[Proposal] Embed credentials helper to simplify push / pull process #125

Open
b4nst opened this issue Jun 16, 2023 · 3 comments

Comments

@b4nst
Contributor

b4nst commented Jun 16, 2023

Currently in order to push / pull an image from Google Artifact Registry, we have to use GoogleCloudPlatform/docker-credential-gcr to generate the proper ~/.docker/config.json.
It works but there's a simpler UX solution: using the helper directly.

It's done by Kaniko for example:

https://github.com/GoogleContainerTools/kaniko/blob/eea12bd0259c37f04443cca47f4aac3bf82d8c31/tools/tools.go#L25-L27

@stefanprodan
Owner

stefanprodan commented Jul 8, 2023

Is the machine where you're running Timoni in GCP? If so, we can add --oidc-provider gcp|aws|azure to all commands and Timoni will use context-based authorization to request a token for the machine's IAM role.

PS. The OIDC auth for Google Artifact Registry, ECR and ACR is already implemented in fluxcd/pkg/oci, we just need to wire it to a flag.

@b4nst
Contributor Author

b4nst commented Jul 10, 2023

Ah, didn't try passing the flag. Indeed I dived (after creating the issue) into the code and saw we were using fluxcd/pkg/oci. I was wondering if there's a reason behind the use of this library instead of github.com/google/go-containerregistry (used under the hood).
I was about to start a refactoring, then thought there might be a rationale behind that decision (maybe because of the link between timoni and flux).
The nice thing about go-containerregistry is the existence of multi keychain auth. Using that you can get rid of any CLI arg, and push to multiple providers. UX is better imo.
I did not find any use of NewMultiKeychain in fluxcd/pkg/oci but didn't dive a lot either tbh.

@stefanprodan
Owner

How is go-containerregistry implementing OIDC login and token refresh? In Flux we do it here https://github.com/fluxcd/pkg/blob/main/oci/auth/login/login.go#L127

As for UX, I prefer to explicitly tell the tool which auth method to use, instead of magically trying to mix OIDC with existing docker configs.
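To make the two options in this thread concrete (the multi-keychain resolution b4nst describes and the explicit provider selection stefanprodan prefers), here is an added illustration that is not code from Timoni, fluxcd/pkg/oci or go-containerregistry. The keychain types, the docker config entries and the token values are constructed stand-ins that re-implement the first-match rule rather than importing the library, so it runs offline.

```go
package main

import "strings"

// Authenticator is the credential a keychain hands back for one registry host.
type Authenticator struct{ Username, Password string }

// Keychain resolves a registry host to credentials, or nil when it has none.
type Keychain interface{ Resolve(registry string) *Authenticator }

// dockerConfig models the "auths" map of ~/.docker/config.json (constructed data).
type dockerConfig map[string]Authenticator
func (d dockerConfig) Resolve(reg string) *Authenticator {
	if a, ok := d[reg]; ok {
		return &a
	}
	return nil
}

// cloudKeychain stands in for a provider helper (GCR/ECR/ACR) that answers only for
// its registry suffix; a real helper would mint a short-lived token here.
type cloudKeychain struct{ provider, suffix, user, token string }
func (c cloudKeychain) Resolve(reg string) *Authenticator {
	if strings.HasSuffix(reg, c.suffix) {
		return &Authenticator{Username: c.user, Password: c.token}
	}
	return nil
}

// multiKeychain returns the first answer it finds, the first-match rule of
// go-containerregistry's NewMultiKeychain (re-implemented here, not imported).
type multiKeychain []Keychain
func (m multiKeychain) Resolve(reg string) *Authenticator {
	for _, k := range m { // order decides whether a stale docker entry shadows a helper
		if a := k.Resolve(reg); a != nil {
			return a
		}
	}
	return nil // anonymous
}

// explicitKeychain is the --oidc-provider style: one named provider, no docker config fallback.
func explicitKeychain(provider string, helpers ...cloudKeychain) Keychain {
	for _, h := range helpers {
		if h.provider == provider {
			return h
		}
	}
	return multiKeychain{} // unknown provider resolves to anonymous
}
```

The shadowing case is the one worth checking: a stale config.json entry listed before the cloud helper wins silently under first-match, whereas the explicit form either uses the named provider or fails to anonymous.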
