fix: [CI-11358]: fix kaniko executor Vulnerabilities

* fix: [CI-10165]: Add additional kaniko args

* fix: [CI-10165]: support additional kaniko args

* fix: [CI-10165]: Add bool parse logic

.drone.yml

@@ -1,10 +1,17 @@
 kind: pipeline
-type: docker
+type: vm
 name: default
 
+pool:
+  use: ubuntu
+
+platform:
+  os: linux
+  arch: amd64
+
 steps:
 - name: build
-  image: golang:1.18
+  image: golang:1.22
   commands:
   - go test ./...
   - sh scripts/build.sh
@@ -43,6 +50,23 @@ steps:
       exclude:
       - pull_request
 
+- name: gar
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-amd64
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.amd64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
+
 - name: ecr
   image: plugins/docker
   settings:
@@ -111,6 +135,22 @@ steps:
       exclude:
       - pull_request
 
+- name: gar-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.amd64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
 
 - name: ecr-kaniko-v1-9
   image: plugins/docker
@@ -130,16 +170,15 @@ steps:
       - pull_request
 ---
 kind: pipeline
-type: docker
+type: vm
 name: arm
 
-platform:
-  os: linux
-  arch: arm64
+pool:
+  use: ubuntu_arm64
 
 steps:
 - name: build
-  image: golang:1.18
+  image: golang:1.22
   commands:
   - go test ./...
   - sh scripts/build.sh
@@ -178,6 +217,23 @@ steps:
       exclude:
       - pull_request
 
+- name: gar
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-arm64
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.arm64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
+
 - name: ecr
   image: plugins/docker
   settings:
@@ -246,6 +302,22 @@ steps:
       exclude:
       - pull_request
 
+- name: gar-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.arm64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
 
 - name: ecr-kaniko-v1-9
   image: plugins/docker
@@ -265,9 +337,12 @@ steps:
       - pull_request
 ---
 kind: pipeline
-type: docker
+type: vm
 name: notifications-docker
 
+pool:
+  use: ubuntu
+
 platform:
   os: linux
   arch: amd64
@@ -297,6 +372,18 @@ steps:
     username:
       from_secret: docker_username
 
+- name: manifest-gar
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: true
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/gar/manifest.tmpl
+    username:
+      from_secret: docker_username
+
 - name: manifest-acr
   pull: always
   image: plugins/manifest
@@ -332,9 +419,12 @@ depends_on:
 
 ---
 kind: pipeline
-type: docker
+type: vm
 name: notifications-docker-kaniko1-8
 
+pool:
+  use: ubuntu
+
 platform:
   os: linux
   arch: amd64
@@ -364,6 +454,18 @@ steps:
     username:
       from_secret: docker_username
 
+- name: manifest-gar
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: false
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/gar/manifest-kaniko1.9.1.tmpl
+    username:
+      from_secret: docker_username
+
 - name: manifest-ecr
   pull: always
   image: plugins/manifest

cmd/kaniko-acr/main.go

@@ -37,6 +37,7 @@ var (
 	ACRCertPath   = "/kaniko/acr-cert.pem"
 	pluginVersion = "unknown"
 	username      = "00000000-0000-0000-0000-000000000000"
+	maxPageCount  = 1000 // maximum count of pages to cycle through before we break out
 )
 
 func main() {
@@ -206,6 +207,157 @@ func main() {
 			Usage:  "build only used stages",
 			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
 		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringSliceFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -232,28 +384,58 @@ func run(c *cli.Context) error {
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			DroneCommitRef:   c.String("drone-commit-ref"),
-			DroneRepoBranch:  c.String("drone-repo-branch"),
-			Dockerfile:       c.String("dockerfile"),
-			Context:          c.String("context"),
-			Tags:             c.StringSlice("tags"),
-			AutoTag:          c.Bool("auto-tag"),
-			AutoTagSuffix:    c.String("auto-tag-suffix"),
-			ExpandTag:        c.Bool("expand-tag"),
-			Args:             c.StringSlice("args"),
-			Target:           c.String("target"),
-			Repo:             c.String("repo"),
-			Mirrors:          c.StringSlice("registry-mirrors"),
-			Labels:           c.StringSlice("custom-labels"),
-			SnapshotMode:     c.String("snapshot-mode"),
-			EnableCache:      c.Bool("enable-cache"),
-			CacheRepo:        fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
-			CacheTTL:         c.Int("cache-ttl"),
-			DigestFile:       defaultDigestFile,
-			NoPush:           noPush,
-			Verbosity:        c.String("verbosity"),
-			Platform:         c.String("platform"),
-			SkipUnusedStages: c.Bool("skip-unused-stages"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        c.String("repo"),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -263,6 +445,14 @@ func run(c *cli.Context) error {
 			RegistryType: artifact.Docker,
 		},
 	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
 	return plugin.Exec()
 }
 
@@ -407,32 +597,56 @@ func getPublicUrl(token, registryUrl, subscriptionId string) (string, error) {
 	}
 
 	registry := strings.Split(registryUrl, ".")[0]
-	burl := "https://management.azure.com/subscriptions/" +
+	baseURL := "https://management.azure.com/subscriptions/" +
 		subscriptionId + "/resources?$filter=resourceType%20eq%20'Microsoft.ContainerRegistry/registries'%20and%20name%20eq%20'" +
 		registry + "'&api-version=2021-04-01&$select=id"
 
