Support short-term access tokens instead of json key for gcr

[majelbstoat]

Per Gitter conversation: https://gitter.im/datawire/forge?at=5a7916cbce68c3bc744d7ad6

Jamie Talbot @majelbstoat
for google container registry, is there a way not to require a json key in favour of a 
short-term access token that's downloaded on the fly? would rather not have keys 
stored anywhere for too long a time.

Rafael Schloming @rhs 18:48
@majelbstoat there isn't currently, but if you file an issue I can look into that

[majelbstoat]

If it helps, this is what I do to make kubectl work with gcr.io in the same way:

kubectl create secret docker-registry gcr \
  --docker-server=https://gcr.io \
  --docker-username=oauth2accesstoken \
  --docker-password="$(gcloud auth print-access-token)" \
  --docker-email=me@myemail.com

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gcr"}]}'

[rhs]

I've made the key optional in forge 0.4.0. If you omit the key for a gcr registry, then forge will automatically use gcloud auth print-access-token for the password. (You will need to run gcloud auth login or gcloud auth activate-service-account prior to running forge.)