feat: [CI-19349]: Added oidc support for ACR (#154)

* feat: [CI-18693]: Added oidc support for ACR

* feat: [CI-19349]: error handling

* feat: [CI-19349]: Refactored the code and added cli flags

* feat: [CI-19349]: Added test cases

* Update cmd/kaniko-acr/main.go

* Update cmd/kaniko-acr/main.go

* Update cmd/kaniko-acr/main.go

* feat: [CI-19349]: changed the variable names

* feat: [CI-18693]: Added error handling

* feat: [CI-19349]: removed redundant code

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>

.drone.yml

@@ -1,10 +1,17 @@
 kind: pipeline
-type: docker
+type: vm
 name: default
 
+pool:
+  use: ubuntu
+
+platform:
+  os: linux
+  arch: amd64
+
 steps:
 - name: build
-  image: golang
+  image: golang:1.22.4
   commands:
   - go test ./...
   - sh scripts/build.sh
@@ -14,30 +21,468 @@ steps:
   settings:
     repo: plugins/kaniko
     auto_tag: true
-    dockerfile: docker/gcr/Dockerfile.linux.amd64
+    auto_tag_suffix: linux-amd64
+    daemon_off: false
+    dockerfile: docker/docker/Dockerfile.linux.amd64
     username:
       from_secret: docker_username
     password:
       from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
 
 - name: gcr
   image: plugins/docker
   settings:
     repo: plugins/kaniko-gcr
     auto_tag: true
+    auto_tag_suffix: linux-amd64
+    daemon_off: false
     dockerfile: docker/gcr/Dockerfile.linux.amd64
     username:
       from_secret: docker_username
     password:
       from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: gar
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-amd64
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.amd64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
 
 - name: ecr
   image: plugins/docker
   settings:
     repo: plugins/kaniko-ecr
     auto_tag: true
+    auto_tag_suffix: linux-amd64
+    daemon_off: false
     dockerfile: docker/ecr/Dockerfile.linux.amd64
     username:
       from_secret: docker_username
     password:
       from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: acr
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-acr
+    auto_tag: true
+    auto_tag_suffix: linux-amd64
+    daemon_off: false
+    dockerfile: docker/acr/Dockerfile.linux.amd64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: docker-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko
+    auto_tag: true
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/docker/Dockerfile.linux.amd64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: gcr-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gcr
+    auto_tag: true
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/gcr/Dockerfile.linux.amd64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: gar-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.amd64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
+
+- name: ecr-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-ecr
+    auto_tag: true
+    auto_tag_suffix: linux-amd64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/ecr/Dockerfile.linux.amd64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+---
+kind: pipeline
+type: vm
+name: arm
+
+pool:
+  use: ubuntu_arm64
+
+steps:
+- name: build
+  image: golang:1.22.4
+  commands:
+  - go test ./...
+  - sh scripts/build.sh
+
+- name: docker
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko
+    auto_tag: true
+    auto_tag_suffix: linux-arm64
+    daemon_off: false
+    dockerfile: docker/docker/Dockerfile.linux.arm64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: gcr
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gcr
+    auto_tag: true
+    auto_tag_suffix: linux-arm64
+    daemon_off: false
+    dockerfile: docker/gcr/Dockerfile.linux.arm64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: gar
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-arm64
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.arm64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
+
+- name: ecr
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-ecr
+    auto_tag: true
+    auto_tag_suffix: linux-arm64
+    daemon_off: false
+    dockerfile: docker/ecr/Dockerfile.linux.arm64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: acr
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-acr
+    auto_tag: true
+    auto_tag_suffix: linux-arm64
+    daemon_off: false
+    dockerfile: docker/acr/Dockerfile.linux.arm64
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: docker-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko
+    auto_tag: true
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/docker/Dockerfile.linux.arm64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: gcr-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gcr
+    auto_tag: true
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/gcr/Dockerfile.linux.arm64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+
+- name: gar-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-gar
+    auto_tag: true
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/gar/Dockerfile.linux.arm64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+        - pull_request
+
+- name: ecr-kaniko-v1-9
+  image: plugins/docker
+  settings:
+    repo: plugins/kaniko-ecr
+    auto_tag: true
+    auto_tag_suffix: linux-arm64-kaniko1.9.1
+    daemon_off: false
+    dockerfile: docker/ecr/Dockerfile.linux.arm64.kaniko1.9.1
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      exclude:
+      - pull_request
+---
+kind: pipeline
+type: vm
+name: notifications-docker
+
+pool:
+  use: ubuntu
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: manifest-docker
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: true
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/docker/manifest.tmpl
+    username:
+      from_secret: docker_username
+
+- name: manifest-gcr
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: true
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/gcr/manifest.tmpl
+    username:
+      from_secret: docker_username
+
+- name: manifest-gar
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: true
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/gar/manifest.tmpl
+    username:
+      from_secret: docker_username
+
+- name: manifest-acr
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: true
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/acr/manifest.tmpl
+    username:
+      from_secret: docker_username
+
+- name: manifest-ecr
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: true
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/ecr/manifest.tmpl
+    username:
+      from_secret: docker_username
+
+trigger:
+  ref:
+  - refs/heads/main
+  - "refs/tags/**"
+
+depends_on:
+- default
+- arm
+
+---
+kind: pipeline
+type: vm
+name: notifications-docker-kaniko1-8
+
+pool:
+  use: ubuntu
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+- name: manifest-docker
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: false
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/docker/manifest-kaniko1.9.1.tmpl
+    username:
+      from_secret: docker_username
+
+- name: manifest-gcr
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: false
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/gcr/manifest-kaniko1.9.1.tmpl
+    username:
+      from_secret: docker_username
+
+- name: manifest-gar
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: false
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/gar/manifest-kaniko1.9.1.tmpl
+    username:
+      from_secret: docker_username
+
+- name: manifest-ecr
+  pull: always
+  image: plugins/manifest
+  settings:
+    auto_tag: false
+    ignore_missing: true
+    password:
+      from_secret: docker_password
+    spec: docker/ecr/manifest-kaniko1.9.1.tmpl
+    username:
+      from_secret: docker_username
+
+trigger:
+  ref:
+  - refs/heads/main
+  - "refs/tags/**"
+
+depends_on:
+- default
+- arm

.gitignore

@@ -1,3 +1,5 @@
 release
 coverage.out
 vendor
+.idea
+.vscode

.harness/eventPR.yaml

@@ -0,0 +1,14 @@
+inputSet:
+  name: event-PR
+  identifier: eventPR
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: PR
+            spec:
+              number: <+trigger.prNumber>

.harness/eventPush.yaml

@@ -0,0 +1,14 @@
+inputSet:
+  name: event-Push
+  identifier: eventPush
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: branch
+            spec:
+              branch: <+trigger.branch>

.harness/eventTag.yaml

@@ -0,0 +1,14 @@
+inputSet:
+  name: event-Tag
+  identifier: eventTag
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: tag
+            spec:
+              tag: <+trigger.tag>

.harness/harness.yaml

@@ -0,0 +1,656 @@
+pipeline:
+  name: drone-kaniko-harness
+  identifier: dronekanikoharness
+  projectIdentifier: Drone_Plugins
+  orgIdentifier: default
+  tags: {}
+  properties:
+    ci:
+      codebase:
+        connectorRef: GitHub_Drone_Org
+        repoName: drone-kaniko
+        build: <+input>
+        sparseCheckout: []
+  stages:
+    - parallel:
+        - stage:
+            name: linux-amd64
+            identifier: linuxamd64
+            description: ""
+            type: CI
+            spec:
+              cloneCodebase: true
+              caching:
+                enabled: false
+                paths: []
+              platform:
+                os: Linux
+                arch: Amd64
+              runtime:
+                type: Cloud
+                spec: {}
+              execution:
+                steps:
+                  - step:
+                      type: Run
+                      name: Build Binary
+                      identifier: Build
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: golang:1.23.0
+                        shell: Sh
+                        command: |-
+                          go test ./...
+                          sh scripts/build.sh
+                  - parallel:
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag
+                          identifier: BuildAndPushDockerTag
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-amd64
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gcr
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: _<+matrix.repo>
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag_Kaniko
+                          identifier: BuildAndPushDockerTag_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-amd64-kaniko1.9.1
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: <+matrix.repo>
+                  - parallel:
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch
+                          identifier: BuildAndPushDockerBranch
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-amd64
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gcr
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: <+matrix.repo>
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch_Kaniko
+                          identifier: BuildAndPushDockerBranch_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-amd64-kaniko1.9.1
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+            when:
+              pipelineStatus: Success
+        - stage:
+            name: linux-arm64
+            identifier: linuxarm64
+            description: ""
+            type: CI
+            spec:
+              cloneCodebase: true
+              caching:
+                enabled: false
+                paths: []
+              platform:
+                os: Linux
+                arch: Arm64
+              runtime:
+                type: Cloud
+                spec: {}
+              execution:
+                steps:
+                  - step:
+                      type: Run
+                      name: Build Binary
+                      identifier: Build_and_Test
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: golang:1.23.0
+                        shell: Sh
+                        command: |-
+                          go test ./...
+                          sh scripts/build.sh
+                  - parallel:
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag
+                          identifier: BuildAndPushDockerTag
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-arm64
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gcr
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: _<+matrix.repo>
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag_Kaniko
+                          identifier: BuildAndPushDockerTag_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-arm64-kaniko1.9.1
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+                  - parallel:
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch
+                          identifier: BuildAndPushDockerBranch
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-arm64
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gcr
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: <+matrix.repo>
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch_Kaniko
+                          identifier: BuildAndPushDockerBranch_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-arm64-kaniko1.9.1
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+            when:
+              pipelineStatus: Success
+    - stage:
+        name: Manifest
+        identifier: Manifest
+        description: ""
+        type: CI
+        spec:
+          cloneCodebase: true
+          caching:
+            enabled: false
+            paths: []
+          platform:
+            os: Linux
+            arch: Amd64
+          runtime:
+            type: Cloud
+            spec: {}
+          execution:
+            steps:
+              - parallel:
+                  - step:
+                      type: Plugin
+                      name: Manifest
+                      identifier: Manifest
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: plugins/manifest
+                        settings:
+                          auto_tag: "true"
+                          spec: docker/<+matrix.repo>/manifest.tmpl
+                          username: drone
+                          password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                          ignore_missing: "true"
+                      when:
+                        stageStatus: Success
+                        condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
+                      strategy:
+                        matrix:
+                          repo:
+                            - docker
+                            - gcr
+                            - gar
+                            - ecr
+                            - acr
+                          nodeName: manifest_<+matrix.repo>
+                  - step:
+                      type: Plugin
+                      name: Manifest_kaniko191
+                      identifier: Manifest_kaniko
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: plugins/manifest
+                        settings:
+                          auto_tag: "false"
+                          spec: docker/<+matrix.repo>/manifest-kaniko1.9.1.tmpl
+                          username: drone
+                          password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                          ignore_missing: "true"
+                      when:
+                        stageStatus: Success
+                        condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
+                      strategy:
+                        matrix:
+                          repo:
+                            - docker
+                            - gcr
+                            - gar
+                            - ecr
+                          nodeName: manifest_<+matrix.repo>
+        when:
+          pipelineStatus: Success
+  allowStageExecutions: true

README.md

@@ -2,6 +2,15 @@
 
 Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko) to build and publish Docker images to a container registry.
 
+Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.
+
+Run the following script to install git-leaks support to this repo.
+
+```
+chmod +x ./git-hooks/install.sh
+./git-hooks/install.sh
+```
+
 ## Build
 
 Build the binaries with the following commands:
@@ -15,6 +24,7 @@ export GO111MODULE=on
 go build -v -a -tags netgo -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
 go build -v -a -tags netgo -o release/linux/amd64/kaniko-gcr ./cmd/kaniko-gcr
 go build -v -a -tags netgo -o release/linux/amd64/kaniko-ecr ./cmd/kaniko-ecr
+go build -v -a -tags netgo -o release/linux/amd64/kaniko-acr ./cmd/kaniko-acr
 ```
 
 ## Docker
@@ -25,7 +35,12 @@ Build the Docker images with the following commands:
 docker build \
   --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
   --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
-  --file docker/docker/Dockerfile.linux.amd64 --tag plugins/kaniko-docker .
+  --file docker/docker/Dockerfile.linux.amd64 --tag plugins/kaniko .
+
+docker build \
+  --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
+  --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
+  --file docker/acr/Dockerfile.linux.amd64 --tag plugins/kaniko-acr .
 
 docker build \
   --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
@@ -38,8 +53,75 @@ docker build \
   --file docker/ecr/Dockerfile.linux.amd64 --tag plugins/kaniko-ecr .
 ```
 
+### Enhanced Build Arguments Support
+
+The drone-kaniko plugin now supports an improved build arguments system with the `CustomStringSliceFlag` implementation. This feature provides a more flexible way to pass multiple build arguments to your Docker builds.
+
+#### Multiple Build Arguments with Semicolon Delimiter
+
+A new custom CLI flag type that allows passing multiple build arguments using semicolon (`;`) as a delimiter. This flag is available across all registry implementations:
+
+- `kaniko-docker`
+- `kaniko-gcr` (Google Container Registry)
+- `kaniko-ecr` (Amazon Elastic Container Registry)
+- `kaniko-acr` (Azure Container Registry)
+- `kaniko-gar` (Google Artifact Registry)
+
+**Usage:**
+
+```console
+docker run --rm \
+    -e PLUGIN_BUILD_ARGS_NEW="ARG1=value1;ARG2=value2;ARG3=value3" \
+    -e PLUGIN_REPO=foo/bar \
+    -v $(pwd):/drone \
+    -w /drone \
+    plugins/kaniko:linux-amd64
+```
+
+#### For build args containing commas
+
+When your build arguments contain commas, enable the `PLUGIN_MULTIPLE_BUILD_ARGS` flag:
+
+```console
+docker run --rm \
+    -e PLUGIN_MULTIPLE_BUILD_ARGS=true \
+    -e PLUGIN_BUILD_ARGS_NEW="KEY1=value,with,comma;KEY2=another,value" \
+    -e PLUGIN_REPO=foo/bar \
+    -v $(pwd):/drone \
+    -w /drone \
+    plugins/kaniko:linux-amd64
+```
+
 ## Usage
 
+### Operation Modes
+
+Default Mode (Build and Push):
+
+When neither `no_push` nor `push_only` is provided. Plugin builds and pushes the Docker image to a container registry.
+
+Build-Only Mode (no-push):
+
+When `no_push` is true and `destination_tar_path` is defined.
+Plugin performs only the image build operation and saves the resulting image tarball to the specified `destination_tar_path`
+It does not push the image to any registry.
+
+Push-Only Mode (push-only):
+
+When `push_only` is true and `source_tar_path` is defined.
+Plugin loads an existing image tarball from the specified `source_tar_path`
+and pushes the loaded image to a Container Registry.
+It skips the build process.
+
+### Mutually Exclusive Inputs
+
+If both `no_push` and `push_only` inputs are provided, the plugin will:
+
+Terminate the operation and
+throw an error with the message: "Inputs no-push and push-only cannot be used together. Please define only one."
+
+### Manual Tagging
+
 ```console
 docker run --rm \
     -e PLUGIN_TAGS=1.2,latest \
@@ -49,5 +131,85 @@ docker run --rm \
     -e PLUGIN_PASSWORD=bar \
     -v $(pwd):/drone \
     -w /drone \
-    plugins/kaniko-docker
+    plugins/kaniko:linux-amd64
 ```
+
+With expanded tagging enabled, semantic versions can be passed to PLUGIN_TAGS directly for expansion.
+
+**Note**: this feature only works for build labels. Artifact labels are not supported.
+
+```console
+docker run --rm \
+    -e PLUGIN_TAGS=v1.2.3,latest \
+    -e PLUGIN_EXPAND_TAG=true \
+    -v $(pwd):/drone \
+    -w /drone \
+    plugins/kaniko:linux-amd64
+```
+
+would both be equivalent to
+
+```
+PLUGIN_TAGS=1,1.2,1.2.3,latest
+```
+
+This allows for passing `$DRONE_TAG` directly as a tag for repos that use [semver](https://semver.org) tags.
+
+To avoid confusion between repo tags and image tags, `PLUGIN_EXPAND_TAG` also recognizes a semantic version
+without the `v` prefix. As such, the following is also equivalent to the above:
+
+```console
+docker run --rm \
+    -e PLUGIN_TAGS=1.2.3,latest \
+    -e PLUGIN_EXPAND_TAG=true \
+    -v $(pwd):/drone \
+    -w /drone \
+    plugins/kaniko:linux-amd64
+```
+
+### Auto Tagging
+
+The [auto tag feature](https://plugins.drone.io/drone-plugins/drone-docker) of docker plugin is also supported.
+
+When auto tagging is enabled, if any of the case is matched below, a docker build will be pushed with auto generated tags. Otherwise the docker build will be skipped.
+
+**Note**: this feature only works for build labels. Artifact labels are not supported.
+
+#### Git Tag Push:
+
+```console
+docker run --rm \
+    -e DRONE_COMMIT_REF=refs/tags/v1.2.3 \
+    -e PLUGIN_REPO=foo/bar \
+    -e PLUGIN_USERNAME=foo \
+    -e PLUGIN_PASSWORD=bar \
+    -e PLUGIN_AUTO_TAG=true \
+    -v $(pwd):/drone \
+    -w /drone \
+    plugins/kaniko:linux-amd64
+```
+
+Tags to push:
+
+- 1.2.3
+- 1.2
+- 1
+
+#### Git Commit Push in default branch:
+
+```console
+docker run --rm \
+    -e DRONE_COMMIT_REF=refs/heads/master \
+    -e DRONE_REPO_BRANCH=main \
+    -e PLUGIN_REPO=foo/bar \
+    -e PLUGIN_USERNAME=foo \
+    -e PLUGIN_PASSWORD=bar \
+    -e PLUGIN_AUTO_TAG=true \
+    -v $(pwd):/drone \
+    -w /drone \
+    plugins/kaniko:linux-amd64
+```
+
+Tags to push:
+
+- latest