 	method := "GET"
 	client := &http.Client{}
-	req, err := http.NewRequest(method, burl, nil)
-	if err != nil {
-		fmt.Println(err)
-		return "", errors.Wrap(err, "failed to create request for getting container registry setting")
+
+	cnt := 0
+
+	for {
+		// this is just in case we end up cycling through nextLink's infinitely.
+		// this should not happen - added as a precaution.
+		if cnt > maxPageCount {
+			break
+		}
+		cnt++
+		req, err := http.NewRequest(method, baseURL, nil)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to create request for getting container registry setting")
+		}
+
+		req.Header.Add("Authorization", "Bearer "+token)
+		res, err := client.Do(req)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+		}
+		defer res.Body.Close()
+
+		var response strct
+		err = json.NewDecoder(res.Body).Decode(&response)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+		}
+
+		if len(response.Value) > 0 {
+			if response.Value[0].ID == "" { // should not happen
+				return "", errors.New("received empty registry ID from /subscriptions API")
+			}
+			return finalUrl + encodeParam(response.Value[0].ID), nil
+		}
+
+		if response.NextLink == "" {
+			// No more pages, break the loop
+			break
+		}
+
+		baseURL = response.NextLink
 	}
 
-	req.Header.Add("Authorization", "Bearer "+token)
-	res, err := client.Do(req)
-	if err != nil {
-		fmt.Println(err)
-		return "", errors.Wrap(err, "failed to send request for getting container registry setting")
-	}
-	defer res.Body.Close()
-
-	var response strct
-	err = json.NewDecoder(res.Body).Decode(&response)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to send request for getting container registry setting")
-	}
-	return finalUrl + encodeParam(response.Value[0].ID), nil
+	return "", errors.New("did not receive any registry information from /subscriptions API")
 }
 
 func encodeParam(s string) string {
@@ -443,4 +657,5 @@ type strct struct {
 	Value []struct {
 		ID string `json:"id"`
 	} `json:"value"`
+	NextLink string `json:"nextLink"` // for pagination
 }

cmd/kaniko-docker/main.go

@@ -176,6 +176,11 @@ func main() {
 			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
 			EnvVar: "PLUGIN_NO_PUSH",
 		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH",
+		},
 		cli.StringFlag{
 			Name:   "verbosity",
 			Usage:  "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -191,6 +196,162 @@ func main() {
 			Usage:  "build only used stages",
 			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
 		},
+		cli.StringFlag{
+			Name:   "output-file",
+			Usage:  "Output file location that will be generated by the plugin. This file will include information of the output that are exported by the plugin.",
+			EnvVar: "DRONE_OUTPUT",
+		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -217,29 +378,60 @@ func run(c *cli.Context) error {
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			DroneCommitRef:   c.String("drone-commit-ref"),
-			DroneRepoBranch:  c.String("drone-repo-branch"),
-			Dockerfile:       c.String("dockerfile"),
-			Context:          c.String("context"),
-			Tags:             c.StringSlice("tags"),
-			AutoTag:          c.Bool("auto-tag"),
-			AutoTagSuffix:    c.String("auto-tag-suffix"),
-			ExpandTag:        c.Bool("expand-tag"),
-			Args:             c.StringSlice("args"),
-			Target:           c.String("target"),
-			Repo:             buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
-			Mirrors:          c.StringSlice("registry-mirrors"),
-			Labels:           c.StringSlice("custom-labels"),
-			SkipTlsVerify:    c.Bool("skip-tls-verify"),
-			SnapshotMode:     c.String("snapshot-mode"),
-			EnableCache:      c.Bool("enable-cache"),
-			CacheRepo:        buildRepo(c.String("registry"), c.String("cache-repo"), c.Bool("expand-repo")),
-			CacheTTL:         c.Int("cache-ttl"),
-			DigestFile:       defaultDigestFile,
-			NoPush:           noPush,
-			Verbosity:        c.String("verbosity"),
-			Platform:         c.String("platform"),
-			SkipUnusedStages: c.Bool("skip-unused-stages"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SkipTlsVerify:               c.Bool("skip-tls-verify"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   buildRepo(c.String("registry"), c.String("cache-repo"), c.Bool("expand-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			TarPath:                     c.String("tar-path"),
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -248,6 +440,17 @@ func run(c *cli.Context) error {
 			ArtifactFile: c.String("artifact-file"),
 			RegistryType: artifact.Docker,
 		},
+		Output: kaniko.Output{
+			OutputFile: c.String("output-file"),
+		},
+	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
 	}
 	return plugin.Exec()
 }

cmd/kaniko-ecr/main.go

@@ -17,6 +17,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
+	ecrpublicv1 "github.com/aws/aws-sdk-go/service/ecrpublic"
 	"github.com/aws/smithy-go"
 	"github.com/hashicorp/go-version"
 	"github.com/joho/godotenv"
@@ -233,6 +234,157 @@ func main() {
 			Usage:  "build only used stages",
 			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
 		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -245,6 +397,8 @@ func run(c *cli.Context) error {
 	registry := c.String("registry")
 	region := c.String("region")
 	noPush := c.Bool("no-push")
+	assumeRole := c.String("assume-role")
+	externalId := c.String("external-id")
 
 	dockerConfig, err := createDockerConfig(
 		c.String("docker-registry"),
@@ -253,8 +407,8 @@ func run(c *cli.Context) error {
 		c.String("access-key"),
 		c.String("secret-key"),
 		registry,
-		c.String("assume-role"),
-		c.String("external-id"),
+		assumeRole,
+		externalId,
 		region,
 		noPush,
 	)
@@ -273,7 +427,7 @@ func run(c *cli.Context) error {
 
