // File where plugin output are saved
+	}
+
 	// Plugin defines the Docker plugin parameters.
 	Plugin struct {
 		Build    Build    // Docker build configuration
 		Artifact Artifact // Artifact file content
+		Output   Output   // Output file content
 	}
 )
 
@@ -148,17 +194,24 @@ func (p Plugin) Exec() error {
 		fmt.Sprintf("--context=dir://%s", p.Build.Context),
 	}
 
-	// Set the destination repository
-	if !p.Build.NoPush {
+	// Set the destination repository only when we push or save to tarball
+	if !p.Build.NoPush || p.Build.TarPath != "" {
 		for _, tag := range tags {
 			for _, label := range p.Build.labelsForTag(tag) {
 				cmdArgs = append(cmdArgs, fmt.Sprintf("--destination=%s:%s", p.Build.Repo, label))
 			}
 		}
 	}
+
 	// Set the build arguments
-	for _, arg := range p.Build.Args {
-		cmdArgs = append(cmdArgs, fmt.Sprintf("--build-arg=%s", arg))
+	if p.Build.IsMultipleBuildArgs {
+		for _, arg := range p.Build.ArgsNew {
+			cmdArgs = append(cmdArgs, "--build-arg", arg)
+		}
+	} else {
+		for _, arg := range p.Build.Args {
+			cmdArgs = append(cmdArgs, "--build-arg", arg)
+		}
 	}
 	// Set the labels
 	for _, label := range p.Build.Labels {
@@ -177,7 +230,7 @@ func (p Plugin) Exec() error {
 	}
 
 	if p.Build.SnapshotMode != "" {
-		cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshotMode=%s", p.Build.SnapshotMode))
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshot-mode=%s", p.Build.SnapshotMode))
 	}
 
 	if p.Build.EnableCache {
@@ -212,6 +265,138 @@ func (p Plugin) Exec() error {
 		cmdArgs = append(cmdArgs, "--skip-unused-stages")
 	}
 