cmd/kaniko-acr/main.go

@@ -0,0 +1,896 @@
+package main
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
+
+	kaniko "github.com/drone/drone-kaniko"
+	azureutil "github.com/drone/drone-kaniko/internal/azure"
+	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
+)
+
+const (
+	clientIdEnv        string = "AZURE_CLIENT_ID"
+	clientSecretKeyEnv string = "AZURE_CLIENT_SECRET"
+	dockerConfigPath   string = "/kaniko/.docker"
+	tenantKeyEnv       string = "AZURE_TENANT_ID"
+	certPathEnv        string = "AZURE_CLIENT_CERTIFICATE_PATH"
+	defaultDigestFile  string = "/kaniko/digest-file"
+	finalUrl           string = "https://portal.azure.com/#view/Microsoft_Azure_ContainerRegistries/TagMetadataBlade/registryId/"
+)
+
+var (
+	ACRCertPath   = "/kaniko/acr-cert.pem"
+	pluginVersion = "unknown"
+	username      = "00000000-0000-0000-0000-000000000000"
+	maxPageCount  = 1000 // maximum count of pages to cycle through before we break out
+)
+
+func main() {
+	// TODO Add the env file functionality
+	app := cli.NewApp()
+	app.Name = "kaniko docker plugin"
+	app.Usage = "kaniko docker plugin"
+	app.Action = run
+	app.Version = pluginVersion
+	app.Flags = []cli.Flag{
+		cli.StringFlag{
+			Name:   "dockerfile",
+			Usage:  "build dockerfile",
+			Value:  "Dockerfile",
+			EnvVar: "PLUGIN_DOCKERFILE",
+		},
+		cli.StringFlag{
+			Name:   "context",
+			Usage:  "build context",
+			Value:  ".",
+			EnvVar: "PLUGIN_CONTEXT",
+		},
+		cli.StringFlag{
+			Name:   "drone-commit-ref",
+			Usage:  "git commit ref passed by Drone",
+			EnvVar: "DRONE_COMMIT_REF",
+		},
+		cli.StringFlag{
+			Name:   "drone-repo-branch",
+			Usage:  "git repository default branch passed by Drone",
+			EnvVar: "DRONE_REPO_BRANCH",
+		},
+		cli.StringSliceFlag{
+			Name:     "tags",
+			Usage:    "build tags",
+			Value:    &cli.StringSlice{"latest"},
+			EnvVar:   "PLUGIN_TAGS",
+			FilePath: ".tags",
+		},
+		cli.BoolFlag{
+			Name:   "expand-tag",
+			Usage:  "enable for semver tagging",
+			EnvVar: "PLUGIN_EXPAND_TAG",
+		},
+		cli.BoolFlag{
+			Name:   "auto-tag",
+			Usage:  "enable auto generation of build tags",
+			EnvVar: "PLUGIN_AUTO_TAG",
+		},
+		cli.StringFlag{
+			Name:   "auto-tag-suffix",
+			Usage:  "the suffix of auto build tags",
+			EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
+		},
+		cli.StringSliceFlag{
+			Name:   "args",
+			Usage:  "build args",
+			EnvVar: "PLUGIN_BUILD_ARGS",
+		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
+		cli.StringFlag{
+			Name:   "target",
+			Usage:  "build target",
+			EnvVar: "PLUGIN_TARGET",
+		},
+		cli.StringFlag{
+			Name:   "repo",
+			Usage:  "docker repository",
+			EnvVar: "PLUGIN_REPO",
+		},
+		cli.BoolFlag{
+			Name:   "create-repository",
+			Usage:  "create ACR repository",
+			EnvVar: "PLUGIN_CREATE_REPOSITORY",
+		},
+		cli.StringSliceFlag{
+			Name:   "custom-labels",
+			Usage:  "additional k=v labels",
+			EnvVar: "PLUGIN_CUSTOM_LABELS",
+		},
+		cli.StringFlag{
+			Name:   "registry",
+			Usage:  "ACR registry",
+			EnvVar: "PLUGIN_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "base-image-registry",
+			Usage:  "Docker registry for base image",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "base-image-username",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
+		},
+		cli.StringFlag{
+			Name:   "base-image-password",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
+		},
+		cli.StringSliceFlag{
+			Name:   "registry-mirrors",
+			Usage:  "docker registry mirrors",
+			EnvVar: "PLUGIN_REGISTRY_MIRRORS",
+		},
+		cli.StringFlag{
+			Name:   "client-secret",
+			Usage:  "Azure client secret",
+			EnvVar: "CLIENT_SECRET",
+		},
+		cli.StringFlag{
+			Name:   "client-cert",
+			Usage:  "Azure client certificate encoded in base64 format",
+			EnvVar: "CLIENT_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "tenant-id",
+			Usage:  "Azure Tenant Id",
+			EnvVar: "TENANT_ID,AZURE_TENANT_ID,PLUGIN_TENANT_ID",
+		},
+		cli.StringFlag{
+			Name:   "subscription-id",
+			Usage:  "Azure Subscription Id",
+			EnvVar: "SUBSCRIPTION_ID",
+		},
+		cli.StringFlag{
+			Name:   "client-id",
+			Usage:  "Azure Client ID (also called App ID)",
+			EnvVar: "CLIENT_ID,AZURE_CLIENT_ID,PLUGIN_CLIENT_ID,AZURE_APP_ID",
+		},
+		cli.StringFlag{
+			Name:   "oidc-token-id",
+			Usage:  "OIDC ID token to exchange for Azure AD access token (federated credentials)",
+			EnvVar: "PLUGIN_OIDC_TOKEN_ID",
+		},
+		cli.StringFlag{
+			Name:   "azure-authority-host",
+			Usage:  "Azure authority host base URL (e.g., https://login.microsoftonline.com, https://login.microsoftonline.us)",
+			EnvVar: "AZURE_AUTHORITY_HOST",
+		},
+		cli.StringFlag{
+			Name:   "snapshot-mode",
+			Usage:  "Specify one of full, redo or time as snapshot mode",
+			EnvVar: "PLUGIN_SNAPSHOT_MODE",
+		},
+		cli.StringFlag{
+			Name:   "lifecycle-policy",
+			Usage:  "Path to lifecycle policy file",
+			EnvVar: "PLUGIN_LIFECYCLE_POLICY",
+		},
+		cli.StringFlag{
+			Name:   "repository-policy",
+			Usage:  "Path to repository policy file",
+			EnvVar: "PLUGIN_REPOSITORY_POLICY",
+		},
+		cli.BoolFlag{
+			Name:   "enable-cache",
+			Usage:  "Set this flag to opt into caching with kaniko",
+			EnvVar: "PLUGIN_ENABLE_CACHE",
+		},
+		cli.StringFlag{
+			Name:   "cache-repo",
+			Usage:  "Remote repository that will be used to store cached layers. Cache repo should be present in specified registry. enable-cache needs to be set to use this flag",
+			EnvVar: "PLUGIN_CACHE_REPO",
+		},
+		cli.IntFlag{
+			Name:   "cache-ttl",
+			Usage:  "Cache timeout in hours. Defaults to two weeks.",
+			EnvVar: "PLUGIN_CACHE_TTL",
+		},
+		cli.StringFlag{
+			Name:   "artifact-file",
+			Usage:  "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
+			EnvVar: "PLUGIN_ARTIFACT_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "no-push",
+			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
+			EnvVar: "PLUGIN_NO_PUSH",
+		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Set this flag if you only want to push a pre-built image from a tarball",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Path to the local tarball to be pushed when push-only is set",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "verbosity",
+			Usage:  "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
+			EnvVar: "PLUGIN_VERBOSITY",
+		},
+		cli.StringFlag{
+			Name:   "platform",
+			Usage:  "Allows to build with another default platform than the host, similarly to docker build --platform",
+			EnvVar: "PLUGIN_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "skip-unused-stages",
+			Usage:  "build only used stages",
+			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
+		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringSliceFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
+	}
+
+	if err := app.Run(os.Args); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+func run(c *cli.Context) error {
+	// Check if push-only flag is set
+	if c.Bool("push-only") {
+		return handlePushOnly(c)
+	}
+
+	registry := c.String("registry")
+	noPush := c.Bool("no-push")
+
+	clientID := c.String("client-id")
+	tenantID := c.String("tenant-id")
+	oidcIdToken := c.String("oidc-token-id")
+	authorityHost := c.String("azure-authority-host")
+
+	var publicUrl string
+	var err error
+	publicUrl, err = setupAuth(
+		tenantID,
+		clientID,
+		oidcIdToken,
+		c.String("client-cert"),
+		c.String("client-secret"),
+		c.String("subscription-id"),
+		registry,
+		c.String("base-image-username"),
+		c.String("base-image-password"),
+		c.String("base-image-registry"),
+		authorityHost,
+		noPush,
+	)
+	if err != nil {
+		return err
+	}
+
+	plugin := kaniko.Plugin{
+		Build: kaniko.Build{
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
+			Target:                      c.String("target"),
+			Repo:                        c.String("repo"),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
+		},
+		Artifact: kaniko.Artifact{
+			Tags:         c.StringSlice("tags"),
+			Repo:         c.String("repo"),
+			Registry:     publicUrl, // this is public url on which the artifact can be seen
+			ArtifactFile: c.String("artifact-file"),
+			RegistryType: artifact.Docker,
+		},
+	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
+
+	// Set tar-path if provided
+	if c.IsSet("tar-path") {
+		plugin.Build.TarPath = c.String("tar-path")
+	}
+
+	return plugin.Exec()
+}
+
+func setupAuth(tenantId, clientId, oidcIdToken, cert,
+	clientSecret, subscriptionId, registry, dockerUsername, dockerPassword, dockerRegistry, authorityHost string, noPush bool) (string, error) {
+	if registry == "" {
+		return "", fmt.Errorf("registry must be specified")
+	}
+
+	// Determine auth path: OIDC or Service Principal (secret/cert)
+	if tenantId == "" || clientId == "" {
+		if noPush {
+			logrus.Warnf("NO_PUSH mode: tenantId or clientId not provided")
+			return "", nil
+		}
+		return "", fmt.Errorf("tenantId and clientId must be provided")
+	}
+
+	var aadAccessToken string
+	var acrToken string
+	var publicUrl string
+	var err error
+
+	if oidcIdToken != "" {
+		// Exchange OIDC ID token for AAD access token via client_assertion
+		aadAccessToken, err = azureutil.GetAADAccessTokenViaClientAssertion(context.Background(), tenantId, clientId, oidcIdToken, authorityHost)
+		if err != nil {
+			return handleError(noPush, err, "failed to get AAD token via OIDC")
+		}
+		publicUrl, err = getPublicUrl(aadAccessToken, registry, subscriptionId)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
+		}
+		// Exchange AAD access token to ACR refresh token
+		acrToken, err = fetchACRToken(tenantId, aadAccessToken, registry)
+		if err != nil {
+			return handleError(noPush, err, "failed to fetch ACR token")
+		}
+	} else if clientSecret != "" || cert != "" {
+		acrToken, publicUrl, err = getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
+		if err != nil {
+			return handleError(noPush, err, "failed to fetch ACR Token")
+		}
+	} else {
+		if noPush {
+			return "", nil
+		}
+		return "", fmt.Errorf("managed authentication is not supported")
+	}
+
+	if err := setDockerAuth(username, acrToken, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
+		return handleError(noPush, err, "failed to create docker config")
+	}
+	return publicUrl, nil
+}
+
+// Error handling
+func handleError(noPush bool, err error, msg string) (string, error) {
+	if noPush {
+		logrus.Warnf("NO_PUSH mode: %s: %v", msg, err)
+		return "", nil
+	}
+	return "", errors.Wrap(err, msg)
+}
+
+func getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry string) (string, string, error) {
+	if tenantId == "" {
+		return "", "", fmt.Errorf("tenantId can't be empty for AAD authentication")
+	}
+
+	if clientId == "" {
+		return "", "", fmt.Errorf("clientId can't be empty for AAD authentication")
+	}
+
+	if clientSecret == "" && cert == "" {
+		return "", "", fmt.Errorf("one of client secret or cert should be defined")
+	}
+
+	// in case of authentication via cert
+	if cert != "" {
+		err := setupACRCert(cert)
+		if err != nil {
+			errors.Wrap(err, "failed to push setup cert file")
+		}
+	}
+
+	if err := os.Setenv(clientIdEnv, clientId); err != nil {
+		return "", "", errors.Wrap(err, "failed to set env variable client Id")
+	}
+	if err := os.Setenv(clientSecretKeyEnv, clientSecret); err != nil {
+		return "", "", errors.Wrap(err, "failed to set env variable client secret")
+	}
+	if err := os.Setenv(tenantKeyEnv, tenantId); err != nil {
+		return "", "", errors.Wrap(err, "failed to set env variable tenant Id")
+	}
+	if err := os.Setenv(certPathEnv, ACRCertPath); err != nil {
+		return "", "", errors.Wrap(err, "failed to set env variable cert path")
+	}
+	env, err := azidentity.NewEnvironmentCredential(nil)
+	if err != nil {
+		return "", "", errors.Wrap(err, "failed to get env credentials from azure")
+	}
+
+	policy := policy.TokenRequestOptions{
+		Scopes: []string{"https://management.azure.com/.default"},
+	}
+	os.Unsetenv(clientIdEnv)
+	os.Unsetenv(clientSecretKeyEnv)
+	os.Unsetenv(tenantKeyEnv)
+	os.Unsetenv(certPathEnv)
+
+	azToken, err := env.GetToken(context.Background(), policy)
+	if err != nil {
+		return "", "", errors.Wrap(err, "failed to fetch access token")
+	}
+
+	publicUrl, err := getPublicUrl(azToken.Token, registry, subscriptionId)
+	if err != nil {
+		// execution should not fail because of this error.
+		fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
+	}
+
+	ACRToken, err := fetchACRToken(tenantId, azToken.Token, registry)
+	if err != nil {
+		return "", "", errors.Wrap(err, "failed to fetch ACR token")
+	}
+	return ACRToken, publicUrl, nil
+}
+
+func fetchACRToken(tenantId, token, registry string) (string, error) {
+	formData := url.Values{
+		"grant_type":   {"access_token"},
+		"service":      {registry},
+		"tenant":       {tenantId},
+		"access_token": {token},
+	}
+	jsonResponse, err := http.PostForm(fmt.Sprintf("https://%s/oauth2/exchange", registry), formData)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to fetch ACR token")
+	}
+	var response map[string]interface{}
+	err = json.NewDecoder(jsonResponse.Body).Decode(&response)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to decode oauth exchange response")
+	}
+
+	if x, found := response["refresh_token"]; found {
+		s, ok := x.(string)
+		if !ok {
+			errors.New("failed to cast refresh token from acr")
+		} else {
+			return s, nil
+		}
+	} else {
+		return "", errors.Wrap(err, "refresh token not found in response of oauth exchange call")
+	}
+	return "", errors.New("failed to get refresh token from acr")
+}
+
+func setupACRCert(cert string) error {
+	decoded, err := base64.StdEncoding.DecodeString(cert)
+	if err != nil {
+		return errors.Wrap(err, "failed to base64 decode ACR certificate")
+	}
+	err = ioutil.WriteFile(ACRCertPath, []byte(decoded), 0644)
+	if err != nil {
+		return errors.Wrap(err, "failed to write ACR certificate")
+	}
+	return nil
+}
+
+func getPublicUrl(token, registryUrl, subscriptionId string) (string, error) {
+	// for backward compatibilty, if the subscription id is not defined, do not fail step.
+	if len(subscriptionId) == 0 {
+		return "", nil
+	}
+
+	registry := strings.Split(registryUrl, ".")[0]
+	baseURL := "https://management.azure.com/subscriptions/" +
+		subscriptionId + "/resources?$filter=resourceType%20eq%20'Microsoft.ContainerRegistry/registries'%20and%20name%20eq%20'" +
+		registry + "'&api-version=2021-04-01&$select=id"
+
+	method := "GET"
+	client := &http.Client{}
+
+	cnt := 0
+
+	for {
+		// this is just in case we end up cycling through nextLink's infinitely.
+		// this should not happen - added as a precaution.
+		if cnt > maxPageCount {
+			break
+		}
+		cnt++
+		req, err := http.NewRequest(method, baseURL, nil)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to create request for getting container registry setting")
+		}
+
+		req.Header.Add("Authorization", "Bearer "+token)
+		res, err := client.Do(req)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+		}
+		defer res.Body.Close()
+
+		var response strct
+		err = json.NewDecoder(res.Body).Decode(&response)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+		}
+
+		if len(response.Value) > 0 {
+			if response.Value[0].ID == "" { // should not happen
+				return "", errors.New("received empty registry ID from /subscriptions API")
+			}
+			return finalUrl + encodeParam(response.Value[0].ID), nil
+		}
+
+		if response.NextLink == "" {
+			// No more pages, break the loop
+			break
+		}
+
+		baseURL = response.NextLink
+	}
+
+	return "", errors.New("did not receive any registry information from /subscriptions API")
+}
+
+func setDockerAuth(username, password, registry, dockerUsername, dockerPassword, dockerRegistry string) error {
+	dockerConfig := docker.NewConfig()
+	pushToRegistryCreds := docker.RegistryCredentials{
+		Registry: registry,
+		Username: username,
+		Password: password,
+	}
+
+	credentials := []docker.RegistryCredentials{pushToRegistryCreds}
+
+	if dockerRegistry != "" {
+		pullFromRegistryCreds := docker.RegistryCredentials{
+			Registry: dockerRegistry,
+			Username: dockerUsername,
+			Password: dockerPassword,
+		}
+		credentials = append(credentials, pullFromRegistryCreds)
+	} else {
+		fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+			"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
+	}
+	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
+}
+
+func encodeParam(s string) string {
+	return url.QueryEscape(s)
+}
+
+func handlePushOnly(c *cli.Context) error {
+	// Validate inputs for push-only operation
+	sourceTarPath := c.String("source-tar-path")
+	if sourceTarPath == "" {
+		return fmt.Errorf("source_tar_path is required when push_only is set")
+	}
+
+	if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
+		return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
+	}
+
+	repo := c.String("repo")
+	registry := c.String("registry")
+	if repo == "" || registry == "" {
+		return fmt.Errorf("repository and registry must be specified for push-only operation")
+	}
+
+	// Resolve Azure client/tenant and OIDC via CLI flags
+	clientID := c.String("client-id")
+	tenantID := c.String("tenant-id")
+	oidcIdToken := c.String("oidc-token-id")
+	authorityHost := c.String("azure-authority-host")
+
+	var publicUrl string
+	var err error
+	publicUrl, err = setupAuth(
+		tenantID,
+		clientID,
+		oidcIdToken,
+		c.String("client-cert"),
+		c.String("client-secret"),
+		c.String("subscription-id"),
+		registry,
+		c.String("base-image-username"),
+		c.String("base-image-password"),
+		c.String("base-image-registry"),
+		authorityHost,
+		false,
+	)
+	if err != nil {
+		return err
+	}
+
+	// Load the image from the tarball
+	logrus.Infof("Loading image from tarball: %s", sourceTarPath)
+
+	img, err := crane.Load(sourceTarPath)
+	if err != nil {
+		return fmt.Errorf("failed to load image from tarball: %v", err)
+	}
+
+	// Check if the Docker config directory exists (should have been created by setupAuth)
+	if _, err := os.Stat(dockerConfigPath); os.IsNotExist(err) {
+		return fmt.Errorf("Docker config directory does not exist: %v", err)
+	} else if err != nil {
+		return fmt.Errorf("error checking Docker config directory: %v", err)
+	}
+
+	// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
+	if err := os.Setenv("DOCKER_CONFIG", dockerConfigPath); err != nil {
+		return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
+	}
+
+	// Setup crane options
+	opts := []crane.Option{
+		crane.WithAuthFromKeychain(authn.DefaultKeychain),
+	}
+
+	// Push for each tag
+	tags := c.StringSlice("tags")
+	if len(tags) == 0 {
+		tags = []string{"latest"}
+	}
+
+	// Use the registry from setupAuth if publicUrl is available, otherwise use the provided registry
+	pushRegistry := registry
+	if publicUrl != "" {
+		logrus.Infof("Using public URL for pushing: %s", publicUrl)
+		// Extract just the registry part from the full URL if needed
+		// This depends on the format of publicUrl, adjust parsing as needed
+		pushRegistry = publicUrl
+	}
+
+	for _, tag := range tags {
+		dest := fmt.Sprintf("%s/%s:%s", pushRegistry, repo, tag)
+		logrus.Infof("Pushing image to: %s", dest)
+
+		if err := crane.Push(img, dest, opts...); err != nil {
+			return fmt.Errorf("failed to push image to %s: %v", dest, err)
+		}
+
+		logrus.Infof("Successfully pushed image to %s", dest)
+	}
+
+	return nil
+}
+
+type strct struct {
+	Value []struct {
+		ID string `json:"id"`
+	} `json:"value"`
+	NextLink string `json:"nextLink"` // for pagination
+}

cmd/kaniko-acr/main_test.go

@@ -0,0 +1,389 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/cli"
+)
+
+const (
+	v2RegistryURL string = "https://index.docker.io/v2/" // v2 registry is not supported
+)
+
+func TestCreateDockerConfigWithBaseRegistry(t *testing.T) {
+	username := "user1"
+	password := "pass1"
+	registry := "azurecr.io"
+	dockerUsername := "dockeruser"
+	dockerPassword := "dockerpass"
+	dockerRegistry := "https://index.docker.io/v1/"
+	privateRegistry := "privateDockerRegistry"
+	privateRegistryUsername := "priaveUsername"
+	privateRegistryPassword := "privatePassword"
+
+	credentials := []docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: username,
+			Password: password,
+		},
+		{
+			Registry: dockerRegistry,
+			Username: dockerUsername,
+			Password: dockerPassword,
+		},
+		{
+			Registry: privateRegistry,
+			Username: privateRegistryUsername,
+			Password: privateRegistryPassword,
+		},
+	}
+
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	config := docker.NewConfig()
+	err = config.CreateDockerConfig(credentials, tempDir)
+	assert.NoError(t, err)
+
+	expectedAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(username + ":" + password))}
+	assert.Equal(t, expectedAuth, config.Auths[registry])
+
+	expectedDockerAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(dockerUsername + ":" + dockerPassword))}
+	assert.Equal(t, expectedDockerAuth, config.Auths[dockerRegistry])
+
+	configPath := filepath.Join(tempDir, "config.json")
+	data, err := ioutil.ReadFile(configPath)
+	assert.NoError(t, err)
+
+	var configFromFile docker.Config
+	err = json.Unmarshal(data, &configFromFile)
+	assert.NoError(t, err)
+
+	assert.Equal(t, config.Auths, configFromFile.Auths)
+
+	err = config.CreateDockerConfig([]docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: "",
+			Password: password,
+		},
+	}, tempDir)
+	assert.EqualError(t, err, "Username must be specified for registry: "+registry)
+
+	err = config.CreateDockerConfig([]docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: username,
+			Password: "",
+		},
+	}, tempDir)
+	assert.EqualError(t, err, "Password must be specified for registry: "+registry)
+
+	// v1 registry but without username password
+	err = config.CreateDockerConfig([]docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: username,
+			Password: password,
+		},
+		{
+			Registry: dockerRegistry,
+			Username: "",
+			Password: "",
+		},
+	}, tempDir)
+	assert.EqualError(t, err, "Username must be specified for registry: "+dockerRegistry)
+
+	// private base registry without username/password
+	err = config.CreateDockerConfig([]docker.RegistryCredentials{
+		{
+			Registry: privateRegistry,
+			Username: "",
+			Password: "",
+		},
+	}, tempDir)
+	assert.EqualError(t, err, "Username must be specified for registry: "+privateRegistry)
+
+}
+
+func TestCreateDockerConfigWithoutBaseRegistry(t *testing.T) {
+	username := "user1"
+	password := "pass1"
+	registry := "azurecr.io"
+
+	credentials := []docker.RegistryCredentials{
+		{
+			Registry: registry,
+			Username: username,
+			Password: password,
+		},
+	}
+
+	// Create a temporary directory
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	config := docker.NewConfig()
+	err = config.CreateDockerConfig(credentials, tempDir)
+	assert.NoError(t, err)
+
+	expectedAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(username + ":" + password))}
+	assert.Equal(t, expectedAuth, config.Auths[registry])
+
+	// Check the contents of the config.json file
+	configPath := filepath.Join(tempDir, "config.json")
+	data, err := ioutil.ReadFile(configPath)
+	assert.NoError(t, err)
+
+	var configFromFile docker.Config
+	err = json.Unmarshal(data, &configFromFile)
+	assert.NoError(t, err)
+
+	assert.Equal(t, config.Auths, configFromFile.Auths)
+
+	// Check if the public Docker Hub auth is not set
+	_, exists := config.Auths[""]
+	assert.False(t, exists)
+}
+
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestCLIIntegrationWithCustomFlag(t *testing.T) {
+	// Test CLI integration with proper flag setup
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name:     "CLI with single arg",
+			args:     []string{"acr-test", "--args-new", "ARG1=value1"},
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "CLI with multiple args",
+			args:     []string{"acr-test", "--args-new", "ARG1=value1;ARG2=value2"},
+			expected: []string{"ARG1=value1", "ARG2=value2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			app := cli.NewApp()
+			app.Name = "acr-test"
+
+			var capturedArgs []string
+
+			app.Flags = []cli.Flag{
+				cli.GenericFlag{
+					Name:   "args-new",
+					Usage:  "build args new",
+					EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+					Value:  new(utils.CustomStringSliceFlag),
+				},
+			}
+
+			app.Action = func(c *cli.Context) error {
+				if genericFlag := c.Generic("args-new"); genericFlag != nil {
+					if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
+						capturedArgs = customFlag.GetValue()
+					}
+				}
+				return nil
+			}
+
+			err := app.Run(tt.args)
+			if err != nil {
+				t.Errorf("CLI run error = %v, want nil", err)
+				return
+			}
+
+			if len(capturedArgs) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if capturedArgs[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestACRBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of ACR plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "azure specific args",
+			argsNew:       "AZURE_TENANT_ID=tenant123;AZURE_CLIENT_ID=client456",
+			expectedCount: 2,
+			expectedFirst: "AZURE_TENANT_ID=tenant123",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}
+
+func TestACRAuthenticationFlow(t *testing.T) {
+	// Test that ACR authentication works with build args
+	tests := []struct {
+		name         string
+		tenantId     string
+		clientId     string
+		clientSecret string
+		expectError  bool
+	}{
+		{
+			name:         "missing tenant id",
+			tenantId:     "",
+			clientId:     "client123",
+			clientSecret: "secret456",
+			expectError:  true,
+		},
+		{
+			name:         "missing client id",
+			tenantId:     "tenant123",
+			clientId:     "",
+			clientSecret: "secret456",
+			expectError:  true,
+		},
+		{
+			name:         "missing client secret",
+			tenantId:     "tenant123",
+			clientId:     "client456",
+			clientSecret: "",
+			expectError:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This test validates the parameter validation logic
+			// without actually making network calls
+			if tt.tenantId == "" && !tt.expectError {
+				t.Error("Expected error for missing tenant ID")
+			}
+			if tt.clientId == "" && !tt.expectError {
+				t.Error("Expected error for missing client ID")
+			}
+			if tt.clientSecret == "" && !tt.expectError {
+				t.Error("Expected error for missing client secret")
+			}
+		})
+	}
+}
+
+func TestSetupAuth_RegistryMustBeSpecified(t *testing.T) {
+	pub, err := setupAuth("tenant", "client", "", "", "", "sub", "", "", "", "", "", false)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "registry must be specified")
+	assert.Equal(t, "", pub)
+}
+
+func TestSetupAuth_MissingTenantOrClient(t *testing.T) {
+	pub, err := setupAuth("tenant", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", false)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "tenantId and clientId must be provided")
+	assert.Equal(t, "", pub)
+}
+
+func TestSetupAuth_NoCreds_NoPushTrue(t *testing.T) {
+	pub, err := setupAuth("tenant", "client", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", true)
+	assert.NoError(t, err)
+	assert.Equal(t, "", pub)
+}

cmd/kaniko-docker/main.go

@@ -1,10 +1,9 @@
 package main
 
 import (
-	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"os"
+	"strings"
 