 	// only create repository when pushing and create-repository is true
 	if !noPush && c.Bool("create-repository") {
-		if err := createRepository(region, repo, registry); err != nil {
+		if err := createRepository(region, repo, registry, assumeRole, externalId); err != nil {
 			return err
 		}
 	}
@@ -283,7 +437,7 @@ func run(c *cli.Context) error {
 		if err != nil {
 			logrus.Fatal(err)
 		}
-		if err := uploadLifeCyclePolicy(region, repo, string(contents)); err != nil {
+		if err := uploadLifeCyclePolicy(region, repo, string(contents), assumeRole, externalId); err != nil {
 			logrus.Fatal(fmt.Sprintf("error uploading ECR lifecycle policy: %v", err))
 		}
 	}
@@ -293,35 +447,65 @@ func run(c *cli.Context) error {
 		if err != nil {
 			logrus.Fatal(err)
 		}
-		if err := uploadRepositoryPolicy(region, repo, registry, string(contents)); err != nil {
+		if err := uploadRepositoryPolicy(region, repo, registry, string(contents), assumeRole, externalId); err != nil {
 			logrus.Fatal(fmt.Sprintf("error uploading ECR lifecycle policy: %v", err))
 		}
 	}
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			DroneCommitRef:   c.String("drone-commit-ref"),
-			DroneRepoBranch:  c.String("drone-repo-branch"),
-			Dockerfile:       c.String("dockerfile"),
-			Context:          c.String("context"),
-			Tags:             c.StringSlice("tags"),
-			AutoTag:          c.Bool("auto-tag"),
-			AutoTagSuffix:    c.String("auto-tag-suffix"),
-			ExpandTag:        c.Bool("expand-tag"),
-			Args:             c.StringSlice("args"),
-			Target:           c.String("target"),
-			Repo:             fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
-			Mirrors:          c.StringSlice("registry-mirrors"),
-			Labels:           c.StringSlice("custom-labels"),
-			SnapshotMode:     c.String("snapshot-mode"),
-			EnableCache:      c.Bool("enable-cache"),
-			CacheRepo:        fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
-			CacheTTL:         c.Int("cache-ttl"),
-			DigestFile:       defaultDigestFile,
-			NoPush:           noPush,
-			Verbosity:        c.String("verbosity"),
-			Platform:         c.String("platform"),
-			SkipUnusedStages: c.Bool("skip-unused-stages"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -331,6 +515,14 @@ func run(c *cli.Context) error {
 			RegistryType: artifact.ECR,
 		},
 	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
 	return plugin.Exec()
 }
 
@@ -383,7 +575,7 @@ func createDockerConfig(dockerRegistry, dockerUsername, dockerPassword, accessKe
 	return dockerConfig, nil
 }
 
-func createRepository(region, repo, registry string) error {
+func createRepository(region, repo, registry, assumeRole, externalId string) error {
 	if registry == "" {
 		return fmt.Errorf("registry must be specified")
 	}
@@ -392,22 +584,29 @@ func createRepository(region, repo, registry string) error {
 		return fmt.Errorf("repo must be specified")
 	}
 
-	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
-	if err != nil {
-		return errors.Wrap(err, "failed to load aws config")
-	}
-
 	var createErr error
 
-	//create public repo
-	//if registry string starts with public domain (ex: public.ecr.aws/example-registry)
-	if isRegistryPublic(registry) {
-		svc := ecrpublic.NewFromConfig(cfg)
-		_, createErr = svc.CreateRepository(context.TODO(), &ecrpublic.CreateRepositoryInput{RepositoryName: &repo})
-		//create private repo
+	if assumeRole != "" {
+		if isRegistryPublic(registry) {
+			_, createErr = getAssumeRoleEcrPublicSvc(region, assumeRole, externalId).CreateRepository(&ecrpublicv1.CreateRepositoryInput{RepositoryName: &repo})
+		} else {
+			_, createErr = getAssumeRoleEcrSvc(region, assumeRole, externalId).CreateRepository(&ecrv1.CreateRepositoryInput{RepositoryName: &repo})
+		}
 	} else {
-		svc := ecr.NewFromConfig(cfg)
-		_, createErr = svc.CreateRepository(context.TODO(), &ecr.CreateRepositoryInput{RepositoryName: &repo})
+		cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
+		if err != nil {
+			return errors.Wrap(err, "failed to load aws config")
+		}
+		//create public repo
+		//if registry string starts with public domain (ex: public.ecr.aws/example-registry)
+		if isRegistryPublic(registry) {
+			svc := ecrpublic.NewFromConfig(cfg)
+			_, createErr = svc.CreateRepository(context.TODO(), &ecrpublic.CreateRepositoryInput{RepositoryName: &repo})
+			//create private repo
+		} else {
+			svc := ecr.NewFromConfig(cfg)
+			_, createErr = svc.CreateRepository(context.TODO(), &ecr.CreateRepositoryInput{RepositoryName: &repo})
+		}
 	}
 
 	var apiError smithy.APIError
@@ -418,46 +617,67 @@ func createRepository(region, repo, registry string) error {
 	return nil
 }
 
-func uploadLifeCyclePolicy(region, repo, lifecyclePolicy string) (err error) {
-	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
-	if err != nil {
-		return errors.Wrap(err, "failed to load aws config")
-	}
+func uploadLifeCyclePolicy(region, repo, lifecyclePolicy, assumeRole, externalId string) (err error) {
+	if assumeRole != "" {
+		input := &ecrv1.PutLifecyclePolicyInput{
+			LifecyclePolicyText: aws.String(lifecyclePolicy),
+			RepositoryName:      aws.String(repo),
+		}
+		_, err = getAssumeRoleEcrSvc(region, assumeRole, externalId).PutLifecyclePolicy(input)
+	} else {
+		cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
+		if err != nil {
+			return errors.Wrap(err, "failed to load aws config")
+		}
 
-	svc := ecr.NewFromConfig(cfg)
+		svc := ecr.NewFromConfig(cfg)
 