+	if p.Build.TarPath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--tar-path=%s", p.Build.TarPath))
+	}
+
+	if p.Build.CacheCopyLayers {
+		cmdArgs = append(cmdArgs, "--cache-copy-layers")
+	}
+
+	if p.Build.CacheRunLayers {
+		cmdArgs = append(cmdArgs, "--cache-run-layers=true")
+	}
+
+	if p.Build.Cleanup {
+		cmdArgs = append(cmdArgs, "--cleanup=true")
+	}
+
+	if p.Build.CompressedCaching != nil {
+		if *p.Build.CompressedCaching {
+			cmdArgs = append(cmdArgs, "--compressed-caching=true")
+		} else {
+			cmdArgs = append(cmdArgs, "--compressed-caching=false")
+		}
+	}
+
+	if p.Build.ContextSubPath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--context-sub-path=%s", p.Build.ContextSubPath))
+	}
+
+	if p.Build.CustomPlatform != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--custom-platform=%s", p.Build.CustomPlatform))
+	}
+
+	if p.Build.Force {
+		cmdArgs = append(cmdArgs, "--force")
+	}
+
+	if p.Build.Git {
+		cmdArgs = append(cmdArgs, "--git")
+	}
+
+	if p.Build.ImageNameWithDigestFile != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-name-with-digest-file=%s", p.Build.ImageNameWithDigestFile))
+	}
+
+	if p.Build.ImageNameTagWithDigestFile != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-name-tag-with-digest-file=%s", p.Build.ImageNameTagWithDigestFile))
+	}
+
+	if p.Build.Insecure {
+		cmdArgs = append(cmdArgs, "--insecure")
+	}
+
+	if p.Build.InsecurePull {
+		cmdArgs = append(cmdArgs, "--insecure-pull")
+	}
+
+	if p.Build.InsecureRegistry != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--insecure-registry=%s", p.Build.InsecureRegistry))
+	}
+
+	if p.Build.LogFormat != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--log-format=%s", p.Build.LogFormat))
+	}
+
+	if p.Build.LogTimestamp {
+		cmdArgs = append(cmdArgs, "--log-timestamp")
+	}
+
+	if p.Build.OCILayoutPath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--oci-layout-path=%s", p.Build.OCILayoutPath))
+	}
+
+	if p.Build.PushRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--push-retry=%d", p.Build.PushRetry))
+	}
+
+	if p.Build.RegistryCertificate != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-certificate=%s", p.Build.RegistryCertificate))
+	}
+
+	if p.Build.RegistryClientCert != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-client-cert=%s", p.Build.RegistryClientCert))
+	}
+
+	if p.Build.SkipDefaultRegistryFallback {
+		cmdArgs = append(cmdArgs, "--skip-default-registry-fallback")
+	}
+
+	if p.Build.Reproducible {
+		cmdArgs = append(cmdArgs, "--reproducible")
+	}
+
+	if p.Build.SingleSnapshot {
+		cmdArgs = append(cmdArgs, "--single-snapshot")
+	}
+
+	if p.Build.SkipPushPermissionCheck {
+		cmdArgs = append(cmdArgs, "--skip-push-permission-check")
+	}
+
+	if p.Build.SkipTLSVerifyPull {
+		cmdArgs = append(cmdArgs, "--skip-tls-verify-pull")
+	}
+
+	if p.Build.SkipTLSVerifyRegistry {
+		cmdArgs = append(cmdArgs, "--skip-tls-verify-registry")
+	}
+
+	if p.Build.UseNewRun {
+		cmdArgs = append(cmdArgs, "--use-new-run")
+	}
+
+	if p.Build.IgnoreVarRun != nil {
+		if *p.Build.IgnoreVarRun {
+			cmdArgs = append(cmdArgs, "--ignore-var-run=true")
+		} else {
+			cmdArgs = append(cmdArgs, "--ignore-var-run=false")
+		}
+	}
+
+	if p.Build.IgnorePath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", p.Build.IgnorePath))
+	}
+
+	if p.Build.ImageFSExtractRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-fs-extract-retry=%d", p.Build.ImageFSExtractRetry))
+	}
+
+	if p.Build.ImageDownloadRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-download-retry=%d", p.Build.ImageDownloadRetry))
+	}
+
 	cmd := exec.Command("/kaniko/executor", cmdArgs...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
@@ -223,19 +408,29 @@ func (p Plugin) Exec() error {
 	}
 
 	if p.Build.DigestFile != "" && p.Artifact.ArtifactFile != "" {
-		content, err := ioutil.ReadFile(p.Build.DigestFile)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "failed to read digest file contents at path: %s with error: %s\n", p.Build.DigestFile, err)
-		}
-		err = artifact.WritePluginArtifactFile(p.Artifact.RegistryType, p.Artifact.ArtifactFile, p.Artifact.Registry, p.Artifact.Repo, string(content), p.Artifact.Tags)
+		err = artifact.WritePluginArtifactFile(p.Artifact.RegistryType, p.Artifact.ArtifactFile, p.Artifact.Registry, p.Artifact.Repo, getDigest(p.Build.DigestFile), p.Artifact.Tags)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "failed to write plugin artifact file at path: %s with error: %s\n", p.Artifact.ArtifactFile, err)
 		}
 	}
 
+	if p.Output.OutputFile != "" {
+		if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile)); err != nil {
+			fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
+		}
+	}
+
 	return nil
 }
 
+func getDigest(digestFile string) string {
+	content, err := ioutil.ReadFile(digestFile)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to read digest file contents at path: %s with error: %s\n", digestFile, err)
+	}
+	return string(content)
+}
+
 // trace writes each command to stdout with the command wrapped in an xml
 // tag so that it can be extracted and displayed in the logs.
 func trace(cmd *exec.Cmd) {

pkg/artifact/artifact.go

@@ -20,6 +20,7 @@ const (
 	Docker RegistryTypeEnum = "Docker"
 	ECR    RegistryTypeEnum = "ECR"
 	GCR    RegistryTypeEnum = "GCR"
+	GAR    RegistryTypeEnum = "GAR"
 )
 
 type (

pkg/docker/config.go

@@ -2,7 +2,18 @@ package docker
 
 import (
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+const (
+	v2HubRegistryURL string = "https://registry.hub.docker.com/v2/"
+	v1RegistryURL    string = "https://index.docker.io/v1/" // Default registry
+	v2RegistryURL    string = "https://index.docker.io/v2/" // v2 registry is not supported
 )
 
 type (
@@ -12,19 +23,25 @@ type (
 
 	Config struct {
 		Auths       map[string]Auth   `json:"auths"`
-		CredHelpers map[string]string `json:"credHelpers"`
+		CredHelpers map[string]string `json:"credHelpers,omitempty"`
 	}
 )
 