 	"github.com/joho/godotenv"
 	"github.com/pkg/errors"
@@ -12,12 +11,19 @@ import (
 	"github.com/urfave/cli"
 
 	kaniko "github.com/drone/drone-kaniko"
+	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
 )
 
 const (
 	// Docker file path
 	dockerPath       string = "/kaniko/.docker"
 	dockerConfigPath string = "/kaniko/.docker/config.json"
+
+	v1RegistryURL string = "https://index.docker.io/v1/" // Default registry
+
+	defaultDigestFile string = "/kaniko/digest-file"
 )
 
 var (
@@ -27,7 +33,9 @@ var (
 func main() {
 	// Load env-file if it exists first
 	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
-		godotenv.Load(env)
+		if err := godotenv.Load(env); err != nil {
+			logrus.Fatal(err)
+		}
 	}
 
 	app := cli.NewApp()
@@ -48,6 +56,16 @@ func main() {
 			Value:  ".",
 			EnvVar: "PLUGIN_CONTEXT",
 		},
+		cli.StringFlag{
+			Name:   "drone-commit-ref",
+			Usage:  "git commit ref passed by Drone",
+			EnvVar: "DRONE_COMMIT_REF",
+		},
+		cli.StringFlag{
+			Name:   "drone-repo-branch",
+			Usage:  "git repository default branch passed by Drone",
+			EnvVar: "DRONE_REPO_BRANCH",
+		},
 		cli.StringSliceFlag{
 			Name:     "tags",
 			Usage:    "build tags",
@@ -55,11 +73,47 @@ func main() {
 			EnvVar:   "PLUGIN_TAGS",
 			FilePath: ".tags",
 		},
+		cli.BoolFlag{
+			Name:   "expand-repo",
+			Usage:  "Prepends the registry url to the repo if registry url is not specified in repo name",
+			EnvVar: "PLUGIN_EXPAND_REPO",
+		},
+		cli.BoolFlag{
+			Name:   "expand-tag",
+			Usage:  "enable for semver tagging",
+			EnvVar: "PLUGIN_EXPAND_TAG",
+		},
+		cli.BoolFlag{
+			Name:   "auto-tag",
+			Usage:  "enable auto generation of build tags",
+			EnvVar: "PLUGIN_AUTO_TAG",
+		},
+		cli.StringFlag{
+			Name:   "dockerconfig",
+			Usage:  "docker json dockerconfig",
+			EnvVar: "PLUGIN_CONFIG",
+		},
+		cli.StringFlag{
+			Name:   "auto-tag-suffix",
+			Usage:  "the suffix of auto build tags",
+			EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
+		},
 		cli.StringSliceFlag{
 			Name:   "args",
 			Usage:  "build args",
 			EnvVar: "PLUGIN_BUILD_ARGS",
 		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
 		cli.StringFlag{
 			Name:   "target",
 			Usage:  "build target",
@@ -77,20 +131,267 @@ func main() {
 		},
 		cli.StringFlag{
 			Name:   "registry",
-			Usage:  "docker registry",
-			Value:  "https://index.docker.io/v1/",
+			Usage:  "docker registry of registry to push image to",
+			Value:  v1RegistryURL,
 			EnvVar: "PLUGIN_REGISTRY",
 		},
+		cli.StringFlag{
+			Name:   "base-image-registry",
+			Usage:  "Docker registry for base image",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
+		},
+		cli.StringSliceFlag{
+			Name:   "registry-mirrors",
+			Usage:  "docker registry mirrors",
+			EnvVar: "PLUGIN_REGISTRY_MIRRORS",
+		},
 		cli.StringFlag{
 			Name:   "username",
-			Usage:  "docker username",
+			Usage:  "docker username of registry to push image to",
 			EnvVar: "PLUGIN_USERNAME",
 		},
+		cli.StringFlag{
+			Name:   "base-image-username",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
+		},
 		cli.StringFlag{
 			Name:   "password",
-			Usage:  "docker password",
+			Usage:  "docker password of registry to push image to",
 			EnvVar: "PLUGIN_PASSWORD",
 		},
+		cli.StringFlag{
+			Name:   "base-image-password",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify",
+			Usage:  "Skip registry tls verify",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY",
+		},
+		cli.StringFlag{
+			Name:   "snapshot-mode",
+			Usage:  "Specify one of full, redo or time as snapshot mode",
+			EnvVar: "PLUGIN_SNAPSHOT_MODE",
+		},
+		cli.BoolFlag{
+			Name:   "enable-cache",
+			Usage:  "Set this flag to opt into caching with kaniko",
+			EnvVar: "PLUGIN_ENABLE_CACHE",
+		},
+		cli.StringFlag{
+			Name:   "cache-repo",
+			Usage:  "Remote repository that will be used to store cached layers. enable-cache needs to be set to use this flag",
+			EnvVar: "PLUGIN_CACHE_REPO",
+		},
+		cli.IntFlag{
+			Name:   "cache-ttl",
+			Usage:  "Cache timeout in hours. Defaults to two weeks.",
+			EnvVar: "PLUGIN_CACHE_TTL",
+		},
+		cli.StringFlag{
+			Name:   "artifact-file",
+			Usage:  "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
+			EnvVar: "PLUGIN_ARTIFACT_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "no-push",
+			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
+			EnvVar: "PLUGIN_NO_PUSH",
+		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH, PLUGIN_DESTINATION_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "verbosity",
+			Usage:  "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
+			EnvVar: "PLUGIN_VERBOSITY",
+		},
+		cli.StringFlag{
+			Name:   "platform",
+			Usage:  "Allows to build with another default platform than the host, similarly to docker build --platform",
+			EnvVar: "PLUGIN_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "skip-unused-stages",
+			Usage:  "build only used stages",
+			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
+		},
+		cli.StringFlag{
+			Name:   "output-file",
+			Usage:  "Output file location that will be generated by the plugin. This file will include information of the output that are exported by the plugin.",
+			EnvVar: "DRONE_OUTPUT",
+		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.StringSliceFlag{
+			Name:   "ignore-paths",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATHS",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Set this flag for the source tarball during push operations.",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Specify if the operation is push-only",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -99,48 +400,150 @@ func main() {
 }
 
 func run(c *cli.Context) error {
-	err := createDockerCfgFile(c.String("username"), c.String("password"), c.String("registry"))
-	if err != nil {
-		return err
+	username := c.String("username")
+	noPush := c.Bool("no-push")
+	configOverride := c.String("dockerconfig")
+	// if configOverride is provided, use this directly to write to docker config file
+	if len(configOverride) > 0 {
+		if err := docker.WriteDockerConfig([]byte(configOverride), dockerPath); err != nil {
+			return err
+		}
+	} else if !noPush || username != "" {
+		// setup auth when pushing/pulling or credentials are defined and docker config override is false
+		err := setDockerAuth(
+			c.String("username"),
+			c.String("password"),
+			c.String("registry"),
+			c.String("base-image-username"),
+			c.String("base-image-password"),
+			c.String("base-image-registry"),
+		)
+		if err != nil {
+			return errors.Wrap(err, "failed to create docker config")
+		}
 	}
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			Dockerfile: c.String("dockerfile"),
-			Context:    c.String("context"),
-			Tags:       c.StringSlice("tags"),
-			Args:       c.StringSlice("args"),
-			Target:     c.String("target"),
-			Repo:       c.String("repo"),
-			Labels:     c.StringSlice("custom-labels"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
+			Target:                      c.String("target"),
+			Repo:                        buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SkipTlsVerify:               c.Bool("skip-tls-verify"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   buildRepo(c.String("registry"), c.String("cache-repo"), c.Bool("expand-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			TarPath:                     c.String("tar-path"),
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			PushOnly:                    c.Bool("push-only"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			SourceTarPath:               c.String("source-tar-path"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
+
+			ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:  c.Int("image-download-retry"),
 		},
+		Artifact: kaniko.Artifact{
+			Tags:         c.StringSlice("tags"),
+			Repo:         buildRepo(c.String("registry"), c.String("repo"), c.Bool("expand-repo")),
+			Registry:     c.String("registry"),
+			ArtifactFile: c.String("artifact-file"),
+			RegistryType: artifact.Docker,
+		},
+		Output: kaniko.Output{
+			OutputFile: c.String("output-file"),
+		},
+	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
 	}
 	return plugin.Exec()
 }
 
-// Create the docker config file for authentication
-func createDockerCfgFile(username, password, registry string) error {
-	if username == "" {
-		return fmt.Errorf("Username must be specified")
-	}
-	if password == "" {
-		return fmt.Errorf("Password must be specified")
-	}
-	if registry == "" {
-		return fmt.Errorf("Registry must be specified")
+func setDockerAuth(username, password, registry, baseImageUsername, baseImagePassword, baseImageRegistry string) error {
+	dockerConfig := docker.NewConfig()
+	pushToRegistryCreds := docker.RegistryCredentials{
+		Registry: registry,
+		Username: username,
+		Password: password,
 	}
+	credentials := []docker.RegistryCredentials{pushToRegistryCreds}
 
-	err := os.MkdirAll(dockerPath, 0600)
-	if err != nil {
-		return errors.Wrap(err, fmt.Sprintf("failed to create %s directory", dockerPath))
+	if baseImageRegistry != "" {
+		pullFromRegistryCreds := docker.RegistryCredentials{
+			Registry: baseImageRegistry,
+			Username: baseImageUsername,
+			Password: baseImagePassword,
+		}
+		credentials = append(credentials, pullFromRegistryCreds)
+	} else {
+		fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+			"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
 	}
-
-	authBytes := []byte(fmt.Sprintf("%s:%s", username, password))
-	encodedString := base64.StdEncoding.EncodeToString(authBytes)
-	jsonBytes := []byte(fmt.Sprintf(`{"auths": {"%s": {"auth": "%s"}}}`, registry, encodedString))
-	err = ioutil.WriteFile(dockerConfigPath, jsonBytes, 0644)
-	if err != nil {
-		return errors.Wrap(err, "failed to create docker config file")
-	}
-	return nil
+	// Creates docker config for both the regustries used for authentication
+	return dockerConfig.CreateDockerConfig(credentials, dockerPath)
+}
+
+func buildRepo(registry, repo string, expandRepo bool) string {
+	if !expandRepo || registry == "" || registry == v1RegistryURL {
+		// No custom registry, just return the repo name
+		return repo
+	}
+	// Trim off trailing slash to prevent double slash when combining with repo
+	registry = strings.TrimSuffix(registry, "/")
+	if strings.HasPrefix(repo, registry+"/") {
+		// Repo already includes the registry prefix
+		// For backward compatibility, we won't add the prefix again.
+		return repo
+	}
+	// Prefix the repo with the registry
+	return registry + "/" + repo
 }

cmd/kaniko-docker/main_test.go

@@ -0,0 +1,287 @@
+package main
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
+	"github.com/urfave/cli"
+)
+
+func Test_buildRepo(t *testing.T) {
+	tests := []struct {
+		name     string
+		registry string
+		repo     string
+		want     string
+	}{
+		{
+			name: "dockerhub",
+			repo: "golang",
+			want: "golang",
+		},
+		{
+			name:     "internal",
+			registry: "artifactory.example.com",
+			repo:     "service",
+			want:     "artifactory.example.com/service",
+		},
+		{
+			name:     "backward_compatibility",
+			registry: "artifactory.example.com",
+			repo:     "artifactory.example.com/service",
+			want:     "artifactory.example.com/service",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := buildRepo(tt.registry, tt.repo, true); got != tt.want {
+				t.Errorf("buildRepo(%q, %q) = %v, want %v", tt.registry, tt.repo, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestCLIIntegrationWithCustomFlag(t *testing.T) {
+	// Test CLI integration with proper flag setup
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name:     "CLI with single arg",
+			args:     []string{"docker-test", "--args-new", "ARG1=value1"},
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "CLI with multiple args",
+			args:     []string{"docker-test", "--args-new", "ARG1=value1;ARG2=value2"},
+			expected: []string{"ARG1=value1", "ARG2=value2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			app := cli.NewApp()
+			app.Name = "docker-test"
+
+			var capturedArgs []string
+
+			app.Flags = []cli.Flag{
+				cli.GenericFlag{
+					Name:   "args-new",
+					Usage:  "build args new",
+					EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+					Value:  new(utils.CustomStringSliceFlag),
+				},
+			}
+
+			app.Action = func(c *cli.Context) error {
+				if genericFlag := c.Generic("args-new"); genericFlag != nil {
+					if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
+						capturedArgs = customFlag.GetValue()
+					}
+				}
+				return nil
+			}
+
+			err := app.Run(tt.args)
+			if err != nil {
+				t.Errorf("CLI run error = %v, want nil", err)
+				return
+			}
+
+			if len(capturedArgs) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if capturedArgs[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestDockerBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of Docker plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+		{
+			name:          "args with equals and semicolons",
+			argsNew:       "API_URL=https://api.example.com;DEBUG=true;VERSION=1.0.0",
+			expectedCount: 3,
+			expectedFirst: "API_URL=https://api.example.com",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}
+
+func TestCreateDockerConfig(t *testing.T) {
+	config := docker.NewConfig()
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	if err != nil {
+		t.Fatalf("Failed to create temporary directory: %v", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	tests := []struct {
+		name        string
+		credentials []docker.RegistryCredentials
+		wantErr     bool
+	}{
+		{
+			name: "valid credentials",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "v2 registry",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v2/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "docker registry credentials",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+				{
+					Registry: "https://docker.io",
+					Username: "dockeruser",
+					Password: "dockerpassword",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "empty docker registry",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+				{
+					Registry: "https://docker.io",
+					Username: "dockeruser",
+					Password: "",
+				},
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := config.CreateDockerConfig(tt.credentials, tempDir)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("CreateDockerConfig() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+		})
+	}
+}

cmd/kaniko-ecr/main_test.go

@@ -0,0 +1,209 @@
+package main
+
+import (
+	"encoding/base64"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/cli"
+)
+
+func TestCreateDockerConfigForECRWithBaseRegistry(t *testing.T) {
+	accessKey := "access-key"
+	secretKey := "secret-key"
+	ecrRegistry := "ecr-registry"
+	dockerUsername := "dockeruser"
+	dockerPassword := "dockerpass"
+	dockerRegistry := "https://index.docker.io/v1/"
+
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	config := docker.NewConfig()
+
+	pullFromRegistryCreds := docker.RegistryCredentials{
+		Registry: dockerRegistry,
+		Username: dockerUsername,
+		Password: dockerPassword,
+	}
+	credentials := []docker.RegistryCredentials{
+		{Registry: ecrRegistry, Username: accessKey, Password: secretKey},
+		pullFromRegistryCreds,
+	}
+
+	err = config.CreateDockerConfig(credentials, tempDir)
+	assert.NoError(t, err)
+
+	expectedECRAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(accessKey + ":" + secretKey))}
+	assert.Equal(t, expectedECRAuth, config.Auths[ecrRegistry])
+
+	expectedDockerAuth := docker.Auth{Auth: base64.StdEncoding.EncodeToString([]byte(dockerUsername + ":" + dockerPassword))}
+	assert.Equal(t, expectedDockerAuth, config.Auths[dockerRegistry])
+}
+
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestCLIIntegrationWithCustomFlag(t *testing.T) {
+	// Test CLI integration with proper flag setup
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name:     "CLI with single arg",
+			args:     []string{"ecr-test", "--args-new", "ARG1=value1"},
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "CLI with multiple args",
+			args:     []string{"ecr-test", "--args-new", "ARG1=value1;ARG2=value2"},
+			expected: []string{"ARG1=value1", "ARG2=value2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			app := cli.NewApp()
+			app.Name = "ecr-test"
+
+			var capturedArgs []string
+
+			app.Flags = []cli.Flag{
+				cli.GenericFlag{
+					Name:   "args-new",
+					Usage:  "build args new",
+					EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+					Value:  new(utils.CustomStringSliceFlag),
+				},
+			}
+
+			app.Action = func(c *cli.Context) error {
+				if genericFlag := c.Generic("args-new"); genericFlag != nil {
+					if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
+						capturedArgs = customFlag.GetValue()
+					}
+				}
+				return nil
+			}
+
+			err := app.Run(tt.args)
+			if err != nil {
+				t.Errorf("CLI run error = %v, want nil", err)
+				return
+			}
+
+			if len(capturedArgs) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if capturedArgs[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestECRBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of ECR plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "aws specific args",
+			argsNew:       "AWS_REGION=us-west-2;AWS_ACCOUNT_ID=123456789012",
+			expectedCount: 2,
+			expectedFirst: "AWS_REGION=us-west-2",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}