-	input := &ecr.PutLifecyclePolicyInput{
-		LifecyclePolicyText: aws.String(lifecyclePolicy),
-		RepositoryName:      aws.String(repo),
+		input := &ecr.PutLifecyclePolicyInput{
+			LifecyclePolicyText: aws.String(lifecyclePolicy),
+			RepositoryName:      aws.String(repo),
+		}
+		_, err = svc.PutLifecyclePolicy(context.TODO(), input)
 	}
-	_, err = svc.PutLifecyclePolicy(context.TODO(), input)
 
 	return err
 }
 
-func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy string) (err error) {
-	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
-	if err != nil {
-		return errors.Wrap(err, "failed to load aws config")
-	}
-
-	if isRegistryPublic(registry) {
-		svc := ecrpublic.NewFromConfig(cfg)
-
-		input := &ecrpublic.SetRepositoryPolicyInput{
-			PolicyText:     aws.String(repositoryPolicy),
-			RepositoryName: aws.String(repo),
+func uploadRepositoryPolicy(region, repo, registry, repositoryPolicy, assumeRole, externalId string) (err error) {
+	if assumeRole != "" {
+		if isRegistryPublic(registry) {
+			input := &ecrpublicv1.SetRepositoryPolicyInput{
+				PolicyText:     aws.String(repositoryPolicy),
+				RepositoryName: aws.String(repo),
+			}
+			_, err = getAssumeRoleEcrPublicSvc(region, assumeRole, externalId).SetRepositoryPolicy(input)
+		} else {
+			input := &ecrv1.SetRepositoryPolicyInput{
+				PolicyText:     aws.String(repositoryPolicy),
+				RepositoryName: aws.String(repo),
+			}
+			_, err = getAssumeRoleEcrSvc(region, assumeRole, externalId).SetRepositoryPolicy(input)
 		}
-		_, err = svc.SetRepositoryPolicy(context.TODO(), input)
 	} else {
-
-		svc := ecr.NewFromConfig(cfg)
-
-		input := &ecr.SetRepositoryPolicyInput{
-			PolicyText:     aws.String(repositoryPolicy),
-			RepositoryName: aws.String(repo),
+		cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
+		if err != nil {
+			return errors.Wrap(err, "failed to load aws config")
+		}
+
+		if isRegistryPublic(registry) {
+			svc := ecrpublic.NewFromConfig(cfg)
+			input := &ecrpublic.SetRepositoryPolicyInput{
+				PolicyText:     aws.String(repositoryPolicy),
+				RepositoryName: aws.String(repo),
+			}
+			_, err = svc.SetRepositoryPolicy(context.TODO(), input)
+		} else {
+			svc := ecr.NewFromConfig(cfg)
+			input := &ecr.SetRepositoryPolicyInput{
+				PolicyText:     aws.String(repositoryPolicy),
+				RepositoryName: aws.String(repo),
+			}
+			_, err = svc.SetRepositoryPolicy(context.TODO(), input)
 		}
-		_, err = svc.SetRepositoryPolicy(context.TODO(), input)
 	}
 
 	return err
@@ -507,6 +727,36 @@ func getAuthInfo(svc *ecrv1.ECR) (username, password, registry string, err error
 	return
 }
 
+func getAssumeRoleEcrSvc(region, assumeRole, externalId string) *ecrv1.ECR {
+	sess, err := session.NewSession(&awsv1.Config{Region: &region})
+	if err != nil {
+		logrus.Fatal(err, "failed to create aws session")
+	}
+
+	return ecrv1.New(sess, &awsv1.Config{
+		Credentials: stscreds.NewCredentials(sess, assumeRole, func(p *stscreds.AssumeRoleProvider) {
+			if externalId != "" {
+				p.ExternalID = &externalId
+			}
+		}),
+	})
+}
+
+func getAssumeRoleEcrPublicSvc(region, assumeRole, externalId string) *ecrpublicv1.ECRPublic {
+	sess, err := session.NewSession(&awsv1.Config{Region: &region})
+	if err != nil {
+		logrus.Fatal(err, "failed to create aws session")
+	}
+
+	return ecrpublicv1.New(sess, &awsv1.Config{
+		Credentials: stscreds.NewCredentials(sess, assumeRole, func(p *stscreds.AssumeRoleProvider) {
+			if externalId != "" {
+				p.ExternalID = &externalId
+			}
+		}),
+	})
+}
+
 func isRegistryPublic(registry string) bool {
 	return strings.HasPrefix(registry, ecrPublicDomain)
 }