+type RegistryCredentials struct {
+	Registry string
+	Username string
+	Password string
+}
+
 func NewConfig() *Config {
 	return &Config{
-		Auths:       map[string]Auth{},
-		CredHelpers: map[string]string{},
+		Auths:       make(map[string]Auth),
+		CredHelpers: make(map[string]string),
 	}
 }
 
 func (c *Config) SetAuth(registry, username, password string) {
-	authBytes := []byte(fmt.Sprintf("%s:%s", username, password))
+	authBytes := []byte(username + ":" + password)
 	encodedString := base64.StdEncoding.EncodeToString(authBytes)
 	c.Auths[registry] = Auth{Auth: encodedString}
 }
@@ -32,3 +49,49 @@ func (c *Config) SetAuth(registry, username, password string) {
 func (c *Config) SetCredHelper(registry, helper string) {
 	c.CredHelpers[registry] = helper
 }
+
+func (c *Config) CreateDockerConfig(credentials []RegistryCredentials, dockerPath string) error {
+	for _, cred := range credentials {
+		if cred.Registry != "" {
+			// update v2 docker registry to v1
+			if cred.Registry == v2RegistryURL || cred.Registry == v2HubRegistryURL {
+				fmt.Printf("Docker v2 registry '%s' is not supported in kaniko. Refer issue: https://github.com/GoogleContainerTools/kaniko/issues/1209\n", cred.Registry)
+				fmt.Printf("Using v1 registry instead: %s\n", v1RegistryURL)
+				cred.Registry = v1RegistryURL
+			}
+
+			if cred.Username == "" {
+				return fmt.Errorf("Username must be specified for registry: %s", cred.Registry)
+			}
+			if cred.Password == "" {
+				return fmt.Errorf("Password must be specified for registry: %s", cred.Registry)
+			}
+			c.SetAuth(cred.Registry, cred.Username, cred.Password)
+		}
+	}
+	jsonBytes, err := json.Marshal(c)
+	if err != nil {
+		return errors.Wrap(err, "failed to serialize docker config json")
+	}
+	if err := WriteDockerConfig(jsonBytes, dockerPath); err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to write docker config to path: %s", dockerPath))
+	}
+	return nil
+}
+
+func WriteDockerConfig(data []byte, path string) (string error) {
+	err := os.MkdirAll(path, 0600)
+	if err != nil {
+		if !os.IsExist(err) {
+			return errors.Wrap(err, fmt.Sprintf("failed to create %s directory", path))
+		}
+	}
+
+	filePath := path + "/config.json"
+
+	err = ioutil.WriteFile(filePath, data, 0644)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to create docker config file at %s", path))
+	}
+	return nil
+}

pkg/docker/config_test.go

@@ -2,24 +2,54 @@ package docker
 
 import (
 	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestConfig(t *testing.T) {
 	c := NewConfig()
+	assert.NotNil(t, c.Auths)
+	assert.NotNil(t, c.CredHelpers)
 
 	c.SetAuth(RegistryV1, "test", "password")
+	expectedAuth := Auth{Auth: "dGVzdDpwYXNzd29yZA=="}
+	assert.Equal(t, expectedAuth, c.Auths[RegistryV1])
+
 	c.SetCredHelper(RegistryECRPublic, "ecr-login")
+	assert.Equal(t, "ecr-login", c.CredHelpers[RegistryECRPublic])
 
-	bytes, err := json.Marshal(c)
-	if err != nil {
-		t.Error("json marshal failed")
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	credentials := []RegistryCredentials{
+		{
+			Registry: "https://index.docker.io/v1/",
+			Username: "user1",
+			Password: "pass1",
+		},
+		{
+			Registry: "gcr.io",
+			Username: "user2",
+			Password: "pass2",
+		},
 	}
 