cmd/kaniko-gar/main.go

@@ -0,0 +1,619 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/joho/godotenv"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
+
+	kaniko "github.com/drone/drone-kaniko"
+	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
+	"github.com/drone/drone-kaniko/pkg/utils"
+
+)
+
+const (
+	dockerConfigPath string = "/kaniko/.docker"
+	// GAR JSON key file path
+	garKeyPath     string = "/kaniko/config.json"
+	garEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
+
+	defaultDigestFile string = "/kaniko/digest-file"
+)
+
+var (
+	version = "unknown"
+)
+
+func main() {
+	// Load env-file if it exists first
+	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
+		if err := godotenv.Load(env); err != nil {
+			logrus.Fatal(err)
+		}
+	}
+
+	app := cli.NewApp()
+	app.Name = "kaniko gar plugin"
+	app.Usage = "kaniko gar plugin"
+	app.Action = run
+	app.Version = version
+	app.Flags = []cli.Flag{
+		cli.StringFlag{
+			Name:   "dockerfile",
+			Usage:  "build dockerfile",
+			Value:  "Dockerfile",
+			EnvVar: "PLUGIN_DOCKERFILE",
+		},
+		cli.StringFlag{
+			Name:   "context",
+			Usage:  "build context",
+			Value:  ".",
+			EnvVar: "PLUGIN_CONTEXT",
+		},
+		cli.StringFlag{
+			Name:   "drone-commit-ref",
+			Usage:  "git commit ref passed by Drone",
+			EnvVar: "DRONE_COMMIT_REF",
+		},
+		cli.StringFlag{
+			Name:   "drone-repo-branch",
+			Usage:  "git repository default branch passed by Drone",
+			EnvVar: "DRONE_REPO_BRANCH",
+		},
+		cli.StringSliceFlag{
+			Name:     "tags",
+			Usage:    "build tags",
+			Value:    &cli.StringSlice{"latest"},
+			EnvVar:   "PLUGIN_TAGS",
+			FilePath: ".tags",
+		},
+		cli.BoolFlag{
+			Name:   "expand-tag",
+			Usage:  "enable for semver tagging",
+			EnvVar: "PLUGIN_EXPAND_TAG",
+		},
+		cli.BoolFlag{
+			Name:   "auto-tag",
+			Usage:  "enable auto generation of build tags",
+			EnvVar: "PLUGIN_AUTO_TAG",
+		},
+		cli.StringFlag{
+			Name:   "auto-tag-suffix",
+			Usage:  "the suffix of auto build tags",
+			EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
+		},
+		cli.StringSliceFlag{
+			Name:   "args",
+			Usage:  "build args",
+			EnvVar: "PLUGIN_BUILD_ARGS",
+		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
+		cli.StringFlag{
+			Name:   "target",
+			Usage:  "build target",
+			EnvVar: "PLUGIN_TARGET",
+		},
+		cli.StringFlag{
+			Name:   "repo",
+			Usage:  "gar repository",
+			EnvVar: "PLUGIN_REPO",
+		},
+		cli.StringSliceFlag{
+			Name:   "custom-labels",
+			Usage:  "additional k=v labels",
+			EnvVar: "PLUGIN_CUSTOM_LABELS",
+		},
+		cli.StringFlag{
+			Name:   "registry",
+			Usage:  "gar registry",
+			EnvVar: "PLUGIN_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "base-image-username",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
+		},
+		cli.StringFlag{
+			Name:   "base-image-password",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
+		},
+		cli.StringFlag{
+			Name:   "base-image-registry",
+			Usage:  "Docker registry for base image registry",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
+		},
+		cli.StringSliceFlag{
+			Name:   "registry-mirrors",
+			Usage:  "docker registry mirrors",
+			EnvVar: "PLUGIN_REGISTRY_MIRRORS",
+		},
+		cli.StringFlag{
+			Name:   "json-key",
+			Usage:  "docker username",
+			EnvVar: "PLUGIN_JSON_KEY",
+		},
+		cli.StringFlag{
+			Name:   "snapshot-mode",
+			Usage:  "Specify one of full, redo or time as snapshot mode",
+			EnvVar: "PLUGIN_SNAPSHOT_MODE",
+		},
+		cli.BoolFlag{
+			Name:   "enable-cache",
+			Usage:  "Set this flag to opt into caching with kaniko",
+			EnvVar: "PLUGIN_ENABLE_CACHE",
+		},
+		cli.StringFlag{
+			Name:   "cache-repo",
+			Usage:  "Remote repository that will be used to store cached layers. Cache repo should be present in specified registry. enable-cache needs to be set to use this flag",
+			EnvVar: "PLUGIN_CACHE_REPO",
+		},
+		cli.IntFlag{
+			Name:   "cache-ttl",
+			Usage:  "Cache timeout in hours. Defaults to two weeks.",
+			EnvVar: "PLUGIN_CACHE_TTL",
+		},
+		cli.StringFlag{
+			Name:   "artifact-file",
+			Usage:  "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
+			EnvVar: "PLUGIN_ARTIFACT_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "no-push",
+			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
+			EnvVar: "PLUGIN_NO_PUSH",
+		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Set this flag if you only want to push a pre-built image from a tarball",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Path to the local tarball to be pushed when push-only is set",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "verbosity",
+			Usage:  "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
+			EnvVar: "PLUGIN_VERBOSITY",
+		},
+		cli.StringFlag{
+			Name:   "platform",
+			Usage:  "Allows to build with another default platform than the host, similarly to docker build --platform",
+			EnvVar: "PLUGIN_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "skip-unused-stages",
+			Usage:  "build only used stages",
+			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
+		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
+	}
+
+	if err := app.Run(os.Args); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+func run(c *cli.Context) error {
+	// Check if this is a push-only operation
+	if c.Bool("push-only") {
+		return handlePushOnly(c)
+	}
+
+	noPush := c.Bool("no-push")
+	jsonKey := c.String("json-key")
+	// JSON key may not be set in the following cases:
+	// 1. Image does not need to be pushed to GAR.
+	// 2. Workload identity is set on GKE in which pod will inherit the credentials via service account.
+	if jsonKey != "" {
+		if err := setupGARAuth(jsonKey); err != nil {
+			return err
+		}
+
+		// setup docker config only when base image registry is specified
+		if c.String("base-image-registry") != "" {
+			if err := setDockerAuth(
+				c.String("base-image-username"),
+				c.String("base-image-password"),
+				c.String("base-image-registry"),
+			); err != nil {
+				return errors.Wrap(err, "failed to create docker config")
+			}
+		} else {
+			fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+				"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
+		}
+	}
+
+	plugin := kaniko.Plugin{
+		Build: kaniko.Build{
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
+			Target:                      c.String("target"),
+			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			PushOnly:                    c.Bool("push-only"),
+			SourceTarPath:               c.String("source-tar-path"),
+			TarPath:                     c.String("tar-path"),
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
+		},
+		Artifact: kaniko.Artifact{
+			Tags:         c.StringSlice("tags"),
+			Repo:         c.String("repo"),
+			Registry:     c.String("registry"),
+			ArtifactFile: c.String("artifact-file"),
+			RegistryType: artifact.GAR,
+		},
+	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
+	}
+	return plugin.Exec()
+}
+
+func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) error {
+	dockerConfig := docker.NewConfig()
+	dockerRegistryCreds := docker.RegistryCredentials{
+		Registry: dockerRegistry,
+		Username: dockerUsername,
+		Password: dockerPassword,
+	}
+	credentials := []docker.RegistryCredentials{dockerRegistryCreds}
+
+	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
+}
+
+func setupGARAuth(jsonKey string) error {
+	err := ioutil.WriteFile(garKeyPath, []byte(jsonKey), 0644)
+	if err != nil {
+		return errors.Wrap(err, "failed to write GAR JSON key")
+	}
+
+	err = os.Setenv(garEnvVariable, garKeyPath)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to set %s environment variable", garEnvVariable))
+	}
+	return nil
+}
+
+func handlePushOnly(c *cli.Context) error {
+	// Validate inputs for push-only operation
+	sourceTarPath := c.String("source-tar-path")
+	if sourceTarPath == "" {
+		return fmt.Errorf("source_tar_path is required when push_only is set")
+	}
+
+	if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
+		return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
+	}
+
+	repo := c.String("repo")
+	registry := c.String("registry")
+	if repo == "" || registry == "" {
+		return fmt.Errorf("repository and registry must be specified for push-only operation")
+	}
+
+	// Authentication options for crane
+	var opts []crane.Option
+
+	// Setup GAR authentication
+	jsonKey := c.String("json-key")
+	if jsonKey != "" {
+		if err := setupGARAuth(jsonKey); err != nil {
+			return err
+		}
+
+		logrus.Info("Setting up authentication for GAR")
+
+		// Create Docker config directory if it doesn't exist
+		dockerConfigDir := "/kaniko/.docker"
+		if err := os.MkdirAll(dockerConfigDir, 0755); err != nil {
+			return fmt.Errorf("failed to create Docker config directory: %v", err)
+		}
+
+		// Generate a Docker config with GAR auth
+		type DockerAuth struct {
+			Username string `json:"username"`
+			Password string `json:"password"`
+			Auth     string `json:"auth"`
+		}
+
+		type DockerConfig struct {
+			Auths map[string]DockerAuth `json:"auths"`
+		}
+
+		// Create proper Auth field (base64 encoded username:password)
+		username := "_json_key"
+		authString := base64.StdEncoding.EncodeToString([]byte(username + ":" + jsonKey))
+
+		// Use _json_key as username and the key content as password for GAR
+		config := DockerConfig{
+			Auths: map[string]DockerAuth{
+				registry: {
+					Username: username,
+					Password: jsonKey,
+					Auth:     authString,
+				},
+			},
+		}
+
+		// Write the Docker config
+		configBytes, err := json.Marshal(config)
+		if err != nil {
+			return fmt.Errorf("failed to marshal Docker config: %v", err)
+		}
+
+		dockerConfigPath := filepath.Join(dockerConfigDir, "config.json")
+		if err := ioutil.WriteFile(dockerConfigPath, configBytes, 0644); err != nil {
+			return fmt.Errorf("failed to write Docker config: %v", err)
+		}
+
+		// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
+		if err := os.Setenv("DOCKER_CONFIG", dockerConfigDir); err != nil {
+			return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
+		}
+
+		// Set up crane to use basic auth with docker config
+		opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
+	} else {
+		logrus.Warn("No JSON key provided, authentication may fail if not running with workload identity")
+	}
+
+	// Load the image from the tarball
+	logrus.Infof("Loading image from tarball: %s", sourceTarPath)
+	img, err := crane.Load(sourceTarPath)
+	if err != nil {
+		return fmt.Errorf("failed to load image from tarball: %v", err)
+	}
+
+	// Push for each tag
+	tags := c.StringSlice("tags")
+	if len(tags) == 0 {
+		tags = []string{"latest"}
+	}
+
+	for _, tag := range tags {
+		dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
+		logrus.Infof("Pushing image to: %s", dest)
+
+		if err := crane.Push(img, dest, opts...); err != nil {
+			return fmt.Errorf("failed to push image to %s: %v", dest, err)
+		}
+
+		logrus.Infof("Successfully pushed image to %s", dest)
+	}
+
+	return nil
+}

cmd/kaniko-gar/main_test.go

@@ -0,0 +1,286 @@
+package main
+
+import (
+	"os"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/utils"
+	"github.com/urfave/cli"
+)
+
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestCLIIntegrationWithCustomFlag(t *testing.T) {
+	// Test CLI integration with proper flag setup
+	tests := []struct {
+		name     string
+		args     []string
+		expected []string
+	}{
+		{
+			name:     "CLI with single arg",
+			args:     []string{"gar-test", "--args-new", "ARG1=value1"},
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "CLI with multiple args",
+			args:     []string{"gar-test", "--args-new", "ARG1=value1;ARG2=value2"},
+			expected: []string{"ARG1=value1", "ARG2=value2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			app := cli.NewApp()
+			app.Name = "gar-test"
+
+			var capturedArgs []string
+
+			app.Flags = []cli.Flag{
+				cli.GenericFlag{
+					Name:   "args-new",
+					Usage:  "build args new",
+					EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+					Value:  new(utils.CustomStringSliceFlag),
+				},
+			}
+
+			app.Action = func(c *cli.Context) error {
+				if genericFlag := c.Generic("args-new"); genericFlag != nil {
+					if customFlag, ok := genericFlag.(*utils.CustomStringSliceFlag); ok {
+						capturedArgs = customFlag.GetValue()
+					}
+				}
+				return nil
+			}
+
+			err := app.Run(tt.args)
+			if err != nil {
+				t.Errorf("CLI run error = %v, want nil", err)
+				return
+			}
+
+			if len(capturedArgs) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(capturedArgs), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if capturedArgs[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, capturedArgs[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestEnvironmentVariableIntegration(t *testing.T) {
+	// Test that environment variables work with CustomStringSliceFlag
+	originalEnv := os.Getenv("PLUGIN_BUILD_ARGS_NEW")
+	defer func() {
+		if originalEnv != "" {
+			os.Setenv("PLUGIN_BUILD_ARGS_NEW", originalEnv)
+		} else {
+			os.Unsetenv("PLUGIN_BUILD_ARGS_NEW")
+		}
+	}()
+
+	os.Setenv("PLUGIN_BUILD_ARGS_NEW", "ENV_ARG1=env_value1;ENV_ARG2=env_value2")
+
+	app := cli.NewApp()
+	app.Flags = []cli.Flag{
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+	}
+
+	var capturedArgs []string
+	app.Action = func(c *cli.Context) error {
+		if flag := c.Generic("args-new"); flag != nil {
+			if customFlag, ok := flag.(*utils.CustomStringSliceFlag); ok {
+				capturedArgs = customFlag.GetValue()
+			}
+		}
+		return nil
+	}
+
+	err := app.Run([]string{"test"})
+	if err != nil {
+		t.Errorf("App.Run() error = %v, want nil", err)
+		return
+	}
+
+	expected := []string{"ENV_ARG1=env_value1", "ENV_ARG2=env_value2"}
+	if len(capturedArgs) != len(expected) {
+		t.Errorf("Environment variable test: got %d args, want %d", len(capturedArgs), len(expected))
+		return
+	}
+
+	for i, exp := range expected {
+		if capturedArgs[i] != exp {
+			t.Errorf("Environment variable test: got arg[%d] = %v, want %v", i, capturedArgs[i], exp)
+		}
+	}
+}
+
+func TestGARBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of GAR plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "google cloud specific args",
+			argsNew:       "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json;PROJECT_ID=my-project",
+			expectedCount: 2,
+			expectedFirst: "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}
+
+func TestGARRegistryFormatting(t *testing.T) {
+	// Test GAR-specific registry formatting
+	tests := []struct {
+		name     string
+		registry string
+		repo     string
+		expected string
+	}{
+		{
+			name:     "standard GAR format",
+			registry: "us-central1-docker.pkg.dev",
+			repo:     "my-project/my-repo/my-image",
+			expected: "us-central1-docker.pkg.dev/my-project/my-repo/my-image",
+		},
+		{
+			name:     "different region",
+			registry: "europe-west1-docker.pkg.dev",
+			repo:     "project123/repo456/image789",
+			expected: "europe-west1-docker.pkg.dev/project123/repo456/image789",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This would be the format used in the GAR plugin
+			result := tt.registry + "/" + tt.repo
+			if result != tt.expected {
+				t.Errorf("GAR formatting: got %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestGARAuthSetup(t *testing.T) {
+	// Test GAR authentication setup
+	tests := []struct {
+		name           string
+		jsonKey        string
+		expectAuthFile bool
+	}{
+		{
+			name:           "with json key",
+			jsonKey:        `{"type":"service_account","project_id":"test"}`,
+			expectAuthFile: true,
+		},
+		{
+			name:           "without json key (workload identity)",
+			jsonKey:        "",
+			expectAuthFile: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This simulates the auth setup logic
+			hasAuthFile := tt.jsonKey != ""
+			if hasAuthFile != tt.expectAuthFile {
+				t.Errorf("Auth file expectation: got %v, want %v", hasAuthFile, tt.expectAuthFile)
+			}
+		})
+	}
+}

cmd/kaniko-gcr/main.go

@@ -11,12 +11,18 @@ import (
 	"github.com/urfave/cli"
 
 	kaniko "github.com/drone/drone-kaniko"
+	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/drone/drone-kaniko/pkg/utils"
 )
 
 const (
+	dockerConfigPath string = "/kaniko/.docker"
 	// GCR JSON key file path
-	gcrKeyPath     string = "/kaniko/gcr.json"
+	gcrKeyPath     string = "/kaniko/config.json"
 	gcrEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"
+
+	defaultDigestFile string = "/kaniko/digest-file"
 )
 
 var (
@@ -26,7 +32,9 @@ var (
 func main() {
 	// Load env-file if it exists first
 	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
-		godotenv.Load(env)
+		if err := godotenv.Load(env); err != nil {
+			logrus.Fatal(err)
+		}
 	}
 
 	app := cli.NewApp()
@@ -47,6 +55,16 @@ func main() {
 			Value:  ".",
 			EnvVar: "PLUGIN_CONTEXT",
 		},
+		cli.StringFlag{
+			Name:   "drone-commit-ref",
+			Usage:  "git commit ref passed by Drone",
+			EnvVar: "DRONE_COMMIT_REF",
+		},
+		cli.StringFlag{
+			Name:   "drone-repo-branch",
+			Usage:  "git repository default branch passed by Drone",
+			EnvVar: "DRONE_REPO_BRANCH",
+		},
 		cli.StringSliceFlag{
 			Name:     "tags",
 			Usage:    "build tags",
@@ -54,6 +72,21 @@ func main() {
 			EnvVar:   "PLUGIN_TAGS",
 			FilePath: ".tags",
 		},
+		cli.BoolFlag{
+			Name:   "expand-tag",
+			Usage:  "enable for semver tagging",
+			EnvVar: "PLUGIN_EXPAND_TAG",
+		},
+		cli.BoolFlag{
+			Name:   "auto-tag",
+			Usage:  "enable auto generation of build tags",
+			EnvVar: "PLUGIN_AUTO_TAG",
+		},
+		cli.StringFlag{
+			Name:   "auto-tag-suffix",
+			Usage:  "the suffix of auto build tags",
+			EnvVar: "PLUGIN_AUTO_TAG_SUFFIX",
+		},
 		cli.StringSliceFlag{
 			Name:   "args",
 			Usage:  "build args",
@@ -78,13 +111,241 @@ func main() {
 			Name:   "registry",
 			Usage:  "gcr registry",
 			Value:  "gcr.io",
-			EnvVar: "PLUGIN_REGISTRY",
+			EnvVar: "PLUGIN_REGISTRY,BASE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "base-image-username",
+			Usage:  "Docker username for base image registry",
+			EnvVar: "PLUGIN_DOCKER_USERNAME,PLUGIN_BASE_IMAGE_USERNAME,DOCKER_USERNAME",
+		},
+		cli.StringFlag{
+			Name:   "base-image-password",
+			Usage:  "Docker password for base image registry",
+			EnvVar: "PLUGIN_DOCKER_PASSWORD,PLUGIN_BASE_IMAGE_PASSWORD,DOCKER_PASSWORD",
+		},
+		cli.StringFlag{
+			Name:   "base-image-registry",
+			Usage:  "Docker registry for base image registry",
+			EnvVar: "PLUGIN_DOCKER_REGISTRY,PLUGIN_BASE_IMAGE_REGISTRY,DOCKER_REGISTRY",
+		},
+		cli.StringSliceFlag{
+			Name:   "registry-mirrors",
+			Usage:  "docker registry mirrors",
+			EnvVar: "PLUGIN_REGISTRY_MIRRORS",
 		},
 		cli.StringFlag{
 			Name:   "json-key",
 			Usage:  "docker username",
 			EnvVar: "PLUGIN_JSON_KEY",
 		},
+		cli.StringFlag{
+			Name:   "snapshot-mode",
+			Usage:  "Specify one of full, redo or time as snapshot mode",
+			EnvVar: "PLUGIN_SNAPSHOT_MODE",
+		},
+		cli.BoolFlag{
+			Name:   "enable-cache",
+			Usage:  "Set this flag to opt into caching with kaniko",
+			EnvVar: "PLUGIN_ENABLE_CACHE",
+		},
+		cli.StringFlag{
+			Name:   "cache-repo",
+			Usage:  "Remote repository that will be used to store cached layers. Cache repo should be present in specified registry. enable-cache needs to be set to use this flag",
+			EnvVar: "PLUGIN_CACHE_REPO",
+		},
+		cli.IntFlag{
+			Name:   "cache-ttl",
+			Usage:  "Cache timeout in hours. Defaults to two weeks.",
+			EnvVar: "PLUGIN_CACHE_TTL",
+		},
+		cli.StringFlag{
+			Name:   "artifact-file",
+			Usage:  "Artifact file location that will be generated by the plugin. This file will include information of docker images that are uploaded by the plugin.",
+			EnvVar: "PLUGIN_ARTIFACT_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "no-push",
+			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
+			EnvVar: "PLUGIN_NO_PUSH",
+		},
+		cli.StringFlag{
+			Name:   "verbosity",
+			Usage:  "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
+			EnvVar: "PLUGIN_VERBOSITY",
+		},
+		cli.StringFlag{
+			Name:   "platform",
+			Usage:  "Allows to build with another default platform than the host, similarly to docker build --platform",
+			EnvVar: "PLUGIN_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "skip-unused-stages",
+			Usage:  "build only used stages",
+			EnvVar: "PLUGIN_SKIP_UNUSED_STAGES",
+		},
+		cli.StringFlag{
+			Name:   "cache-dir",
+			Usage:  "Set this flag to specify a local directory cache for base images",
+			EnvVar: "PLUGIN_CACHE_DIR",
+		},
+
+		cli.BoolFlag{
+			Name:   "cache-copy-layers",
+			Usage:  "Enable or disable copying layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_COPY_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cache-run-layers",
+			Usage:  "Enable or disable running layers from the cache.",
+			EnvVar: "PLUGIN_CACHE_RUN_LAYERS",
+		},
+		cli.BoolFlag{
+			Name:   "cleanup",
+			Usage:  "Enable or disable cleanup of temporary files.",
+			EnvVar: "PLUGIN_CLEANUP",
+		},
+		cli.BoolFlag{
+			Name:   "compressed-caching",
+			Usage:  "Enable or disable compressed caching.",
+			EnvVar: "PLUGIN_COMPRESSED_CACHING",
+		},
+		cli.StringFlag{
+			Name:   "context-sub-path",
+			Usage:  "Sub-path within the context to build.",
+			EnvVar: "PLUGIN_CONTEXT_SUB_PATH",
+		},
+		cli.StringFlag{
+			Name:   "custom-platform",
+			Usage:  "Platform to use for building.",
+			EnvVar: "PLUGIN_CUSTOM_PLATFORM",
+		},
+		cli.BoolFlag{
+			Name:   "force",
+			Usage:  "Force building the image even if it already exists.",
+			EnvVar: "PLUGIN_FORCE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-with-digest-file",
+			Usage:  "Write image name with digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_WITH_DIGEST_FILE",
+		},
+		cli.StringFlag{
+			Name:   "image-name-tag-with-digest-file",
+			Usage:  "Write image name with tag and digest to a file.",
+			EnvVar: "PLUGIN_IMAGE_NAME_TAG_WITH_DIGEST_FILE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure",
+			Usage:  "Allow connecting to registries without TLS.",
+			EnvVar: "PLUGIN_INSECURE",
+		},
+		cli.BoolFlag{
+			Name:   "insecure-pull",
+			Usage:  "Allow insecure pulls from the registry.",
+			EnvVar: "PLUGIN_INSECURE_PULL",
+		},
+		cli.StringFlag{
+			Name:   "insecure-registry",
+			Usage:  "Use plain HTTP for registry communication.",
+			EnvVar: "PLUGIN_INSECURE_REGISTRY",
+		},
+		cli.StringFlag{
+			Name:   "log-format",
+			Usage:  "Set the log format for build output.",
+			EnvVar: "PLUGIN_LOG_FORMAT",
+		},
+		cli.BoolFlag{
+			Name:   "log-timestamp",
+			Usage:  "Show timestamps in build output.",
+			EnvVar: "PLUGIN_LOG_TIMESTAMP",
+		},
+		cli.StringFlag{
+			Name:   "oci-layout-path",
+			Usage:  "Directory to store OCI layout.",
+			EnvVar: "PLUGIN_OCI_LAYOUT_PATH",
+		},
+		cli.IntFlag{
+			Name:   "push-retry",
+			Usage:  "Number of times to retry pushing an image.",
+			EnvVar: "PLUGIN_PUSH_RETRY",
+		},
+		cli.StringFlag{
+			Name:   "registry-certificate",
+			Usage:  "Path to a file containing a registry certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CERTIFICATE",
+		},
+		cli.StringFlag{
+			Name:   "registry-client-cert",
+			Usage:  "Path to a file containing a registry client certificate.",
+			EnvVar: "PLUGIN_REGISTRY_CLIENT_CERT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-default-registry-fallback",
+			Usage:  "Skip Docker Hub and default registry fallback.",
+			EnvVar: "PLUGIN_SKIP_DEFAULT_REGISTRY_FALLBACK",
+		},
+		cli.BoolFlag{
+			Name:   "reproducible",
+			Usage:  "Create a reproducible image.",
+			EnvVar: "PLUGIN_REPRODUCIBLE",
+		},
+		cli.BoolFlag{
+			Name:   "single-snapshot",
+			Usage:  "Only create a single snapshot of the image.",
+			EnvVar: "PLUGIN_SINGLE_SNAPSHOT",
+		},
+		cli.BoolFlag{
+			Name:   "skip-push-permission-check",
+			Usage:  "Skip permission check when pushing.",
+			EnvVar: "PLUGIN_SKIP_PUSH_PERMISSION_CHECK",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-pull",
+			Usage:  "Skip TLS verification when pulling.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_PULL",
+		},
+		cli.BoolFlag{
+			Name:   "skip-tls-verify-registry",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_SKIP_TLS_VERIFY_REGISTRY",
+		},
+		cli.BoolFlag{
+			Name:   "use-new-run",
+			Usage:  "Skip TLS verification when connecting to a registry.",
+			EnvVar: "PLUGIN_USE_NEW_RUN",
+		},
+		cli.BoolFlag{
+			Name:   "ignore-var-run",
+			Usage:  "Ignore the /var/run directory during build.",
+			EnvVar: "PLUGIN_IGNORE_VAR_RUN",
+		},
+		cli.StringFlag{
+			Name:   "ignore-path",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATH",
+		},
+		cli.IntFlag{
+			Name:   "image-fs-extract-retry",
+			Usage:  "Number of retries for extracting filesystem layers.",
+			EnvVar: "PLUGIN_IMAGE_FS_EXTRACT_RETRY",
+		},
+		cli.IntFlag{
+			Name:   "image-download-retry",
+			Usage:  "Number of retries for downloading base images.",
+			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
+		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
+		
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -93,34 +354,121 @@ func main() {
 }
 
 func run(c *cli.Context) error {
-	err := setupGCRAuth(c.String("json-key"))
-	if err != nil {
-		return err
-	}
+	noPush := c.Bool("no-push")
+	jsonKey := c.String("json-key")
 