cmd/kaniko-gar/main.go

@@ -0,0 +1,423 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/joho/godotenv"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
+
+	kaniko "github.com/drone/drone-kaniko"
+	"github.com/drone/drone-kaniko/pkg/artifact"
+)
+
+const (
+	// GAR JSON key file path
+	garKeyPath     string = "/kaniko/config.json"
+	garEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
+
+	defaultDigestFile string = "/kaniko/digest-file"
+)
+
+var (
+	version = "unknown"
+)
+
+func main() {
+	// Load env-file if it exists first
+	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
+		if err := godotenv.Load(env); err != nil {
+			logrus.Fatal(err)
+		}
+	}
+
+	app := cli.NewApp()
+	app.Name = "kaniko gar plugin"
+	app.Usage = "kaniko gar plugin"
+	app.Action = run
+	app.Version = version
+	app.Flags = []cli.Flag{
+		cli.StringFlag{
+			Name:   "dockerfile",
+			Usage:  "build dockerfile",
+			Value:  "Dockerfile",
+			EnvVar: "PLUGIN_DOCKERFILE",
+		},
+		cli.StringFlag{
+			Name:   "context",
+			Usage:  "build context",
+			Value:  ".",
+			EnvVar: "PLUGIN_CONTEXT",
+		},
+		cli.StringFlag{
+			Name:   "drone-commit-ref",
+			Usage:  "git commit ref passed by Drone",
+			EnvVar: "DRONE_COMMIT_REF",
+		},
+		cli.StringFlag{
+			Name:   "drone-repo-branch",
+			Usage:  "git repository default branch passed by Drone",
+			EnvVar: "DRONE_REPO_BRANCH",
+		},
+		cli.StringSliceFlag{
+			Name:     "tags",
+			Usage:    "build tags",
+			Value:    &cli.StringSlice{"latest"},
+			EnvVar:   "PLUGIN_TAGS",
+			FilePath: ".tags",
+		},
+		cli.BoolFlag{
+			Name:   "expand-tag",
+			Usage:  "enable for semver tagging",
+			EnvVar: "PLUGIN_EXPAND_TAG",
+		},
+		cli.BoolFlag{
+			Name:   "auto-tag",
+			Usage:  "enable auto generation of build tags",
+			EnvVar: "PLUGIN_AUTO_TAG",
+		},
+		cli.StringFlag{
+			Name:   "auto-tag-suffix",
+			Usage:  "the suffix of auto build tags",
+			EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
+		},
+		cli.StringSliceFlag{
+			Name:   "args",
+			Usage:  "build args",
+			EnvVar: "PLUGIN_BUILD_ARGS",
+		},
+		cli.StringFlag{
+			Name:   "target",
+			Usage:  "build target",
+			EnvVar: "PLUGIN_TARGET",
+		},
+		cli.StringFlag{
+			Name:   "repo",
+			Usage:  "gar repository",
+			EnvVar: "PLUGIN_REPO",
+		},
+		cli.StringSliceFlag{
+			Name:   "custom-labels",
+			Usage:  "additional k=v labels",
+			EnvVar: "PLUGIN_CUSTOM_LABELS",
+		},
+		cli.StringFlag{
+			Name:   "registry",
+			Usage:  "gar registry",
+			EnvVar: "PLUGIN_REGISTRY",
+		},
+		cli.StringSliceFlag{
+			Name:   "registry-mirrors",
+			Usage:  "docker registry mirrors",
+			EnvVar: "PLUGIN_REGISTRY_MIRRORS",
+		},
+		cli.StringFlag{
+			Name:   "json-key",
+			Usage:  "docker username",
+			EnvVar: "PLUGIN_JSON_KEY",
+		},
+		cli.StringFlag{
+			Name:   "snapshot-mode",
+			Usage:  "Specify one of full, redo or time as snapshot mode",
+			EnvVar: "PLUGIN_SNAPSHOT_MODE",
+		},
+		cli.BoolFlag{
+			Name:   "enable-cache",
+			Usage:  "Set this flag to opt into caching with kaniko",
+			EnvVar: "PLUGIN_ENABLE_CACHE",
+		},
+		cli.StringFlag{
+			Name:   "cache-repo",
+			Usage:  "Remote repository that will be used to store cached layers. Cache repo should be present in specified registry. enable-cache needs to be set to use this flag",
+			EnvVar: "PLUGIN_CACHE_REPO",
+		},
+		cli.IntFlag{
+			Name:   "cache-ttl",
+			Usage:  "Cache timeout in hours. Defaults to two weeks.",
+			EnvVar: "PLUGIN_CACHE_TTL",
+		},
+		cli.StringFlag{
+			Name:   "artifact-file",
+			Usage:  "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
+			EnvVar: "PLUGIN_ARTIFACT_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "no-push",
+			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
+			EnvVar: "PLUGIN_NO_PUSH",
+		},
+		cli.StringFlag{
+			Name:   "verbosity",
+			Usage:  "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
+			EnvVar: "PLUGIN_VERBOSITY",
+		},
+		cli.StringFlag{
+			Name:   "platform",
+			Usage:  "Allows to build with another default platform than the host, similarly to docker build --platform",
+			EnvVar: "PLUGIN_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "skip-unused-stages",
+			Usage:  "build only used stages",
+			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
+		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
+	}
+
+	if err := app.Run(os.Args); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+func run(c *cli.Context) error {
+	noPush := c.Bool("no-push")
+	jsonKey := c.String("json-key")
+
+	// JSON key may not be set in the following cases:
+	// 1. Image does not need to be pushed to GAR.
+	// 2. Workload identity is set on GKE in which pod will inherit the credentials via service account.
+	if jsonKey != "" {
+		if err := setupGARAuth(jsonKey); err != nil {
+			return err
+		}
+	}
+
+	plugin := kaniko.Plugin{
+		Build: kaniko.Build{
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
+		},
+		Artifact: kaniko.Artifact{
+			Tags:         c.StringSlice("tags"),
+			Repo:         c.String("repo"),
+			Registry:     c.String("registry"),
+			ArtifactFile: c.String("artifact-file"),
+			RegistryType: artifact.GAR,
+		},
+	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
+	return plugin.Exec()
+}
+
+func setupGARAuth(jsonKey string) error {
+	err := ioutil.WriteFile(garKeyPath, []byte(jsonKey), 0644)
+	if err != nil {
+		return errors.Wrap(err, "failed to write GAR JSON key")
+	}
+
+	err = os.Setenv(garEnvVariable, garKeyPath)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", garEnvVariable))
+	}
+	return nil
+}