-	want := `{"auths":{"https://index.docker.io/v1/":{"auth":"dGVzdDpwYXNzd29yZA=="}},"credHelpers":{"public.ecr.aws":"ecr-login"}}`
-	got := string(bytes)
+	err = c.CreateDockerConfig(credentials, tempDir)
+	assert.NoError(t, err)
 
-	if want != got {
-		t.Errorf("unexpected json output:\n  want: %s\n   got: %s", want, got)
-	}
+	configPath := filepath.Join(tempDir, "config.json")
+	data, err := ioutil.ReadFile(configPath)
+	assert.NoError(t, err)
+
+	var configFromFile Config
+	err = json.Unmarshal(data, &configFromFile)
+	assert.NoError(t, err)
+
+	assert.Equal(t, c.Auths, configFromFile.Auths)
+	assert.Equal(t, c.CredHelpers, configFromFile.CredHelpers)
 }

pkg/docker/docker_file.go

@@ -1,35 +0,0 @@
-package docker
-
-import (
-	"encoding/base64"
-	"fmt"
-	"io/ioutil"
-	"os"
-
-	"github.com/pkg/errors"
-)
-
-// Create the docker config file for authentication
-func CreateDockerCfgFile(username, password, registry, path string) error {
-	if username == "" {
-		return fmt.Errorf("Username must be specified")
-	}
-	if password == "" {
-		return fmt.Errorf("Password must be specified")
-	}
-
-	err := os.MkdirAll(path, 0600)
-	if err != nil {
-		return errors.Wrap(err, fmt.Sprintf("failed to create %s directory", path))
-	}
-
-	authBytes := []byte(fmt.Sprintf("%s:%s", username, password))
-	encodedString := base64.StdEncoding.EncodeToString(authBytes)
-	jsonBytes := []byte(fmt.Sprintf(`{"auths": {"%s": {"auth": "%s"}}}`, "https://"+registry, encodedString))
-	filePath := path + "/config.json"
-	err = ioutil.WriteFile(filePath, jsonBytes, 0644)
-	if err != nil {
-		return errors.Wrap(err, "failed to create docker config file")
-	}
-	return nil
-}

pkg/output/output.go

@@ -0,0 +1,12 @@
+package output
+
+import (
+	"github.com/joho/godotenv"
+)
+
+func WritePluginOutputFile(outputFilePath, digest string) error {
+	output := map[string]string{
+		"digest": digest,
+	}
+	return godotenv.Write(output, outputFilePath)
+}

scripts/build.sh

@@ -14,13 +14,16 @@ GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gcr    ./cmd/kani
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-acr    ./cmd/kaniko-acr
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-ecr    ./cmd/kaniko-ecr
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
+GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gar    ./cmd/kaniko-gar
 
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gcr    ./cmd/kaniko-gcr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-acr    ./cmd/kaniko-acr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-ecr    ./cmd/kaniko-ecr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-docker ./cmd/kaniko-docker
+GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gar    ./cmd/kaniko-gar
 
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-gcr      ./cmd/kaniko-gcr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-acr      ./cmd/kaniko-acr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-ecr      ./cmd/kaniko-ecr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-docker   ./cmd/kaniko-docker
+GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-gar      ./cmd/kaniko-gar

scripts/docker.sh

@@ -15,10 +15,12 @@ set -x
 
 # build the binary
 go build -o release/linux/amd64/kaniko-gcr    ./cmd/kaniko-gcr
+go build -o release/linux/amd64/kaniko-gar    ./cmd/kaniko-gar
 go build -o release/linux/amd64/kaniko-ecr    ./cmd/kaniko-ecr
 go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
 
 # build the docker image
 docker build -f docker/gcr/Dockerfile.linux.amd64    -t plugins/kaniko-gcr .
+docker build -f docker/gar/Dockerfile.linux.amd64    -t plugins/kaniko-gar .
 docker build -f docker/ecr/Dockerfile.linux.amd64    -t plugins/kaniko-ecr .
 docker build -f docker/docker/Dockerfile.linux.amd64 -t plugins/kaniko .