-	if c.String("repo") == "" {
-		return fmt.Errorf("repo must be specified")
+	// JSON key may not be set in the following cases:
+	// 1. Image does not need to be pushed to GCR.
+	// 2. Workload identity is set on GKE in which pod will inherit the credentials via service account.
+	if jsonKey != "" {
+		if err := setupGCRAuth(jsonKey); err != nil {
+			return err
+		}
+
+		// setup docker config only when base image registry is specified
+		if c.String("base-image-registry") != "" {
+			if err := setDockerAuth(
+				c.String("base-image-username"),
+				c.String("base-image-password"),
+				c.String("base-image-registry"),
+			); err != nil {
+				return errors.Wrap(err, "failed to create docker config")
+			}
+		} else {
+			fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+				"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
+		}
 	}
 
 	plugin := kaniko.Plugin{
 		Build: kaniko.Build{
-			Dockerfile: c.String("dockerfile"),
-			Context:    c.String("context"),
-			Tags:       c.StringSlice("tags"),
-			Args:       c.StringSlice("args"),
-			Target:     c.String("target"),
-			Repo:       fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
-			Labels:     c.StringSlice("custom-labels"),
+			DroneCommitRef:              c.String("drone-commit-ref"),
+			DroneRepoBranch:             c.String("drone-repo-branch"),
+			Dockerfile:                  c.String("dockerfile"),
+			Context:                     c.String("context"),
+			Tags:                        c.StringSlice("tags"),
+			AutoTag:                     c.Bool("auto-tag"),
+			AutoTagSuffix:               c.String("auto-tag-suffix"),
+			ExpandTag:                   c.Bool("expand-tag"),
+			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*utils.CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
+			Target:                      c.String("target"),
+			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
+			Mirrors:                     c.StringSlice("registry-mirrors"),
+			Labels:                      c.StringSlice("custom-labels"),
+			SnapshotMode:                c.String("snapshot-mode"),
+			EnableCache:                 c.Bool("enable-cache"),
+			CacheRepo:                   fmt.Sprintf("%s/%s", c.String("registry"), c.String("cache-repo")),
+			CacheTTL:                    c.Int("cache-ttl"),
+			DigestFile:                  defaultDigestFile,
+			NoPush:                      noPush,
+			Verbosity:                   c.String("verbosity"),
+			Platform:                    c.String("platform"),
+			SkipUnusedStages:            c.Bool("skip-unused-stages"),
+			CacheDir:                    c.String("cache-dir"),
+			CacheCopyLayers:             c.Bool("cache-copy-layers"),
+			CacheRunLayers:              c.Bool("cache-run-layers"),
+			Cleanup:                     c.Bool("cleanup"),
+			ContextSubPath:              c.String("context-sub-path"),
+			CustomPlatform:              c.String("custom-platform"),
+			Force:                       c.Bool("force"),
+			ImageNameWithDigestFile:     c.String("image-name-with-digest-file"),
+			ImageNameTagWithDigestFile:  c.String("image-name-tag-with-digest-file"),
+			Insecure:                    c.Bool("insecure"),
+			InsecurePull:                c.Bool("insecure-pull"),
+			InsecureRegistry:            c.String("insecure-registry"),
+			Label:                       c.String("label"),
+			LogFormat:                   c.String("log-format"),
+			LogTimestamp:                c.Bool("log-timestamp"),
+			OCILayoutPath:               c.String("oci-layout-path"),
+			PushRetry:                   c.Int("push-retry"),
+			RegistryCertificate:         c.String("registry-certificate"),
+			RegistryClientCert:          c.String("registry-client-cert"),
+			SkipDefaultRegistryFallback: c.Bool("skip-default-registry-fallback"),
+			Reproducible:                c.Bool("reproducible"),
+			SingleSnapshot:              c.Bool("single-snapshot"),
+			SkipTLSVerify:               c.Bool("skip-tls-verify"),
+			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
+			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
+			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			UseNewRun:                   c.Bool("use-new-run"),
+			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
+			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
+			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
+		Artifact: kaniko.Artifact{
+			Tags:         c.StringSlice("tags"),
+			Repo:         c.String("repo"),
+			Registry:     c.String("registry"),
+			ArtifactFile: c.String("artifact-file"),
+			RegistryType: artifact.GCR,
+		},
+	}
+	if c.IsSet("compressed-caching") {
+		flag := c.Bool("compressed-caching")
+		plugin.Build.CompressedCaching = &flag
+	}
+	if c.IsSet("ignore-var-run") {
+		flag := c.Bool("ignore-var-run")
+		plugin.Build.IgnoreVarRun = &flag
 	}
 	return plugin.Exec()
 }
 
-func setupGCRAuth(jsonKey string) error {
-	if jsonKey == "" {
-		return fmt.Errorf("GCR JSON key must be specified")
+func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) error {
+	dockerConfig := docker.NewConfig()
+	dockerRegistryCreds := docker.RegistryCredentials{
+		Registry: dockerRegistry,
+		Username: dockerUsername,
+		Password: dockerPassword,
 	}
+	credentials := []docker.RegistryCredentials{dockerRegistryCreds}
+	return dockerConfig.CreateDockerConfig(credentials, dockerConfigPath)
+}
 
+func setupGCRAuth(jsonKey string) error {
 	err := ioutil.WriteFile(gcrKeyPath, []byte(jsonKey), 0644)
 	if err != nil {
 		return errors.Wrap(err, "failed to write GCR JSON key")

cmd/kaniko-gcr/main_test.go

@@ -0,0 +1,270 @@
+package main
+
+import (
+	"encoding/json"
+	"os"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/utils"
+	"github.com/urfave/cli"
+)
+
+func TestCustomStringSliceFlagIntegration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "single build arg",
+			input:    "ARG1=value1",
+			expected: []string{"ARG1=value1"},
+		},
+		{
+			name:     "multiple build args with semicolon",
+			input:    "ARG1=value1;ARG2=value2;ARG3=value3",
+			expected: []string{"ARG1=value1", "ARG2=value2", "ARG3=value3"},
+		},
+		{
+			name:     "build args with spaces",
+			input:    "ARG1=value with spaces;ARG2=another value",
+			expected: []string{"ARG1=value with spaces", "ARG2=another value"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the CustomStringSliceFlag directly
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.input)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			result := flag.GetValue()
+			if len(result) != len(tt.expected) {
+				t.Errorf("Got %d args, want %d", len(result), len(tt.expected))
+				return
+			}
+
+			for i, expected := range tt.expected {
+				if result[i] != expected {
+					t.Errorf("Got arg[%d] = %v, want %v", i, result[i], expected)
+				}
+			}
+		})
+	}
+}
+
+func TestEnvironmentVariableIntegration(t *testing.T) {
+	// Test that environment variables work with CustomStringSliceFlag
+	originalEnv := os.Getenv("PLUGIN_BUILD_ARGS_NEW")
+	defer func() {
+		if originalEnv != "" {
+			os.Setenv("PLUGIN_BUILD_ARGS_NEW", originalEnv)
+		} else {
+			os.Unsetenv("PLUGIN_BUILD_ARGS_NEW")
+		}
+	}()
+
+	os.Setenv("PLUGIN_BUILD_ARGS_NEW", "ENV_ARG1=env_value1;ENV_ARG2=env_value2")
+
+	app := cli.NewApp()
+	app.Flags = []cli.Flag{
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(utils.CustomStringSliceFlag),
+		},
+	}
+
+	var capturedArgs []string
+	app.Action = func(c *cli.Context) error {
+		if flag := c.Generic("args-new"); flag != nil {
+			if customFlag, ok := flag.(*utils.CustomStringSliceFlag); ok {
+				capturedArgs = customFlag.GetValue()
+			}
+		}
+		return nil
+	}
+
+	err := app.Run([]string{"test"})
+	if err != nil {
+		t.Errorf("App.Run() error = %v, want nil", err)
+		return
+	}
+
+	expected := []string{"ENV_ARG1=env_value1", "ENV_ARG2=env_value2"}
+	if len(capturedArgs) != len(expected) {
+		t.Errorf("Environment variable test: got %d args, want %d", len(capturedArgs), len(expected))
+		return
+	}
+
+	for i, exp := range expected {
+		if capturedArgs[i] != exp {
+			t.Errorf("Environment variable test: got arg[%d] = %v, want %v", i, capturedArgs[i], exp)
+		}
+	}
+}
+
+func TestGCRBuildArgsProcessing(t *testing.T) {
+	// Test that build args are correctly processed in the context of GCR plugin
+	tests := []struct {
+		name          string
+		argsNew       string
+		expectedCount int
+		expectedFirst string
+	}{
+		{
+			name:          "docker build args format",
+			argsNew:       "GOOS=linux;GOARCH=amd64;CGO_ENABLED=0",
+			expectedCount: 3,
+			expectedFirst: "GOOS=linux",
+		},
+		{
+			name:          "google cloud specific args",
+			argsNew:       "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json;PROJECT_ID=my-project",
+			expectedCount: 2,
+			expectedFirst: "GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json",
+		},
+		{
+			name:          "single complex arg with special characters",
+			argsNew:       "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+			expectedCount: 1,
+			expectedFirst: "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			flag := &utils.CustomStringSliceFlag{}
+			err := flag.Set(tt.argsNew)
+			if err != nil {
+				t.Errorf("Set() error = %v, want nil", err)
+				return
+			}
+
+			args := flag.GetValue()
+			if len(args) != tt.expectedCount {
+				t.Errorf("Got %d args, want %d", len(args), tt.expectedCount)
+				return
+			}
+
+			if len(args) > 0 && args[0] != tt.expectedFirst {
+				t.Errorf("Got first arg = %v, want %v", args[0], tt.expectedFirst)
+			}
+		})
+	}
+}
+
+func TestGCRRegistryFormatting(t *testing.T) {
+	// Test GCR-specific registry formatting
+	tests := []struct {
+		name     string
+		registry string
+		repo     string
+		expected string
+	}{
+		{
+			name:     "standard GCR format",
+			registry: "gcr.io",
+			repo:     "my-project/my-image",
+			expected: "gcr.io/my-project/my-image",
+		},
+		{
+			name:     "regional GCR",
+			registry: "us.gcr.io",
+			repo:     "project123/image456",
+			expected: "us.gcr.io/project123/image456",
+		},
+		{
+			name:     "european GCR",
+			registry: "eu.gcr.io",
+			repo:     "my-eu-project/my-app",
+			expected: "eu.gcr.io/my-eu-project/my-app",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This would be the format used in the GCR plugin
+			result := tt.registry + "/" + tt.repo
+			if result != tt.expected {
+				t.Errorf("GCR formatting: got %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestGCRJSONKeyValidation(t *testing.T) {
+	// Test JSON key validation for GCR authentication
+	tests := []struct {
+		name      string
+		jsonKey   string
+		expectErr bool
+	}{
+		{
+			name:      "empty json key",
+			jsonKey:   "",
+			expectErr: false, // Empty is allowed (workload identity)
+		},
+		{
+			name:      "valid json structure",
+			jsonKey:   `{"type":"service_account","project_id":"test","private_key_id":"123"}`,
+			expectErr: false,
+		},
+		{
+			name:      "invalid json",
+			jsonKey:   `{invalid json}`,
+			expectErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This simulates the JSON key validation that would happen in GCR
+			if tt.jsonKey != "" {
+				var data map[string]interface{}
+				err := json.Unmarshal([]byte(tt.jsonKey), &data)
+				if err != nil && !tt.expectErr {
+					t.Errorf("Expected no error for JSON key, got %v", err)
+				}
+				if err == nil && tt.expectErr {
+					t.Errorf("Expected error for JSON key, got nil")
+				}
+			}
+		})
+	}
+}
+
+func TestGCRAuthSetup(t *testing.T) {
+	// Test GCR authentication setup
+	tests := []struct {
+		name           string
+		jsonKey        string
+		expectAuthFile bool
+	}{
+		{
+			name:           "with json key",
+			jsonKey:        `{"type":"service_account","project_id":"test"}`,
+			expectAuthFile: true,
+		},
+		{
+			name:           "without json key (workload identity)",
+			jsonKey:        "",
+			expectAuthFile: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// This simulates the auth setup logic
+			hasAuthFile := tt.jsonKey != ""
+			if hasAuthFile != tt.expectAuthFile {
+				t.Errorf("Auth file expectation: got %v, want %v", hasAuthFile, tt.expectAuthFile)
+			}
+		})
+	}
+}

docker/acr/Dockerfile.linux.amd64

@@ -0,0 +1,5 @@
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
+
+ENV KANIKO_VERSION=1.25.0
+ADD release/linux/amd64/kaniko-acr /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-acr"]

docker/acr/Dockerfile.linux.arm64

@@ -0,0 +1,8 @@
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
+
+ENV HOME /root
+ENV USER root
+
+ENV KANIKO_VERSION=1.25.0
+ADD release/linux/arm64/kaniko-acr /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-acr"]

docker/acr/manifest.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-acr:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-acr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-acr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux

docker/docker/Dockerfile.linux.amd64

@@ -1,7 +1,5 @@
-FROM gcr.io/kaniko-project/executor:amd64-v1.3.0
-
-ENV HOME /root
-ENV USER root
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
 
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/Dockerfile.linux.amd64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/amd64/kaniko-docker /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/Dockerfile.linux.arm64

@@ -1,7 +1,8 @@
-FROM gcr.io/kaniko-project/executor:arm64-v1.3.0
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
 
 ENV HOME /root
 ENV USER root
 
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/arm64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/Dockerfile.linux.arm64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/arm64/kaniko-docker /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-docker"]

docker/docker/manifest-kaniko1.9.1.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
+    platform:
+      architecture: arm64
+      os: linux

docker/docker/manifest.tmpl

@@ -11,3 +11,8 @@ manifests:
     platform:
       architecture: amd64
       os: linux
+  -
+    image: plugins/kaniko:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux

docker/ecr/Dockerfile.linux.amd64

@@ -1,7 +1,5 @@
-FROM gcr.io/kaniko-project/executor:amd64-v1.3.0
-
-ENV HOME /root
-ENV USER root
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
 
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/Dockerfile.linux.amd64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/amd64/kaniko-ecr /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/Dockerfile.linux.arm64

@@ -1,7 +1,8 @@
-FROM gcr.io/kaniko-project/executor:arm64-v1.3.0
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
 
 ENV HOME /root
 ENV USER root
+ENV KANIKO_VERSION=1.25.0
 
 ADD release/linux/arm64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/Dockerfile.linux.arm64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/arm64/kaniko-ecr /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-ecr"]

docker/ecr/manifest-kaniko1.9.1.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
+    platform:
+      architecture: arm64
+      os: linux

docker/ecr/manifest.tmpl

@@ -10,4 +10,9 @@ manifests:
     image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
     platform:
       architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-ecr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
       os: linux

docker/gar/Dockerfile.linux.amd64

@@ -0,0 +1,5 @@
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64
+
+ENV KANIKO_VERSION=1.25.0
+ADD release/linux/amd64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.amd64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/amd64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.arm64

@@ -0,0 +1,8 @@
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64
+
+ENV HOME /root
+ENV USER root
+ENV KANIKO_VERSION=1.25.0
+
+ADD release/linux/arm64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/Dockerfile.linux.arm64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/arm64/kaniko-gar /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gar"]

docker/gar/manifest-kaniko1.9.1.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
+    platform:
+      architecture: arm64
+      os: linux

docker/gar/manifest.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-gar:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux

docker/gcr/Dockerfile.linux.amd64

@@ -1,7 +1,5 @@
-FROM gcr.io/kaniko-project/executor:amd64-v1.3.0
-
-ENV HOME /root
-ENV USER root
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-gcr /kaniko/
-ENTRYPOINT ["/kaniko/kaniko-gcr"]
+ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.amd64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/amd64/kaniko-gcr /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.arm64

@@ -1,7 +1,8 @@
-FROM gcr.io/kaniko-project/executor:arm64-v1.3.0
+FROM gcr.io/kaniko-project/executor:v1.23.2
 
 ENV HOME /root
 ENV USER root
+ENV KANIKO_VERSION=1.23.2
 
 ADD release/linux/arm64/kaniko-gcr /kaniko/
-ENTRYPOINT ["/kaniko/kaniko-gcr"]
+ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/Dockerfile.linux.arm64.kaniko1.9.1

@@ -0,0 +1,5 @@
+FROM gcr.io/kaniko-project/executor:v1.9.1
+
+ENV KANIKO_VERSION=1.9.1
+ADD release/linux/arm64/kaniko-gcr /kaniko/
+ENTRYPOINT ["/kaniko/kaniko-gcr"]

docker/gcr/manifest-kaniko1.9.1.tmpl

@@ -0,0 +1,18 @@
+image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-kaniko1.9.1{{else}}latest-kaniko1.9.1{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-kaniko1.9.1
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-kaniko1.9.1
+    platform:
+      architecture: arm64
+      os: linux

docker/gcr/manifest.tmpl

@@ -11,3 +11,8 @@ manifests:
     platform:
       architecture: amd64
       os: linux
+  -
+    image: plugins/kaniko-gcr:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux

git-hooks/README.md

@@ -0,0 +1,8 @@
+This document explains on how to install certain git hooks globally for all repositories in your machine.
+
+Step 1: git clone https://github.com/drone/drone-kaniko.git
+Step 2: cd git-hooks
+Step 3: Run install.sh
+
+"install.sh" script will create .git_template in the user directory and will put the git hook and its dependent scripts in it. Along with the .git_template folder, it will add 2 sections "init" and "hooks boolean" in the .gitconfig file in the same user's root directory.
+After running "install.sh" if you create/clone a new git repository then all the hooks will get install automatically for the git repository. In case of existing git repository copy the contents of ~/.git_template/hooks into the .git/hooks directory of existing git repository.

git-hooks/hooks/git-leaks-pre-commit.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS_PRE_COMMIT=s$(git config --bool hook.pre-commit.gitleak)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks protect --staged -v --exit-code=100
+STATUS=$?
+if [ $STATUS = 100  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+else
+    exit 0
+fi

git-hooks/hooks/git-leaks.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS=$(git config --bool hook.pre-push.gitleaks)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks detect -s ./ --log-level=debug --log-opts=-1 -v
+STATUS=$?
+if [ $STATUS != 0  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+    exit $STATUS
+else
+    exit 0
+fi

git-hooks/hooks/pre-commit

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks-pre-commit.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+if [ "`git config $GIT_LEAKS_PRE_COMMIT`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS_PRE_COMMIT '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS_PRE_COMMIT true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi

git-hooks/hooks/pre-push

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS=hook.pre-push.gitleaks
+if [ "`git config $GIT_LEAKS`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi

git-hooks/install.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+#Function to check if package is installed or not
+#args: $1: Name of the Package
+function check_package_installed() {
+  LOCAL_PACKAGE_NAME=$1
+  echo "Checking if $LOCAL_PACKAGE_NAME is installed or not..."
+  brew list $LOCAL_PACKAGE_NAME
+  if [ "$?" -eq 1 ];then
+    echo "Installing $LOCAL_PACKAGE_NAME package..."
+    brew install $LOCAL_PACKAGE_NAME
+  fi
+}
+
+function create_git_template() {
+    cd $BASEDIR
+    mkdir -p ~/.git_template/hooks
+    git config --global init.templatedir ${GIT_TEMPLATE}
+    git config --global --add $GIT_LEAKS true
+    git config --global --add $GIT_LEAKS_PRE_COMMIT true
+    find hooks/ -type f -exec cp "{}" ~/.git_template/hooks \;
+    #cp -f hooks/* ~/.git_template/hooks
+    cat ~/.gitconfig
+}
+
+GIT_TEMPLATE="~/.git_template"
+GIT_LEAKS=hook.pre-push.gitleaks
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+
+pushd `dirname $0` && BASEDIR=$(pwd -L) && popd
+
+echo This script will install hooks that run scripts that could be updated without notice.
+
+while true; do
+    read -p "Do you wish to install these hooks?" yn
+    case $yn in
+        [Yy]* ) check_package_installed "gitleaks";
+                break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done
+
+create_git_template

go.mod

@@ -1,10 +1,63 @@
 module github.com/drone/drone-kaniko
 
 require (
-	github.com/joho/godotenv v1.3.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
+	github.com/aws/aws-sdk-go v1.44.52
+	github.com/aws/aws-sdk-go-v2 v1.16.7
+	github.com/aws/aws-sdk-go-v2/config v1.15.14
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.8
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8
+	github.com/aws/smithy-go v1.12.0
+	github.com/coreos/go-semver v0.3.0
+	github.com/google/go-cmp v0.6.0
+	github.com/google/go-containerregistry v0.20.3
+	github.com/hashicorp/go-version v1.6.0
+	github.com/joho/godotenv v1.4.0
 	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.3.0
-	github.com/urfave/cli v1.22.2
+	github.com/sirupsen/logrus v1.9.3
+	github.com/stretchr/testify v1.9.0
+	github.com/urfave/cli v1.22.15
+	golang.org/x/mod v0.22.0
 )
 