cmd/kaniko-gcr/main.go

@@ -165,6 +165,157 @@ func main() {
 			Usage:  "build only used stages",
 			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
 		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -187,28 +338,58 @@ func run(c *cli.Context) error {
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			DroneCommitRef:   c.String("drone-commit-ref"),
-			DroneRepoBranch:  c.String("drone-repo-branch"),
-			Dockerfile:       c.String("dockerfile"),
-			Context:          c.String("context"),
-			Tags:             c.StringSlice("tags"),
-			AutoTag:          c.Bool("auto-tag"),
-			AutoTagSuffix:    c.String("auto-tag-suffix"),
-			ExpandTag:        c.Bool("expand-tag"),
-			Args:             c.StringSlice("args"),
-			Target:           c.String("target"),
-			Repo:             fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
-			Mirrors:          c.StringSlice("registry-mirrors"),
-			Labels:           c.StringSlice("custom-labels"),
-			SnapshotMode:     c.String("snapshot-mode"),
-			EnableCache:      c.Bool("enable-cache"),
-			CacheRepo:        fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
-			CacheTTL:         c.Int("cache-ttl"),
-			DigestFile:       defaultDigestFile,
-			NoPush:           noPush,
-			Verbosity:        c.String("verbosity"),
-			Platform:         c.String("platform"),
-			SkipUnusedStages: c.Bool("skip-unused-stages"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			Target:                      c.String("target"),
+			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -218,6 +399,14 @@ func run(c *cli.Context) error {
 			RegistryType: artifact.GCR,
 		},
 	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
 	return plugin.Exec()
 }
 

docker/acr/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
+FROM gcr.io/kaniko-project/executor:v1.20.1
 
-ENV KANIKO_VERSION=1.9.1
+ENV KANIKO_VERSION=1.20.1
 ADD release/linux/amd64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]

docker/acr/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
+FROM gcr.io/kaniko-project/executor:v1.20.1
 
 ENV HOME /root
 ENV USER root
 
-ENV KANIKO_VERSION=1.9.1
+ENV KANIKO_VERSION=1.20.1
 ADD release/linux/arm64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]

docker/docker/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
+FROM gcr.io/kaniko-project/executor:v1.20.1
 
-ENV KANIKO_VERSION=1.9.1
+ENV KANIKO_VERSION=1.20.1
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
+FROM gcr.io/kaniko-project/executor:v1.20.1
 
 ENV HOME /root
 ENV USER root
 
-ENV KANIKO_VERSION=1.9.1
+ENV KANIKO_VERSION=1.20.1
 ADD release/linux/arm64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/ecr/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
+FROM gcr.io/kaniko-project/executor:v1.20.1
 
-ENV KANIKO_VERSION=1.9.1
+ENV KANIKO_VERSION=1.20.1
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
+FROM gcr.io/kaniko-project/executor:v1.20.1
 
 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.9.1
+ENV KANIKO_VERSION=1.20.1
 
 ADD release/linux/arm64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/gar/Dockerfile.linux.amd64

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.20.1
+
+ENV KANIKO_VERSION=1.20.1
+ADD release/linux/amd64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.amd64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/amd64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.arm64

@@ -0,0 +1,8 @@
+FROM gcr.io/kaniko-project/executor:v1.20.1
+
+ENV HOME /root
+ENV USER root
+ENV KANIKO_VERSION=1.20.1
+
+ADD release/linux/arm64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.arm64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/arm64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/manifest-kaniko1.9.1.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
+    platform:
+      architecture: arm64
+      os: linux

docker/gar/manifest.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux

docker/gcr/Dockerfile.linux.amd64

@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
+FROM gcr.io/kaniko-project/executor:v1.20.1
 
-ENV KANIKO_VERSION=1.9.1
+ENV KANIKO_VERSION=1.20.1
 ADD release/linux/amd64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.arm64

@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.9.1
+FROM gcr.io/kaniko-project/executor:v1.20.1
 
 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.9.1
+ENV KANIKO_VERSION=1.20.1
 
 ADD release/linux/arm64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]

go.mod

@@ -1,6 +1,8 @@
 module github.com/drone/drone-kaniko
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
 	github.com/aws/aws-sdk-go v1.44.52
 	github.com/aws/aws-sdk-go-v2 v1.16.7
 	github.com/aws/aws-sdk-go-v2/config v1.15.14
@@ -18,8 +20,6 @@ require (
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.9 // indirect
@@ -43,4 +43,4 @@ require (
 	golang.org/x/text v0.3.7 // indirect
 )
 
-go 1.18
+go 1.22

go.sum

@@ -43,9 +43,13 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
+github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
+github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -76,9 +80,9 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeV
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/urfave/cli v1.22.9 h1:cv3/KhXGBGjEXLC4bH0sLuJ9BewaAbpk5oyMOveu4pw=
 github.com/urfave/cli v1.22.9/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
@@ -93,8 +97,6 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e h1:NHvCuwuS43lGnYhten69ZWqi2QOj/CiDNcKbVqwVoew=
-golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -103,5 +105,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