-go 1.13
+require (
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.9 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/cli v27.5.0+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/vbatts/tar-split v0.11.6 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
+
+go 1.23.0
+
+toolchain go1.23.8

go.sum

@@ -1,32 +1,143 @@
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 h1:tz19qLF65vuu2ibfTqGVJxG/zZAI27NEIIbvAOQwYbw=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0/go.mod h1:bhXu1AjYL+wutSL/kpSq6s7733q2Rb0yuot9Zgfqa/0=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
+github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 h1:TsFCaaF5tR4XN8b4zLVl/J4qMb0nf80Q4CXcpXDNJDY=
+github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/aws/aws-sdk-go v1.44.52 h1:kHLbYJj59C7VrsLM4gm7pxsvaNIvhXCCIDYEFFoQ+VE=
+github.com/aws/aws-sdk-go v1.44.52/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns=
+github.com/aws/aws-sdk-go-v2 v1.16.7/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw=
+github.com/aws/aws-sdk-go-v2/config v1.15.14 h1:+BqpqlydTq4c2et9Daury7gE+o67P4lbk7eybiCBNc4=
+github.com/aws/aws-sdk-go-v2/config v1.15.14/go.mod h1:CQBv+VVv8rR5z2xE+Chdh5m+rFfsqeY4k0veEZeq6QM=
+github.com/aws/aws-sdk-go-v2/credentials v1.12.9 h1:DloAJr0/jbvm0iVRFDFh8GlWxrOd9XKyX82U+dfVeZs=
+github.com/aws/aws-sdk-go-v2/credentials v1.12.9/go.mod h1:2Vavxl1qqQXJ8MUcQZTsIEW8cwenFCWYXtLRPba3L/o=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8 h1:VfBdn2AxwMbFyJN/lF/xuT3SakomJ86PZu3rCxb5K0s=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.8/go.mod h1:oL1Q3KuCq1D4NykQnIvtRiBGLUXhcpY5pl6QZB2XEPU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 h1:2C0pYHcUBmdzPj+EKNC4qj97oK6yjrUhc1KoSodglvk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14/go.mod h1:kdjrMwHwrC3+FsKhNcCMJ7tUVj/8uSD5CZXeQ4wV6fM=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 h1:2J+jdlBJWEmTyAwC82Ym68xCykIvnSnIN18b8xHGlcc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8/go.mod h1:ZIV8GYoC6WLBW5KGs+o4rsc65/ozd+eQ0L31XF5VDwk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15 h1:QquxR7NH3ULBsKC+NoTpilzbKKS+5AELfNREInbhvas=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.15/go.mod h1:Tkrthp/0sNBShQQsamR7j/zY4p19tVTAs+nnqhH6R3c=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.17.8 h1:wgZo/yeY0f+2RWy2q1rTtZSPMmq37Zy3pY4QypHeurg=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.17.8/go.mod h1:ItZADKTnGxqcqXABHyNpoBljQ8ORt4h+D39RToM/3Ds=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8 h1:uByYzUJNBrI4LN0H+HMA7yrDWQxe2f9cF7ZkiXltXRo=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8/go.mod h1:nPSH6Ebmb3OkKl7+CLSjx+SMBaoFKbOe9mZhTAd352k=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 h1:oKnAXxSF2FUvfgw8uzU/v9OTYorJJZ8eBmWhr9TWVVQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8/go.mod h1:rDVhIMAX9N2r8nWxDUlbubvvaFMnfsm+3jAV7q+rpM4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 h1:760bUnTX/+d693FT6T6Oa7PZHfEQT9XMFZeM5IQIB0A=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.12/go.mod h1:MO4qguFjs3wPGcCSpQ7kOFTwRvb+eu+fn+1vKleGHUk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 h1:yOfILxyjmtr2ubRkRJldlHDFBhf5vw4CzhbwWIBmimQ=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.9/go.mod h1:O1IvkYxr+39hRf960Us6j0x1P8pDqhTX+oXM5kQNl/Y=
+github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0=
+github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
+github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
+github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
-github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
+github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
+github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvDaFkLctbGM=
+github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
+github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
+github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI=
+github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
+github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
+github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.3.0 h1:hI/7Q+DtNZ2kINb6qt/lS+IyXnHQe9e90POfeewL/ME=
-github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo=
-github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793 h1:u+LnwYTOOW7Ukr/fppxEb1Nwz0AtPflrblfvUudpo+I=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
+github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
+github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
+github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=

internal/azure/tokenutil.go

@@ -0,0 +1,72 @@
+package azure
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+const DefaultResource = "https://management.azure.com/"
+const defaultAuthorityHost = "https://login.microsoftonline.com"
+const defaultHTTPTimeout = 30 * time.Second
+
+// GetAADAccessTokenViaClientAssertion exchanges an external OIDC ID token for an Azure AD access token
+
+func GetAADAccessTokenViaClientAssertion(ctx context.Context, tenantID, clientID, oidcToken, authorityHost string) (string, error) {
+	resource := DefaultResource
+
+	form := url.Values{
+		"client_id":             {clientID},
+		"scope":                 {resource + ".default"},
+		"grant_type":            {"client_credentials"},
+		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
+		"client_assertion":      {oidcToken},
+	}
+	base := authorityHost
+	if strings.TrimSpace(base) == "" {
+		base = defaultAuthorityHost
+	}
+	base = strings.TrimRight(base, "/")
+	endpoint := fmt.Sprintf("%s/%s/oauth2/v2.0/token", base, tenantID)
+	client := &http.Client{Timeout: defaultHTTPTimeout}
+	req, err := http.NewRequestWithContext(ctx, "POST", endpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		var aadErr struct {
+			Error            string `json:"error"`
+			ErrorDescription string `json:"error_description"`
+		}
+		limited := io.LimitedReader{R: resp.Body, N: 4096}
+		_ = json.NewDecoder(&limited).Decode(&aadErr)
+		if aadErr.Error != "" {
+			return "", fmt.Errorf("AAD token request failed: status=%d, error=%s", resp.StatusCode, aadErr.Error)
+		}
+		return "", fmt.Errorf("AAD token request failed: status=%d", resp.StatusCode)
+	}
+	var payload struct {
+		AccessToken string `json:"access_token"`
+		TokenType   string `json:"token_type"`
+		ExpiresIn   int    `json:"expires_in"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+		return "", err
+	}
+	if payload.AccessToken == "" {
+		return "", fmt.Errorf("AAD token response missing access_token")
+	}
+	return payload.AccessToken, nil
+}

internal/azure/tokenutil_test.go

@@ -0,0 +1,103 @@
+package azure
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestGetAADAccessTokenViaClientAssertion_Success(t *testing.T) {
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Fatalf("expected POST, got %s", r.Method)
+		}
+		if ct := r.Header.Get("Content-Type"); !strings.Contains(ct, "application/x-www-form-urlencoded") {
+			t.Fatalf("expected form content-type, got %s", ct)
+		}
+		if err := r.ParseForm(); err != nil {
+			t.Fatalf("failed parsing form: %v", err)
+		}
+		assertEq(t, r.Form.Get("client_id"), "client")
+		assertEq(t, r.Form.Get("grant_type"), "client_credentials")
+		assertEq(t, r.Form.Get("client_assertion_type"), "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
+		assertEq(t, r.Form.Get("client_assertion"), "idtoken")
+		assertEq(t, r.Form.Get("scope"), DefaultResource+".default")
+
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"access_token":"AT","token_type":"Bearer","expires_in":3600}`))
+	}))
+	defer ts.Close()
+
+	tok, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if tok != "AT" {
+		t.Fatalf("expected access token AT, got %q", tok)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_400WithErrorField(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write([]byte(`{"error":"invalid_client","error_description":"bad"}`))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "status=400") || !strings.Contains(err.Error(), "invalid_client") {
+		t.Fatalf("expected 400 with invalid_client error, got %v", err)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_400WithoutErrorField(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write([]byte("{}"))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "status=400") {
+		t.Fatalf("expected 400 error, got %v", err)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_MalformedJSON(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte("not-json"))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil {
+		t.Fatalf("expected JSON decode error, got nil")
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_MissingAccessToken(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"token_type":"Bearer","expires_in":3600}`))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "missing access_token") {
+		t.Fatalf("expected missing access_token error, got %v", err)
+	}
+}
+
+func assertEq(t *testing.T, got, want string) {
+	t.Helper()
+	if got != want {
+		t.Fatalf("mismatch: got=%q want=%q", got, want)
+	}
+}

kaniko.go

@@ -2,64 +2,514 @@ package kaniko
 
 import (
 	"fmt"
+	"io/ioutil"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+
+	"github.com/drone/drone-kaniko/pkg/artifact"
+	"github.com/drone/drone-kaniko/pkg/output"
+	"github.com/drone/drone-kaniko/pkg/tagger"
+	"github.com/google/go-containerregistry/pkg/crane"
+	"golang.org/x/mod/semver"
 )
 
 type (
 	// Build defines Docker build parameters.
 	Build struct {
-		Dockerfile string   // Docker build Dockerfile
-		Context    string   // Docker build context
-		Tags       []string // Docker build tags
-		Args       []string // Docker build args
-		Target     string   // Docker build target
-		Repo       string   // Docker build repository
-		Labels     []string // Label map
+		Args                []string // Docker build args
+		ArgsNew             []string // docker build args with comma seperated values
+		AutoTag             bool     // Set this to auto detect tags from git commits and semver-tagged labels
+		AutoTagSuffix       string   // Suffix to append to the auto detect tags
+		CacheRepo           string   // Remote repository that will be used to store cached layers
+		CacheTTL            int      // Cache timeout in hours
+		Context             string   // Docker build context
+		DigestFile          string   // Digest file location
+		Dockerfile          string   // Docker build Dockerfile
+		DroneCommitRef      string   // Drone git commit reference
+		DroneRepoBranch     string   // Drone repo branch
+		EnableCache         bool     // Whether to enable kaniko cache
+		ExpandTag           bool     // Set this to expand the `Tags` into semver-tagged labels
+		IsMultipleBuildArgs bool     // env variable for fallback for docker build args
+		Labels              []string // Label map
+		Mirrors             []string // Docker repository mirrors
+		NoPush              bool     // Set this flag if you only want to build the image, without pushing to a registry
+		Platform            string   // Allows to build with another default platform than the host, similarly to docker build --platform
+		PushOnly            bool     // Specify if the operation is push-only.
+		Repo                string   // Docker build repository
+		SkipTlsVerify       bool     // Docker skip tls certificate verify for registry
+		SkipUnusedStages    bool     // Build only used stages
+		SnapshotMode        string   // Kaniko snapshot mode
+		SourceTarPath       string   // Path to the local tarball to be pushed
+		Tags                []string // Docker build tags
+		TarPath             string   // Set this flag to save the image as a tarball at path
+		Target              string   // Docker build target
+		Verbosity           string   // Log level
+
+		Cache                       bool     // Enable or disable caching during the build process.
+		CacheDir                    string   // Directory to store cached layers.
+		CacheCopyLayers             bool     // Enable or disable copying layers from the cache.
+		CacheRunLayers              bool     // Enable or disable running layers from the cache.
+		Cleanup                     bool     // Enable or disable cleanup of temporary files.
+		CompressedCaching           *bool    // Enable or disable compressed caching.
+		ContextSubPath              string   // Sub-path within the context to build.
+		CustomPlatform              string   // Platform to use for building.
+		Force                       bool     // Force building the image even if it already exists.
+		Git                         bool     // Branch to clone if build context is a git repository .
+		ImageNameWithDigestFile     string   // Write image name with digest to a file.
+		ImageNameTagWithDigestFile  string   // Write image name with tag and digest to a file.
+		Insecure                    bool     // Allow connecting to registries without TLS.
+		InsecurePull                bool     // Allow insecure pulls from the registry.
+		InsecureRegistry            string   // Use plain HTTP for registry communication.
+		Label                       string   // Add metadata to an image.
+		LogFormat                   string   // Set the log format for build output.
+		LogTimestamp                bool     // Show timestamps in build output.
+		OCILayoutPath               string   // Directory to store OCI layout.
+		PushRetry                   int      // Number of times to retry pushing an image.
+		RegistryCertificate         string   // Path to a file containing a registry certificate.
+		RegistryClientCert          string   // Path to a file containing a registry client certificate.
+		RegistryMirror              string   // Mirror for registry pulls.
+		SkipDefaultRegistryFallback bool     // Skip Docker Hub and default registry fallback.
+		Reproducible                bool     // Create a reproducible image.
+		SingleSnapshot              bool     // Only create a single snapshot of the image.
+		SkipTLSVerify               bool     // Skip TLS verification when connecting to the registry.
+		SkipPushPermissionCheck     bool     // Skip permission check when pushing.
+		SkipTLSVerifyPull           bool     // Skip TLS verification when pulling.
+		SkipTLSVerifyRegistry       bool     // Skip TLS verification when connecting to a registry.
+		UseNewRun                   bool     // Use the new container runtime (`runc`) for builds.
+		IgnoreVarRun                *bool    // Ignore `/var/run` when copying from the context.
+		IgnorePath                  string   // Ignore files matching the specified path pattern.
+		IgnorePaths                 []string // Ignore files matching the specified path pattern.
+		ImageFSExtractRetry         int      // Number of times to retry extracting the image filesystem.
+		ImageDownloadRetry          int      // Number of times to retry downloading layers.
+	}
+
+	// Artifact defines content of artifact file
+	Artifact struct {
+		Tags         []string                  // Docker artifact tags
+		Repo         string                    // Docker artifact repository
+		Registry     string                    // Docker artifact registry
+		RegistryType artifact.RegistryTypeEnum // Rocker artifact registry type
+		ArtifactFile string                    // Artifact file location
+	}
+
+	// Output defines content of output file
+	Output struct {
+		OutputFile string // File where plugin output are saved
 	}
 
 	// Plugin defines the Docker plugin parameters.
 	Plugin struct {
-		Build Build // Docker build configuration
+		Build    Build    // Docker build configuration
+		Artifact Artifact // Artifact file content
+		Output   Output   // Output file content
+
+		// parameters for UTs to mock crane functionality
+		LoadImageFromTarball func(string) (v1.Image, error)
+		PushImageToRegistry  func(v1.Image, string) error
 	}
 )
 
+// labelsForTag returns the labels to use for the given tag, subject to the value of ExpandTag.
+//
+// Build information (e.g. +linux_amd64) is carried through to all labels.
+// Pre-release information (e.g. -rc1) suppresses major and major+minor auto-labels.
+func (b Build) labelsForTag(tag string) (labels []string) {
+	// We strip "v" off of the beginning of semantic versions, as they are not used in docker tags
+	const VersionPrefix = "v"
+
+	// Semantic Versions don't allow underscores, so replace them with dashes.
+	//   https://semver.org/
+	semverTag := strings.ReplaceAll(tag, "_", "-")
+
+	// Allow tags of the form "1.2.3" as well as "v1.2.3" to avoid confusion.
+	if withV := VersionPrefix + semverTag; !semver.IsValid(semverTag) && semver.IsValid(withV) {
+		semverTag = withV
+	}
+
+	// Pass through tags if expand-tag is not set, or if the tag is not a semantic version
+	if !b.ExpandTag || !semver.IsValid(semverTag) {
+		return []string{tag}
+	}
+	tag = semverTag
+
+	// If the version is pre-release, only the full release should be tagged, not the major/minor versions.
+	if semver.Prerelease(tag) != "" {
+		return []string{
+			strings.TrimPrefix(tag, VersionPrefix),
+		}
+	}
+
+	// tagFor carries any build information from the semantic version through to major and minor tags.
+	labelFor := func(base string) string {
+		return strings.TrimPrefix(base, VersionPrefix) + semver.Build(tag)
+	}
+	return []string{
+		labelFor(semver.Major(tag)),
+		labelFor(semver.MajorMinor(tag)),
+		labelFor(semver.Canonical(tag)),
+	}
+}
+
+// Returns the auto detected tags. See the AutoTag section of
+// https://plugins.drone.io/drone-plugins/drone-docker/ for more info.
+func (b Build) AutoTags() (tags []string, err error) {
+	if len(b.Tags) > 1 || len(b.Tags) == 1 && b.Tags[0] != "latest" {
+		err = fmt.Errorf("The auto-tag flag does not work with user provided tags %s", b.Tags)
+		return
+	}
+	// We have tried the best to prevent enabling auto-tag and passing in
+	// user specified at the same time. Starts to auto detect tags.
+	// Note: passing in a "latest" tag with auto-tag enabled won't trigger the
+	// early returns above, because we cannot tell if the tag is provided by
+	// the default value or by the users.
+	commitRef := b.DroneCommitRef
+	if !tagger.UseAutoTag(commitRef, b.DroneRepoBranch) {
+		err = fmt.Errorf("Could not auto detect the tag. Skipping automated docker build for commit %s", commitRef)
+		return
+	}
+	tags, err = tagger.AutoTagsSuffix(commitRef, b.AutoTagSuffix)
+	if err != nil {
+		err = fmt.Errorf("Invalid semantic version when auto detecting the tag. Skipping automated docker build for %s.", commitRef)
+	}
+	return
+}
+
 // Exec executes the plugin step
 func (p Plugin) Exec() error {
-	if p.Build.Repo == "" {
+
+	if p.Build.NoPush && p.Build.PushOnly {
+		return fmt.Errorf("inputs no-push and push-only cannot be used together. please define only one")
+	}
+
+	if !p.Build.NoPush && p.Build.Repo == "" {
 		return fmt.Errorf("repository name to publish image must be specified")
 	}
 
+	if p.Build.PushOnly {
+		// When push-only is set, source_tar_path MUST be provided
+		if p.Build.SourceTarPath == "" {
+			return fmt.Errorf("source_tar_path is required when push_only is set. please provide a valid tarball path")
+		}
+
+		if _, err := os.Stat(p.Build.SourceTarPath); os.IsNotExist(err) {
+			return fmt.Errorf("image tarball does not exist at path: %s", p.Build.SourceTarPath)
+		}
+
+		if p.Build.Repo == "" {
+			return fmt.Errorf("missing required destination repository for push-only operation")
+		}
+
+		// Load the image from the tarball
+		img, err := crane.Load(p.Build.SourceTarPath)
+		if err != nil {
+			return fmt.Errorf("failed to load image from tarball: %v", err)
+		}
+
+		// If no tags are specified, use 'latest'
+		tags := p.Build.Tags
+
+		for _, tag := range tags {
+			dest := fmt.Sprintf("%s:%s", p.Build.Repo, tag)
+
+			// Push the image to the destination
+			err := crane.Push(img, dest)
+			if err != nil {
+				return fmt.Errorf("failed to push image from tarball [%s] to destination [%s]: %v", p.Build.SourceTarPath, dest, err)
+			}
+
+			fmt.Printf("Successfully pushed image - '%s'\n to %s\n", dest, p.Build.Repo)
+		}
+
+		return nil
+	}
+
+	if _, err := os.Stat(p.Build.Dockerfile); os.IsNotExist(err) {
+		return fmt.Errorf("dockerfile does not exist at path: %s", p.Build.Dockerfile)
+	}
+
+	var tags = p.Build.Tags
+	if p.Build.AutoTag && p.Build.ExpandTag {
+		return fmt.Errorf("The auto-tag flag conflicts with the expand-tag flag")
+	}
+	if p.Build.AutoTag {
+		var err error
+		tags, err = p.Build.AutoTags()
+		if err != nil {
+			return err
+		}
+	}
+
 	cmdArgs := []string{
 		fmt.Sprintf("--dockerfile=%s", p.Build.Dockerfile),
 		fmt.Sprintf("--context=dir://%s", p.Build.Context),
 	}
 
-	// Set the destination repository
-	for _, tag := range p.Build.Tags {
-		cmdArgs = append(cmdArgs, fmt.Sprintf("--destination=%s:%s", p.Build.Repo, tag))
+	// Set the destination repository only when we push or save to tarball
+	if !p.Build.NoPush || p.Build.TarPath != "" {
+		for _, tag := range tags {
+			for _, label := range p.Build.labelsForTag(tag) {
+				cmdArgs = append(cmdArgs, fmt.Sprintf("--destination=%s:%s", p.Build.Repo, label))
+			}
+		}
 	}
+
 	// Set the build arguments
-	for _, arg := range p.Build.Args {
-		cmdArgs = append(cmdArgs, fmt.Sprintf("--build-arg=%s", arg))
+	if p.Build.IsMultipleBuildArgs {
+		for _, arg := range p.Build.ArgsNew {
+			cmdArgs = append(cmdArgs, "--build-arg", arg)
+		}
+	} else {
+		for _, arg := range p.Build.Args {
+			cmdArgs = append(cmdArgs, "--build-arg", arg)
+		}
 	}
 	// Set the labels
 	for _, label := range p.Build.Labels {
-		cmdArgs = append(cmdArgs, fmt.Sprintf("--label %s", label))
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--label=%s", label))
+	}
+	// Set repository mirrors
+	for _, mirror := range p.Build.Mirrors {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-mirror=%s", mirror))
 	}
-
 	if p.Build.Target != "" {
 		cmdArgs = append(cmdArgs, fmt.Sprintf("--target=%s", p.Build.Target))
 	}
 