kaniko.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/output"
 	"github.com/drone/drone-kaniko/pkg/tagger"
 	"golang.org/x/mod/semver"
 )
@@ -38,6 +39,43 @@ type (
 		Verbosity        string   // Log level
 		Platform         string   // Allows to build with another default platform than the host, similarly to docker build --platform
 		SkipUnusedStages bool     // Build only used stages
+		TarPath          string   // Set this flag to save the image as a tarball at path
+
+		Cache                       bool   // Enable or disable caching during the build process.
+		CacheDir                    string // Directory to store cached layers.
+		CacheCopyLayers             bool   // Enable or disable copying layers from the cache.
+		CacheRunLayers              bool   // Enable or disable running layers from the cache.
+		Cleanup                     bool   // Enable or disable cleanup of temporary files.
+		CompressedCaching           *bool  // Enable or disable compressed caching.
+		ContextSubPath              string // Sub-path within the context to build.
+		CustomPlatform              string // Platform to use for building.
+		Force                       bool   // Force building the image even if it already exists.
+		Git                         bool   // Branch to clone if build context is a git repository .
+		ImageNameWithDigestFile     string // Write image name with digest to a file.
+		ImageNameTagWithDigestFile  string // Write image name with tag and digest to a file.
+		Insecure                    bool   // Allow connecting to registries without TLS.
+		InsecurePull                bool   // Allow insecure pulls from the registry.
+		InsecureRegistry            string // Use plain HTTP for registry communication.
+		Label                       string // Add metadata to an image.
+		LogFormat                   string // Set the log format for build output.
+		LogTimestamp                bool   // Show timestamps in build output.
+		OCILayoutPath               string // Directory to store OCI layout.
+		PushRetry                   int    // Number of times to retry pushing an image.
+		RegistryCertificate         string // Path to a file containing a registry certificate.
+		RegistryClientCert          string // Path to a file containing a registry client certificate.
+		RegistryMirror              string // Mirror for registry pulls.
+		SkipDefaultRegistryFallback bool   // Skip Docker Hub and default registry fallback.
+		Reproducible                bool   // Create a reproducible image.
+		SingleSnapshot              bool   // Only create a single snapshot of the image.
+		SkipTLSVerify               bool   // Skip TLS verification when connecting to the registry.
+		SkipPushPermissionCheck     bool   // Skip permission check when pushing.
+		SkipTLSVerifyPull           bool   // Skip TLS verification when pulling.
+		SkipTLSVerifyRegistry       bool   // Skip TLS verification when connecting to a registry.
+		UseNewRun                   bool   // Use the new container runtime (`runc`) for builds.
+		IgnoreVarRun                *bool  // Ignore `/var/run` when copying from the context.
+		IgnorePath                  string // Ignore files matching the specified path pattern.
+		ImageFSExtractRetry         int    // Number of times to retry extracting the image filesystem.
+		ImageDownloadRetry          int    // Number of times to retry downloading layers.
 	}
 
 	// Artifact defines content of artifact file
@@ -49,10 +87,16 @@ type (
 		ArtifactFile string                    // Artifact file location
 	}
 
+	// Output defines content of output file
+	Output struct {
+		OutputFile string // File where plugin output are saved
+	}
+
 	// Plugin defines the Docker plugin parameters.
 	Plugin struct {
 		Build    Build    // Docker build configuration
 		Artifact Artifact // Artifact file content
+		Output   Output   // Output file content
 	}
 )
 
@@ -148,14 +192,15 @@ func (p Plugin) Exec() error {
 		fmt.Sprintf("--context=dir://%s", p.Build.Context),
 	}
 
-	// Set the destination repository
-	if !p.Build.NoPush {
+	// Set the destination repository only when we push or save to tarball
+	if !p.Build.NoPush || p.Build.TarPath != "" {
 		for _, tag := range tags {
 			for _, label := range p.Build.labelsForTag(tag) {
 				cmdArgs = append(cmdArgs, fmt.Sprintf("--destination=%s:%s", p.Build.Repo, label))
 			}
 		}
 	}
+
 	// Set the build arguments
 	for _, arg := range p.Build.Args {
 		cmdArgs = append(cmdArgs, fmt.Sprintf("--build-arg=%s", arg))
@@ -212,6 +257,138 @@ func (p Plugin) Exec() error {
 		cmdArgs = append(cmdArgs, "--skip-unused-stages")
 	}
 
+	if p.Build.TarPath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--tar-path=%s", p.Build.TarPath))
+	}
+
+	if p.Build.CacheCopyLayers {
+		cmdArgs = append(cmdArgs, "--cache-copy-layers")
+	}
+
+	if p.Build.CacheRunLayers {
+		cmdArgs = append(cmdArgs, "--cache-run-layers=true")
+	}
+
+	if p.Build.Cleanup {
+		cmdArgs = append(cmdArgs, "--cleanup=true")
+	}
+
+	if p.Build.CompressedCaching != nil {
+		if *p.Build.CompressedCaching {
+			cmdArgs = append(cmdArgs, "--compressed-caching=true")
+		} else {
+			cmdArgs = append(cmdArgs, "--compressed-caching=false")
+		}
+	}
+
+	if p.Build.ContextSubPath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--context-sub-path=%s", p.Build.ContextSubPath))
+	}
+
+	if p.Build.CustomPlatform != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--custom-platform=%s", p.Build.CustomPlatform))
+	}
+
+	if p.Build.Force {
+		cmdArgs = append(cmdArgs, "--force")
+	}
+
+	if p.Build.Git {
+		cmdArgs = append(cmdArgs, "--git")
+	}
+
+	if p.Build.ImageNameWithDigestFile != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-name-with-digest-file=%s", p.Build.ImageNameWithDigestFile))
+	}
+
+	if p.Build.ImageNameTagWithDigestFile != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-name-tag-with-digest-file=%s", p.Build.ImageNameTagWithDigestFile))
+	}
+
+	if p.Build.Insecure {
+		cmdArgs = append(cmdArgs, "--insecure")
+	}
+
+	if p.Build.InsecurePull {
+		cmdArgs = append(cmdArgs, "--insecure-pull")
+	}
+
+	if p.Build.InsecureRegistry != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--insecure-registry=%s", p.Build.InsecureRegistry))
+	}
+
+	if p.Build.LogFormat != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--log-format=%s", p.Build.LogFormat))
+	}
+
+	if p.Build.LogTimestamp {
+		cmdArgs = append(cmdArgs, "--log-timestamp")
+	}
+
+	if p.Build.OCILayoutPath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--oci-layout-path=%s", p.Build.OCILayoutPath))
+	}
+
+	if p.Build.PushRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--push-retry=%d", p.Build.PushRetry))
+	}
+
+	if p.Build.RegistryCertificate != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-certificate=%s", p.Build.RegistryCertificate))
+	}
+
+	if p.Build.RegistryClientCert != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-client-cert=%s", p.Build.RegistryClientCert))
+	}
+
+	if p.Build.SkipDefaultRegistryFallback {
+		cmdArgs = append(cmdArgs, "--skip-default-registry-fallback")
+	}
+
+	if p.Build.Reproducible {
+		cmdArgs = append(cmdArgs, "--reproducible")
+	}
+
+	if p.Build.SingleSnapshot {
+		cmdArgs = append(cmdArgs, "--single-snapshot")
+	}
+
+	if p.Build.SkipPushPermissionCheck {
+		cmdArgs = append(cmdArgs, "--skip-push-permission-check")
+	}
+
+	if p.Build.SkipTLSVerifyPull {
+		cmdArgs = append(cmdArgs, "--skip-tls-verify-pull")
+	}
+
+	if p.Build.SkipTLSVerifyRegistry {
+		cmdArgs = append(cmdArgs, "--skip-tls-verify-registry")
+	}
+
+	if p.Build.UseNewRun {
+		cmdArgs = append(cmdArgs, "--use-new-run")
+	}
+
+	if p.Build.IgnoreVarRun != nil {
+		if *p.Build.IgnoreVarRun {
+			cmdArgs = append(cmdArgs, "--ignore-var-run=true")
+		} else {
+			cmdArgs = append(cmdArgs, "--ignore-var-run=false")
+		}
+	}
+
+	if p.Build.IgnorePath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", p.Build.IgnorePath))
+	}
+
+	if p.Build.ImageFSExtractRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-fs-extract-retry=%d", p.Build.ImageFSExtractRetry))
+	}
+
+	if p.Build.ImageDownloadRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-download-retry=%d", p.Build.ImageDownloadRetry))
+	}
+
 	cmd := exec.Command("/kaniko/executor", cmdArgs...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
@@ -223,19 +400,29 @@ func (p Plugin) Exec() error {
 	}
 