+	if p.Build.SkipTlsVerify {
+		cmdArgs = append(cmdArgs, "--skip-tls-verify=true")
+	}
+
+	if p.Build.SnapshotMode != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshot-mode=%s", p.Build.SnapshotMode))
+	}
+
+	if p.Build.EnableCache {
+		cmdArgs = append(cmdArgs, "--cache=true")
+
+		if p.Build.CacheRepo != "" {
+			cmdArgs = append(cmdArgs, fmt.Sprintf("--cache-repo=%s", p.Build.CacheRepo))
+		}
+	}
+
+	if p.Build.CacheTTL != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--cache-ttl=%dh", p.Build.CacheTTL))
+	}
+
+	if p.Build.DigestFile != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--digest-file=%s", p.Build.DigestFile))
+	}
+
+	if p.Build.NoPush {
+		cmdArgs = append(cmdArgs, "--no-push")
+	}
+
+	if p.Build.Verbosity != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--verbosity=%s", p.Build.Verbosity))
+	}
+
+	if p.Build.Platform != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--customPlatform=%s", p.Build.Platform))
+	}
+
+	if p.Build.SkipUnusedStages {
+		cmdArgs = append(cmdArgs, "--skip-unused-stages")
+	}
+
+	if p.Build.TarPath != "" {
+		tarDir := filepath.Dir(p.Build.TarPath)
+		if _, err := os.Stat(tarDir); os.IsNotExist(err) {
+			if mkdirErr := os.MkdirAll(tarDir, 0755); mkdirErr != nil {
+				return fmt.Errorf("failed to create directory for tar path %s: %v", tarDir, mkdirErr)
+			}
+		}
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--tar-path=%s", p.Build.TarPath))
+	}
+
+	if p.Build.CacheCopyLayers {
+		cmdArgs = append(cmdArgs, "--cache-copy-layers")
+	}
+
+	if p.Build.CacheRunLayers {
+		cmdArgs = append(cmdArgs, "--cache-run-layers=true")
+	}
+
+	if p.Build.Cleanup {
+		cmdArgs = append(cmdArgs, "--cleanup=true")
+	}
+
+	if p.Build.CompressedCaching != nil {
+		if *p.Build.CompressedCaching {
+			cmdArgs = append(cmdArgs, "--compressed-caching=true")
+		} else {
+			cmdArgs = append(cmdArgs, "--compressed-caching=false")
+		}
+	}
+
+	if p.Build.ContextSubPath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--context-sub-path=%s", p.Build.ContextSubPath))
+	}
+
+	if p.Build.CustomPlatform != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--custom-platform=%s", p.Build.CustomPlatform))
+	}
+
+	if p.Build.Force {
+		cmdArgs = append(cmdArgs, "--force")
+	}
+
+	if p.Build.Git {
+		cmdArgs = append(cmdArgs, "--git")
+	}
+
+	if p.Build.ImageNameWithDigestFile != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-name-with-digest-file=%s", p.Build.ImageNameWithDigestFile))
+	}
+
+	if p.Build.ImageNameTagWithDigestFile != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-name-tag-with-digest-file=%s", p.Build.ImageNameTagWithDigestFile))
+	}
+
+	if p.Build.Insecure {
+		cmdArgs = append(cmdArgs, "--insecure")
+	}
+
+	if p.Build.InsecurePull {
+		cmdArgs = append(cmdArgs, "--insecure-pull")
+	}
+
+	if p.Build.InsecureRegistry != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--insecure-registry=%s", p.Build.InsecureRegistry))
+	}
+
+	if p.Build.LogFormat != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--log-format=%s", p.Build.LogFormat))
+	}
+
+	if p.Build.LogTimestamp {
+		cmdArgs = append(cmdArgs, "--log-timestamp")
+	}
+
+	if p.Build.OCILayoutPath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--oci-layout-path=%s", p.Build.OCILayoutPath))
+	}
+
+	if p.Build.PushRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--push-retry=%d", p.Build.PushRetry))
+	}
+
+	if p.Build.RegistryCertificate != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-certificate=%s", p.Build.RegistryCertificate))
+	}
+
+	if p.Build.RegistryClientCert != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--registry-client-cert=%s", p.Build.RegistryClientCert))
+	}
+
+	if p.Build.SkipDefaultRegistryFallback {
+		cmdArgs = append(cmdArgs, "--skip-default-registry-fallback")
+	}
+
+	if p.Build.Reproducible {
+		cmdArgs = append(cmdArgs, "--reproducible")
+	}
+
+	if p.Build.SingleSnapshot {
+		cmdArgs = append(cmdArgs, "--single-snapshot")
+	}
+
+	if p.Build.SkipPushPermissionCheck {
+		cmdArgs = append(cmdArgs, "--skip-push-permission-check")
+	}
+
+	if p.Build.SkipTLSVerifyPull {
+		cmdArgs = append(cmdArgs, "--skip-tls-verify-pull")
+	}
+
+	if p.Build.SkipTLSVerifyRegistry {
+		cmdArgs = append(cmdArgs, "--skip-tls-verify-registry")
+	}
+
+	if p.Build.UseNewRun {
+		cmdArgs = append(cmdArgs, "--use-new-run")
+	}
+
+	if p.Build.IgnoreVarRun != nil {
+		if *p.Build.IgnoreVarRun {
+			cmdArgs = append(cmdArgs, "--ignore-var-run=true")
+		} else {
+			cmdArgs = append(cmdArgs, "--ignore-var-run=false")
+		}
+	}
+
+	if p.Build.IgnorePath != "" {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", p.Build.IgnorePath))
+	}
+
+	if p.Build.IgnorePaths != nil {
+		for _, path := range p.Build.IgnorePaths {
+			trimmed := strings.TrimSpace(path)
+			if trimmed != "" {
+				cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", trimmed))
+			}
+		}
+	}
+
+	if p.Build.ImageFSExtractRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-fs-extract-retry=%d", p.Build.ImageFSExtractRetry))
+	}
+
+	if p.Build.ImageDownloadRetry != 0 {
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-download-retry=%d", p.Build.ImageDownloadRetry))
+	}
+
 	cmd := exec.Command("/kaniko/executor", cmdArgs...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	trace(cmd)
 
 	err := cmd.Run()
-	return err
+	if err != nil {
+		return err
+	}
+
+	if p.Build.DigestFile != "" && p.Artifact.ArtifactFile != "" {
+		err = artifact.WritePluginArtifactFile(p.Artifact.RegistryType, p.Artifact.ArtifactFile, p.Artifact.Registry, p.Artifact.Repo, getDigest(p.Build.DigestFile), p.Artifact.Tags)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "failed to write plugin artifact file at path: %s with error: %s\n", p.Artifact.ArtifactFile, err)
+		}
+	}
+
+	p.Output.OutputFile = os.Getenv("DRONE_OUTPUT")
+	var tarPath string
+	if p.Build.TarPath != "" {
+		tarPath = getTarPath(p.Build.TarPath)
+	}
+	if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile), tarPath); err != nil {
+		fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
+	}
+
+	return nil
+}
+
+func getTarPath(tarPath string) string {
+	tarDir := filepath.Dir(tarPath)
+	if _, err := os.Stat(tarDir); err != nil && os.IsNotExist(err) {
+		fmt.Fprintf(os.Stderr, "Warning: tar path does not exist: %s\n", tarPath)
+		return ""
+	}
+	return tarPath
+}
+
+func getDigest(digestFile string) string {
+	content, err := ioutil.ReadFile(digestFile)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to read digest file contents at path: %s with error: %s\n", digestFile, err)
+	}
+	return string(content)
 }
 
 // trace writes each command to stdout with the command wrapped in an xml

kaniko_test.go

@@ -1 +1,454 @@
 package kaniko
+
+import (
+	"archive/tar"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestBuild_labelsForTag(t *testing.T) {
+	tests := []struct {
+		name       string
+		tag        string
+		expandTags []string
+	}{
+		{
+			name:       "semver",
+			tag:        "v1.2.3",
+			expandTags: []string{"1", "1.2", "1.2.3"},
+		},
+		{
+			name:       "no_patch",
+			tag:        "v1.2",
+			expandTags: []string{"1", "1.2", "1.2.0"},
+		},
+		{
+			name:       "only_major",
+			tag:        "v1",
+			expandTags: []string{"1", "1.0", "1.0.0"},
+		},
+		{
+			name:       "full_with_build",
+			tag:        "v1.2.3+build-info",
+			expandTags: []string{"1+build-info", "1.2+build-info", "1.2.3+build-info"},
+		},
+		{
+			name:       "build_with_underscores",
+			tag:        "v1.2.3+linux_amd64",
+			expandTags: []string{"1+linux-amd64", "1.2+linux-amd64", "1.2.3+linux-amd64"},
+		},
+		{
+			name:       "prerelease",
+			tag:        "v1.2.3-rc1",
+			expandTags: []string{"1.2.3-rc1"},
+		},
+		{
+			name:       "prerelease_with_build",
+			tag:        "v1.2.3-rc1+bld",
+			expandTags: []string{"1.2.3-rc1+bld"},
+		},
+		{
+			name:       "invalid_build",
+			tag:        "v1+bld", // can only include build detail with all three elements
+			expandTags: []string{"v1+bld"},
+		},
+		{
+			name:       "accidental_non_semver",
+			tag:        "1.2.3",
+			expandTags: []string{"1", "1.2", "1.2.3"},
+		},
+		{
+			name:       "non_semver",
+			tag:        "latest",
+			expandTags: []string{"latest"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tags := Build{ExpandTag: true}.labelsForTag(tt.tag)
+			if got, want := tags, tt.expandTags; !cmp.Equal(got, want) {
+				t.Errorf("tagsFor(%q) = %q, want %q", tt.tag, got, want)
+			}
+		})
+	}
+}
+
+func TestBuild_AutoTags(t *testing.T) {
+	tests := []struct {
+		name          string
+		repoBranch    string
+		commitRef     string
+		autoTagSuffix string
+		expectedTags  []string
+	}{
+		{
+			name:          "commit push",
+			repoBranch:    "master",
+			commitRef:     "refs/heads/master",
+			autoTagSuffix: "",
+			expectedTags:  []string{"latest"},
+		},
+		{
+			name:          "tag push",
+			repoBranch:    "master",
+			commitRef:     "refs/tags/v1.0.0",
+			autoTagSuffix: "",
+			expectedTags: []string{
+				"1",
+				"1.0",
+				"1.0.0",
+			},
+		},
+		{
+			name:          "beta tag push",
+			repoBranch:    "master",
+			commitRef:     "refs/tags/v1.0.0-beta.1",
+			autoTagSuffix: "",
+			expectedTags: []string{
+				"1.0.0-beta.1",
+			},
+		},
+		{
+			name:          "tag push with suffix",
+			repoBranch:    "master",
+			commitRef:     "refs/tags/v1.0.0",
+			autoTagSuffix: "linux-amd64",
+			expectedTags: []string{
+				"1-linux-amd64",
+				"1.0-linux-amd64",
+				"1.0.0-linux-amd64",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			b := Build{DroneCommitRef: tt.commitRef, DroneRepoBranch: tt.repoBranch, AutoTag: true}
+			if tt.autoTagSuffix != "" {
+				b.AutoTagSuffix = tt.autoTagSuffix
+			}
+			tags, err := b.AutoTags()
+			if err != nil {
+				t.Errorf("Unexpected err %q", err)
+			}
+			if got, want := tags, tt.expectedTags; !cmp.Equal(got, want) {
+				t.Errorf("auto detected tags = %q, wanted = %q", got, want)
+			}
+		})
+	}
+	t.Run("auto-tag cannot be enabled with user provided tags", func(t *testing.T) {
+		b := Build{
+			DroneCommitRef:  "refs/tags/v1.0.0",
+			DroneRepoBranch: "master",
+			AutoTag:         true,
+			Tags:            []string{"v1"},
+		}
+		_, err := b.AutoTags()
+		if err == nil {
+			t.Errorf("Expect error for invalid flags")
+		}
+	})
+}
+
+func TestTarPathValidation(t *testing.T) {
+	tests := []struct {
+		name          string
+		tarPath       string
+		setup         func(string) error
+		cleanup       func(string) error
+		expectSuccess bool
+		privileged    bool
+	}{
+		{
+			name:    "valid_path_privileged",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    true,
+		},
+		{
+			name:    "valid_path_unprivileged",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    false,
+		},
+		{
+			name:          "empty_path",
+			tarPath:       "",
+			setup:         func(path string) error { return nil },
+			cleanup:       func(path string) error { return nil },
+			expectSuccess: false,
+			privileged:    false,
+		},
+		{
+			name:    "relative_path_dots",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Skip privileged tests if not running as root
+			if tt.privileged && os.Getuid() != 0 {
+				t.Skip("Skipping privileged test as not running as root")
+			}
+
+			if err := tt.setup(tt.tarPath); err != nil {
+				t.Fatalf("Setup failed: %v", err)
+			}
+			defer tt.cleanup(tt.tarPath)
+
+			// Determine tar path based on test case
+			var tarPath string
+			tmpDir := os.Getenv("DRONE_WORKSPACE")
+			switch tt.name {
+			case "valid_path_privileged", "valid_path_unprivileged":
+				tarPath = filepath.Join(tmpDir, "test", "image.tar")
+			case "invalid_path_no_permissions":
+				tarPath = "/test/image.tar"
+			case "relative_path_dots":
+				tarPath = filepath.Join("..", "test", "image.tar")
+			default:
+				tarPath = tt.tarPath
+			}
+
+			p := Plugin{
+				Build: Build{
+					TarPath: tarPath,
+				},
+			}
+
+			tarDir := filepath.Dir(p.Build.TarPath)
+			err := os.MkdirAll(tarDir, 0755)
+			if tt.expectSuccess {
+				if err != nil {
+					t.Errorf("Expected directory creation to succeed, got error: %v", err)
+				}
+				if _, err := os.Stat(tarDir); err != nil {
+					t.Errorf("Expected directory to exist after creation, got error: %v", err)
+				}
+			}
+
+			result := getTarPath(p.Build.TarPath)
+			if tt.expectSuccess && result == "" {
+				t.Error("Expected non-empty tar path, got empty string")
+			}
+			if !tt.expectSuccess && result != "" {
+				t.Error("Expected empty tar path, got non-empty string")
+			}
+		})
+	}
+}
+
+func TestSourceTarballPush(t *testing.T) {
+	tests := []struct {
+		name          string
+		sourceTarPath string
+		repo          string
+		autoTag       bool
+		tags          []string
+		commitRef     string
+		repoBranch    string
+		expectedError bool
+		expectedTags  []string
+		mockLoadErr   error
+		mockPushErr   error
+	}{
+		{
+			name:          "empty_repo_fails",
+			sourceTarPath: "/path/to/image.tar",
+			repo:          "",
+			expectedError: true,
+		},
+		{
+			name:          "nonexistent_tarball_fails",
+			sourceTarPath: "/path/that/does/not/exist/image.tar",
+			repo:          "test-repo",
+			expectedError: true,
+		},
+		{
+			name:          "load_image_fails",
+			sourceTarPath: createTestTarball(t),
+			repo:          "test-repo",
+			expectedError: true,
+			mockLoadErr:   fmt.Errorf("load failed"),
+		},
+		{
+			name:          "push_image_fails",
+			sourceTarPath: createTestTarball(t),
+			repo:          "test-repo",
+			expectedError: true,
+			expectedTags:  []string{"latest"},
+			mockPushErr:   fmt.Errorf("push failed"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockPlugin := Plugin{
+				Build: Build{
+					SourceTarPath:   tt.sourceTarPath,
+					Repo:            tt.repo,
+					Tags:            tt.tags,
+					AutoTag:         tt.autoTag,
+					DroneCommitRef:  tt.commitRef,
+					DroneRepoBranch: tt.repoBranch,
+				},
+				LoadImageFromTarball: MockCraneLoad(tt.sourceTarPath, tt.mockLoadErr),
+				PushImageToRegistry:  MockCranePush(tt.mockPushErr),
+			}
+
+			err := mockPlugin.Exec()
+
+			if tt.expectedError {
+				if err == nil {
+					t.Errorf("Expected an error, but got none")
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Unexpected error: %v", err)
+				}
+			}
+		})
+	}
+}
+
+// Helper function to create a test tarball
+func createTestTarball(t *testing.T) string {
+	// Create a temporary directory for the tarball contents
+	tmpDir, err := os.MkdirTemp("", "test-tarball-*")
+	if err != nil {
+		t.Fatalf("Failed to create temp directory: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	// Create a minimal `manifest.json` file with a valid hash
+	manifestPath := filepath.Join(tmpDir, "manifest.json")
+	manifestContent := `[{
+		"Config": "config.json",
+		"RepoTags": ["test-repo:latest"],
+		"Layers": ["layer.tar"]
+	}]`
+	err = os.WriteFile(manifestPath, []byte(manifestContent), 0644)
+	if err != nil {
+		t.Fatalf("Failed to create manifest.json: %v", err)
+	}
+
+	// Create a valid `config.json` file with a dummy hash
+	configPath := filepath.Join(tmpDir, "config.json")
+	configContent := `{
+		"architecture": "amd64",
+		"os": "linux",
+		"rootfs": {
+			"type": "layers",
+			"diff_ids": ["sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
+		}
+	}`
+	err = os.WriteFile(configPath, []byte(configContent), 0644)
+	if err != nil {
+		t.Fatalf("Failed to create config.json: %v", err)
+	}
+
+	// Create a dummy `layer.tar` file
+	layerPath := filepath.Join(tmpDir, "layer.tar")
+	layerFile, err := os.Create(layerPath)
+	if err != nil {
+		t.Fatalf("Failed to create layer.tar: %v", err)
+	}
+	defer layerFile.Close()
+	_, err = layerFile.Write([]byte("dummy layer content"))
+	if err != nil {
+		t.Fatalf("Failed to write to layer.tar: %v", err)
+	}
+
+	// Create a tarball from the temp directory
+	tarballPath := filepath.Join(os.TempDir(), "test-image.tar")
+	tarballFile, err := os.Create(tarballPath)
+	if err != nil {
+		t.Fatalf("Failed to create tarball: %v", err)
+	}
+	defer tarballFile.Close()
+
+	tw := tar.NewWriter(tarballFile)
+	defer tw.Close()
+
+	err = filepath.Walk(tmpDir, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		relPath, _ := filepath.Rel(tmpDir, path)
+		if relPath == "." {
+			return nil
+		}
+
+		header, err := tar.FileInfoHeader(info, path)
+		if err != nil {
+			return err
+		}
+		header.Name = relPath
+
+		if err := tw.WriteHeader(header); err != nil {
+			return err
+		}
+
+		if !info.IsDir() {
+			fileContent, err := os.ReadFile(path)
+			if err != nil {
+				return err
+			}
+			_, err = tw.Write(fileContent)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		t.Fatalf("Failed to write tarball: %v", err)
+	}
+
+	return tarballPath
+}

mock_crane.go

@@ -0,0 +1,71 @@
+package kaniko
+
+import (
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+)
+
+func MockCraneLoad(path string, loadErr error) func(string) (v1.Image, error) {
+	return func(inputPath string) (v1.Image, error) {
+		if loadErr != nil {
+			return nil, loadErr
+		}
+		return &mockImage{}, nil
+	}
+}
+
+func MockCranePush(pushErr error) func(v1.Image, string) error {
+	return func(img v1.Image, dest string) error {
+		if pushErr != nil {
+			return pushErr
+		}
+		return nil
+	}
+}
+
+// mockImage is a mock implementation of v1.Image interface
+type mockImage struct{}
+
+func (m *mockImage) Size() (int64, error) {
+	return 0, nil
+}
+
+func (m *mockImage) RawConfigFile() ([]byte, error) {
+	return nil, nil
+}
+
+func (m *mockImage) Digest() (v1.Hash, error) {
+	return v1.Hash{}, nil
+}
+
+func (m *mockImage) Manifest() (*v1.Manifest, error) {
+	return nil, nil
+}
+
+func (m *mockImage) RawManifest() ([]byte, error) {
+	return nil, nil
+}
+
+func (m *mockImage) LayerByDigest(hash v1.Hash) (v1.Layer, error) {
+	return nil, nil
+}
+
+func (m *mockImage) LayerByDiffID(hash v1.Hash) (v1.Layer, error) {
+	return nil, nil
+}
+
+func (m *mockImage) Layers() ([]v1.Layer, error) {
+	return nil, nil
+}
+
+func (m *mockImage) MediaType() (types.MediaType, error) {
+	return "", nil
+}
+
+func (m *mockImage) ConfigFile() (*v1.ConfigFile, error) {
+	return nil, nil
+}
+
+func (m *mockImage) ConfigName() (v1.Hash, error) {
+	return v1.Hash{}, nil
+}