 	if p.Build.DigestFile != "" && p.Artifact.ArtifactFile != "" {
-		content, err := ioutil.ReadFile(p.Build.DigestFile)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "failed to read digest file contents at path: %s with error: %s\n", p.Build.DigestFile, err)
-		}
-		err = artifact.WritePluginArtifactFile(p.Artifact.RegistryType, p.Artifact.ArtifactFile, p.Artifact.Registry, p.Artifact.Repo, string(content), p.Artifact.Tags)
+		err = artifact.WritePluginArtifactFile(p.Artifact.RegistryType, p.Artifact.ArtifactFile, p.Artifact.Registry, p.Artifact.Repo, getDigest(p.Build.DigestFile), p.Artifact.Tags)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "failed to write plugin artifact file at path: %s with error: %s\n", p.Artifact.ArtifactFile, err)
 		}
 	}
 
+	if p.Output.OutputFile != "" {
+		if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile)); err != nil {
+			fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
+		}
+	}
+
 	return nil
 }
 
+func getDigest(digestFile string) string {
+	content, err := ioutil.ReadFile(digestFile)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to read digest file contents at path: %s with error: %s\n", digestFile, err)
+	}
+	return string(content)
+}
+
 // trace writes each command to stdout with the command wrapped in an xml
 // tag so that it can be extracted and displayed in the logs.
 func trace(cmd *exec.Cmd) {

pkg/artifact/artifact.go

@@ -20,6 +20,7 @@ const (
 	Docker RegistryTypeEnum = "Docker"
 	ECR    RegistryTypeEnum = "ECR"
 	GCR    RegistryTypeEnum = "GCR"
+	GAR    RegistryTypeEnum = "GAR"
 )
 
 type (

pkg/output/output.go

@@ -0,0 +1,12 @@
+package output
+
+import (
+	"github.com/joho/godotenv"
+)
+
+func WritePluginOutputFile(outputFilePath, digest string) error {
+	output := map[string]string{
+		"digest": digest,
+	}
+	return godotenv.Write(output, outputFilePath)
+}

scripts/build.sh

@@ -14,13 +14,16 @@ GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gcr    ./cmd/kani
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-acr    ./cmd/kaniko-acr
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-ecr    ./cmd/kaniko-ecr
 GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
+GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gar    ./cmd/kaniko-gar
 
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gcr    ./cmd/kaniko-gcr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-acr    ./cmd/kaniko-acr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-ecr    ./cmd/kaniko-ecr
 GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-docker ./cmd/kaniko-docker
+GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gar    ./cmd/kaniko-gar
 
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-gcr      ./cmd/kaniko-gcr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-acr      ./cmd/kaniko-acr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-ecr      ./cmd/kaniko-ecr
 GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-docker   ./cmd/kaniko-docker
+GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-gar      ./cmd/kaniko-gar

scripts/docker.sh

@@ -15,10 +15,12 @@ set -x
 
 # build the binary
 go build -o release/linux/amd64/kaniko-gcr    ./cmd/kaniko-gcr
+go build -o release/linux/amd64/kaniko-gar    ./cmd/kaniko-gar
 go build -o release/linux/amd64/kaniko-ecr    ./cmd/kaniko-ecr
 go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
 
 # build the docker image
 docker build -f docker/gcr/Dockerfile.linux.amd64    -t plugins/kaniko-gcr .
+docker build -f docker/gar/Dockerfile.linux.amd64    -t plugins/kaniko-gar .
 docker build -f docker/ecr/Dockerfile.linux.amd64    -t plugins/kaniko-ecr .
 docker build -f docker/docker/Dockerfile.linux.amd64 -t plugins/kaniko .