pkg/artifact/artifact.go

@@ -0,0 +1,77 @@
+package artifact
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+)
+
+const (
+	dockerArtifactV1 string = "docker/v1"
+)
+
+type RegistryTypeEnum string
+
+const (
+	Docker RegistryTypeEnum = "Docker"
+	ECR    RegistryTypeEnum = "ECR"
+	GCR    RegistryTypeEnum = "GCR"
+	GAR    RegistryTypeEnum = "GAR"
+)
+
+type (
+	Image struct {
+		Image  string `json:"image"`
+		Digest string `json:"digest"`
+	}
+	Data struct {
+		RegistryType RegistryTypeEnum `json:"registryType"`
+		RegistryUrl  string           `json:"registryUrl"`
+		Images       []Image          `json:"images"`
+	}
+	DockerArtifact struct {
+		Kind string `json:"kind"`
+		Data Data   `json:"data"`
+	}
+)
+
+func WritePluginArtifactFile(registryType RegistryTypeEnum, artifactFilePath, registryUrl, imageName, digest string, tags []string) error {
+	var images []Image
+	for _, tag := range tags {
+		images = append(images, Image{
+			Image:  fmt.Sprintf("%s:%s", imageName, tag),
+			Digest: digest,
+		})
+	}
+	data := Data{
+		RegistryType: registryType,
+		RegistryUrl:  registryUrl,
+		Images:       images,
+	}
+
+	dockerArtifact := DockerArtifact{
+		Kind: dockerArtifactV1,
+		Data: data,
+	}
+
+	b, err := json.MarshalIndent(dockerArtifact, "", "\t")
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to marshal output %+v", dockerArtifact))
+	}
+
+	dir := filepath.Dir(artifactFilePath)
+	err = os.MkdirAll(dir, 0644)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to create %s directory for artifact file", dir))
+	}
+
+	err = ioutil.WriteFile(artifactFilePath, b, 0644)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to write artifact to artifact file %s", artifactFilePath))
+	}
+	return nil
+}

pkg/artifact/artifact.json

@@ -0,0 +1,17 @@
+{
+	"kind": "docker/v1",
+	"data": {
+		"registryType": "Docker",
+		"registryUrl": "https://index.docker.io/",
+		"images": [
+			{
+				"image": "image:a1",
+				"digest": "sha256:22332233"
+			},
+			{
+				"image": "image:latest",
+				"digest": "sha256:22332233"
+			}
+		]
+	}
+}

pkg/artifact/artifact_test.go

@@ -0,0 +1,38 @@
+package artifact
+
+import (
+	"io/ioutil"
+	"testing"
+)
+
+func TestWritePluginArtifactFile(t *testing.T) {
+
+	testFile := t.TempDir() + "got.json"
+
+	err := WritePluginArtifactFile(Docker, testFile, "https://index.docker.io/", "image", "sha256:22332233", []string{"a1", "latest"})
+	if err != nil {
+		t.Error(err)
+		t.FailNow()
+	}
+
+	gotBytes, err := ioutil.ReadFile(testFile)
+	if err != nil {
+		t.Error(err)
+		t.FailNow()
+	}
+
+	wantBytes, err := ioutil.ReadFile("./artifact.json")
+	if err != nil {
+		t.Error(err)
+		t.FailNow()
+	}
+
+	got := string(gotBytes)
+	want := string(wantBytes)
+
+	if got != want {
+		t.Logf("got:%s", got)
+		t.Logf("want:%s", want)
+		t.FailNow()
+	}
+}

pkg/docker/config.go

@@ -0,0 +1,97 @@
+package docker
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+const (
+	v2HubRegistryURL string = "https://registry.hub.docker.com/v2/"
+	v1RegistryURL    string = "https://index.docker.io/v1/" // Default registry
+	v2RegistryURL    string = "https://index.docker.io/v2/" // v2 registry is not supported
+)
+
+type (
+	Auth struct {
+		Auth string `json:"auth"`
+	}
+
+	Config struct {
+		Auths       map[string]Auth   `json:"auths"`
+		CredHelpers map[string]string `json:"credHelpers,omitempty"`
+	}
+)
+
+type RegistryCredentials struct {
+	Registry string
+	Username string
+	Password string
+}
+
+func NewConfig() *Config {
+	return &Config{
+		Auths:       make(map[string]Auth),
+		CredHelpers: make(map[string]string),
+	}
+}
+
+func (c *Config) SetAuth(registry, username, password string) {
+	authBytes := []byte(username + ":" + password)
+	encodedString := base64.StdEncoding.EncodeToString(authBytes)
+	c.Auths[registry] = Auth{Auth: encodedString}
+}
+
+func (c *Config) SetCredHelper(registry, helper string) {
+	c.CredHelpers[registry] = helper
+}
+
+func (c *Config) CreateDockerConfig(credentials []RegistryCredentials, dockerPath string) error {
+	for _, cred := range credentials {
+		if cred.Registry != "" {
+			// update v2 docker registry to v1
+			if cred.Registry == v2RegistryURL || cred.Registry == v2HubRegistryURL {
+				fmt.Printf("Docker v2 registry '%s' is not supported in kaniko. Refer issue: https://github.com/GoogleContainerTools/kaniko/issues/1209\n", cred.Registry)
+				fmt.Printf("Using v1 registry instead: %s\n", v1RegistryURL)
+				cred.Registry = v1RegistryURL
+			}
+
+			if cred.Username == "" {
+				return fmt.Errorf("Username must be specified for registry: %s", cred.Registry)
+			}
+			if cred.Password == "" {
+				return fmt.Errorf("Password must be specified for registry: %s", cred.Registry)
+			}
+			c.SetAuth(cred.Registry, cred.Username, cred.Password)
+		}
+	}
+	jsonBytes, err := json.Marshal(c)
+	if err != nil {
+		return errors.Wrap(err, "failed to serialize docker config json")
+	}
+	if err := WriteDockerConfig(jsonBytes, dockerPath); err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to write docker config to path: %s", dockerPath))
+	}
+	return nil
+}
+
+func WriteDockerConfig(data []byte, path string) (string error) {
+	err := os.MkdirAll(path, 0600)
+	if err != nil {
+		if !os.IsExist(err) {
+			return errors.Wrap(err, fmt.Sprintf("failed to create %s directory", path))
+		}
+	}
+
+	filePath := path + "/config.json"
+
+	err = ioutil.WriteFile(filePath, data, 0644)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("failed to create docker config file at %s", path))
+	}
+	return nil
+}

pkg/docker/config_test.go

@@ -0,0 +1,55 @@
+package docker
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestConfig(t *testing.T) {
+	c := NewConfig()
+	assert.NotNil(t, c.Auths)
+	assert.NotNil(t, c.CredHelpers)
+
+	c.SetAuth(RegistryV1, "test", "password")
+	expectedAuth := Auth{Auth: "dGVzdDpwYXNzd29yZA=="}
+	assert.Equal(t, expectedAuth, c.Auths[RegistryV1])
+
+	c.SetCredHelper(RegistryECRPublic, "ecr-login")
+	assert.Equal(t, "ecr-login", c.CredHelpers[RegistryECRPublic])
+
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	credentials := []RegistryCredentials{
+		{
+			Registry: "https://index.docker.io/v1/",
+			Username: "user1",
+			Password: "pass1",
+		},
+		{
+			Registry: "gcr.io",
+			Username: "user2",
+			Password: "pass2",
+		},
+	}
+
+	err = c.CreateDockerConfig(credentials, tempDir)
+	assert.NoError(t, err)
+
+	configPath := filepath.Join(tempDir, "config.json")
+	data, err := ioutil.ReadFile(configPath)
+	assert.NoError(t, err)
+
+	var configFromFile Config
+	err = json.Unmarshal(data, &configFromFile)
+	assert.NoError(t, err)
+
+	assert.Equal(t, c.Auths, configFromFile.Auths)
+	assert.Equal(t, c.CredHelpers, configFromFile.CredHelpers)
+}

pkg/docker/constants.go

@@ -0,0 +1,7 @@
+package docker
+
+const (
+	RegistryV1        string = "https://index.docker.io/v1/"
+	RegistryV2        string = "https://index.docker.io/v2/"
+	RegistryECRPublic string = "public.ecr.aws"
+)

pkg/output/output.go

@@ -0,0 +1,18 @@
+package output
+
+import (
+	"github.com/joho/godotenv"
+)
+
+func WritePluginOutputFile(outputFilePath, digest string, pluginTarPath string) error {
+	output := make(map[string]string)
+	if digest != "" {
+		output["digest"] = digest
+	}
+
+	if pluginTarPath != "" {
+		output["IMAGE_TAR_PATH"] = pluginTarPath
+	}
+
+	return godotenv.Write(output, outputFilePath)
+}

pkg/output/output_test.go

@@ -0,0 +1,145 @@
+package output
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestWritePluginOutputFile(t *testing.T) {
+	tests := []struct {
+		name        string
+		outputPath  string
+		digest      string
+		tarPath     string
+		setup       func(string) error
+		cleanup     func(string) error
+		expectError bool
+		privileged  bool
+	}{
+		{
+			name:       "valid_output_privileged",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  true,
+		},
+		{
+			name:       "valid_output_unprivileged",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  false,
+		},
+		{
+			name:       "digest_only",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Skip privileged tests if not running as root
+			if tt.privileged && os.Getuid() != 0 {
+				t.Skip("Skipping privileged test as not running as root")
+			}
+
+			if err := tt.setup(tt.outputPath); err != nil {
+				t.Fatalf("Setup failed: %v", err)
+			}
+			defer tt.cleanup(tt.outputPath)
+
+			tmpDir := os.Getenv("DRONE_WORKSPACE")
+			var outputPath, tarPath string
+			switch tt.name {
+			case "valid_output_privileged", "valid_output_unprivileged":
+				outputPath = filepath.Join(tmpDir, "test", "output.env")
+				tarPath = filepath.Join(tmpDir, "test", "image.tar")
+			case "invalid_output_path":
+				outputPath = filepath.Join("/root", "test", "output.env")
+				tarPath = filepath.Join("/root", "test", "image.tar")
+			case "digest_only":
+				outputPath = filepath.Join(tmpDir, "test", "output.env")
+				tarPath = ""
+			}
+
+			err := os.MkdirAll(filepath.Dir(outputPath), 0755)
+			if err != nil {
+				t.Fatalf("Failed to create output directory: %v", err)
+			}
+
+			err = WritePluginOutputFile(outputPath, tt.digest, tarPath)
+
+			if tt.expectError && err == nil {
+				t.Error("Expected error, got none")
+			}
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error, got: %v", err)
+			}
+
+			if !tt.expectError && err == nil {
+				content, err := os.ReadFile(outputPath)
+				if err != nil {
+					t.Fatalf("Failed to read output file: %v", err)
+				}
+
+				if tt.digest != "" && !contains(string(content), tt.digest) {
+					t.Error("Expected digest in output file")
+				}
+
+				if tarPath != "" && !contains(string(content), tarPath) {
+					t.Error("Expected tar path in output file")
+				}
+			}
+		})
+	}
+}
+
+func contains(content, substring string) bool {
+	return len(substring) > 0 && content != "" && content != "\n" && content != "\r\n"
+}

pkg/tagger/tagger.go

@@ -0,0 +1,95 @@
+// A fork of https://github.com/drone-plugins/drone-docker/blob/master/tags.go
+
+package tagger
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/coreos/go-semver/semver"
+)
+
+// AutoTagsSuffix returns a set of default suggested tags
+// based on the commit ref with an attached suffix.
+func AutoTagsSuffix(ref, suffix string) ([]string, error) {
+	tags, err := AutoTags(ref)
+	if err != nil {
+		return nil, err
+	}
+	if len(suffix) == 0 {
+		return tags, nil
+	}
+	for i, tag := range tags {
+		if tag == "latest" {
+			tags[i] = suffix
+		} else {
+			tags[i] = fmt.Sprintf("%s-%s", tag, suffix)
+		}
+	}
+	return tags, nil
+}
+
+func splitOff(input string, delim string) string {
+	parts := strings.SplitN(input, delim, 2)
+
+	if len(parts) == 2 {
+		return parts[0]
+	}
+
+	return input
+}
+
+// AutoTags returns a set of default suggested tags based on
+// the commit ref.
+func AutoTags(ref string) ([]string, error) {
+	if !strings.HasPrefix(ref, "refs/tags/") {
+		return []string{"latest"}, nil
+	}
+	v := stripTagPrefix(ref)
+	version, err := semver.NewVersion(v)
+	if err != nil {
+		return []string{"latest"}, err
+	}
+	if version.PreRelease != "" || version.Metadata != "" {
+		return []string{
+			version.String(),
+		}, nil
+	}
+
+	v = stripTagPrefix(ref)
+	v = splitOff(splitOff(v, "+"), "-")
+	dotParts := strings.SplitN(v, ".", 3)
+
+	if version.Major == 0 {
+		return []string{
+			fmt.Sprintf("%0*d.%0*d", len(dotParts[0]), version.Major, len(dotParts[1]), version.Minor),
+			fmt.Sprintf("%0*d.%0*d.%0*d", len(dotParts[0]), version.Major, len(dotParts[1]), version.Minor, len(dotParts[2]), version.Patch),
+		}, nil
+	}
+	return []string{
+		fmt.Sprintf("%0*d", len(dotParts[0]), version.Major),
+		fmt.Sprintf("%0*d.%0*d", len(dotParts[0]), version.Major, len(dotParts[1]), version.Minor),
+		fmt.Sprintf("%0*d.%0*d.%0*d", len(dotParts[0]), version.Major, len(dotParts[1]), version.Minor, len(dotParts[2]), version.Patch),
+	}, nil
+}
+
+// UseAutoTag for keep only default branch for latest tag.
+func UseAutoTag(ref, defaultBranch string) bool {
+	if strings.HasPrefix(ref, "refs/tags/") {
+		return true
+	}
+	if stripHeadPrefix(ref) == defaultBranch {
+		return true
+	}
+	return false
+}
+
+func stripHeadPrefix(ref string) string {
+	return strings.TrimPrefix(ref, "refs/heads/")
+}
+
+func stripTagPrefix(ref string) string {
+	ref = strings.TrimPrefix(ref, "refs/tags/")
+	ref = strings.TrimPrefix(ref, "v")
+	return ref
+}

pkg/tagger/tagger_test.go

@@ -0,0 +1,199 @@
+// A fork of https://github.com/drone-plugins/drone-docker/blob/master/tags_test.go
+
+package tagger
+
+import (
+	"reflect"
+	"testing"
+)
+
+func Test_stripTagPrefix(t *testing.T) {
+	var tests = []struct {
+		Before string
+		After  string
+	}{
+		{"refs/tags/1.0.0", "1.0.0"},
+		{"refs/tags/v1.0.0", "1.0.0"},
+		{"v1.0.0", "1.0.0"},
+	}
+
+	for _, test := range tests {
+		got, want := stripTagPrefix(test.Before), test.After
+		if got != want {
+			t.Errorf("Got tag %s, want %s", got, want)
+		}
+	}
+}
+
+func TestAutoTags(t *testing.T) {
+	var tests = []struct {
+		Before string
+		After  []string
+	}{
+		{"", []string{"latest"}},
+		{"refs/heads/master", []string{"latest"}},
+		{"refs/tags/0.9.0", []string{"0.9", "0.9.0"}},
+		{"refs/tags/1.0.0", []string{"1", "1.0", "1.0.0"}},
+		{"refs/tags/v1.0.0", []string{"1", "1.0", "1.0.0"}},
+		{"refs/tags/v1.0.0-alpha.1", []string{"1.0.0-alpha.1"}},
+	}
+
+	for _, test := range tests {
+		tags, err := AutoTags(test.Before)
+		if err != nil {
+			t.Error(err)
+			continue
+		}
+		got, want := tags, test.After
+		if !reflect.DeepEqual(got, want) {
+			t.Errorf("Got tag %v, want %v", got, want)
+		}
+	}
+}
+
+func TestAutoTagsError(t *testing.T) {
+	var tests = []string{
+		"refs/tags/x1.0.0",
+		"refs/tags/20190203",
+	}
+
+	for _, test := range tests {
+		_, err := AutoTags(test)
+		if err == nil {
+			t.Errorf("Expect tag error for %s", test)
+		}
+	}
+}
+
+func TestAutoTagsSuffix(t *testing.T) {
+	var tests = []struct {
+		Before string
+		Suffix string
+		After  []string
+	}{
+		// without suffix
+		{
+			After: []string{"latest"},
+		},
+		{
+			Before: "refs/tags/v1.0.0",
+			After: []string{
+				"1",
+				"1.0",
+				"1.0.0",
+			},
+		},
+		// with suffix
+		{
+			Suffix: "linux-amd64",
+			After:  []string{"linux-amd64"},
+		},
+		{
+			Before: "refs/tags/v1.0.0",
+			Suffix: "linux-amd64",
+			After: []string{
+				"1-linux-amd64",
+				"1.0-linux-amd64",
+				"1.0.0-linux-amd64",
+			},
+		},
+		{
+			Suffix: "nanoserver",
+			After:  []string{"nanoserver"},
+		},
+		{
+			Before: "refs/tags/v1.9.2",
+			Suffix: "nanoserver",
+			After: []string{
+				"1-nanoserver",
+				"1.9-nanoserver",
+				"1.9.2-nanoserver",
+			},
+		},
+		{
+			Before: "refs/tags/v18.06.0",
+			Suffix: "nanoserver",
+			After: []string{
+				"18-nanoserver",
+				"18.06-nanoserver",
+				"18.06.0-nanoserver",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		tag, err := AutoTagsSuffix(test.Before, test.Suffix)
+		if err != nil {
+			t.Error(err)
+			continue
+		}
+		got, want := tag, test.After
+		if !reflect.DeepEqual(got, want) {
+			t.Errorf("Got tag %v, want %v", got, want)
+		}
+	}
+}
+
+func Test_stripHeadPrefix(t *testing.T) {
+	type args struct {
+		ref string
+	}
+	tests := []struct {
+		args args
+		want string
+	}{
+		{
+			args: args{
+				ref: "refs/heads/master",
+			},
+			want: "master",
+		},
+	}
+	for _, tt := range tests {
+		if got := stripHeadPrefix(tt.args.ref); got != tt.want {
+			t.Errorf("stripHeadPrefix() = %v, want %v", got, tt.want)
+		}
+	}
+}
+
+func TestUseAutoTag(t *testing.T) {
+	type args struct {
+		ref           string
+		defaultBranch string
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "latest tag for default branch",
+			args: args{
+				ref:           "refs/heads/master",
+				defaultBranch: "master",
+			},
+			want: true,
+		},
+		{
+			name: "build from tags",
+			args: args{
+				ref:           "refs/tags/v1.0.0",
+				defaultBranch: "master",
+			},
+			want: true,
+		},
+		{
+			name: "skip build for not default branch",
+			args: args{
+				ref:           "refs/heads/develop",
+				defaultBranch: "master",
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		if got := UseAutoTag(tt.args.ref, tt.args.defaultBranch); got != tt.want {
+			t.Errorf("%q. UseAutoTag() = %v, want %v", tt.name, got, tt.want)
+		}
+	}
+}

pkg/utils/custom_string_slice.go

@@ -0,0 +1,36 @@
+package utils
+
+import (
+	"strings"
+)
+
+// CustomStringSliceFlag is like a regular StringSlice flag but with
+// semicolon as a delimiter
+type CustomStringSliceFlag struct {
+	Value []string
+}
+
+// GetValue returns the slice of strings stored in the flag
+func (f *CustomStringSliceFlag) GetValue() []string {
+	if f.Value == nil {
+		return make([]string, 0)
+	}
+	return f.Value
+}
+
+// String returns a string representation of the flag
+func (f *CustomStringSliceFlag) String() string {
+	if f.Value == nil {
+		return ""
+	}
+	return strings.Join(f.Value, ";")
+}
+
+// Set sets the value of the flag from a string
+func (f *CustomStringSliceFlag) Set(v string) error {
+	for _, s := range strings.Split(v, ";") {
+		s = strings.TrimSpace(s)
+		f.Value = append(f.Value, s)
+	}
+	return nil
+}

scripts/build.sh

@@ -10,14 +10,20 @@ set -e
 set -x
 
 # linux
-GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gcr
-GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-ecr
-GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-docker
+GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gcr    ./cmd/kaniko-gcr
+GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-acr    ./cmd/kaniko-acr
+GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-ecr    ./cmd/kaniko-ecr
+GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
+GOOS=linux GOARCH=amd64 go build -o release/linux/amd64/kaniko-gar    ./cmd/kaniko-gar
 
-GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gcr
-GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-ecr
-GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-docker
+GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gcr    ./cmd/kaniko-gcr
+GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-acr    ./cmd/kaniko-acr
+GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-ecr    ./cmd/kaniko-ecr
+GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-docker ./cmd/kaniko-docker
+GOOS=linux GOARCH=arm64 go build -o release/linux/arm64/kaniko-gar    ./cmd/kaniko-gar
 
-GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-gcr
-GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-ecr
-GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-docker
+GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-gcr      ./cmd/kaniko-gcr
+GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-acr      ./cmd/kaniko-acr
+GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-ecr      ./cmd/kaniko-ecr
+GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-docker   ./cmd/kaniko-docker
+GOOS=linux GOARCH=arm   go build -o release/linux/arm/kaniko-gar      ./cmd/kaniko-gar

scripts/docker.sh

@@ -14,11 +14,13 @@ set -e
 set -x
 
 # build the binary
-go build -o release/linux/amd64/kaniko-gcr
-go build -o release/linux/amd64/kaniko-ecr
-go build -o release/linux/amd64/kaniko-docker
+go build -o release/linux/amd64/kaniko-gcr    ./cmd/kaniko-gcr
+go build -o release/linux/amd64/kaniko-gar    ./cmd/kaniko-gar
+go build -o release/linux/amd64/kaniko-ecr    ./cmd/kaniko-ecr
+go build -o release/linux/amd64/kaniko-docker ./cmd/kaniko-docker
 
 # build the docker image
 docker build -f docker/gcr/Dockerfile.linux.amd64    -t plugins/kaniko-gcr .
+docker build -f docker/gar/Dockerfile.linux.amd64    -t plugins/kaniko-gar .
 docker build -f docker/ecr/Dockerfile.linux.amd64    -t plugins/kaniko-ecr .
 docker build -f docker/docker/Dockerfile.linux.amd64 -t plugins/kaniko .