authn.kubernetes.Resolve now behaves exactly like Kubernetes

[dprotaso]

Prior we weren't matching host names and partial paths properly

This was breaking Gitlab and Azure tag to digest resolution in Knative (knative/serving#12761)

[dprotaso]

I think I need to pull the first commit into a separate PR since I need to bump the ggcr version in the kubernetes/go.mod

Otherwise the kubernetes pkg won't pull the right ggcr min version containing the new json marshalling helpers.

[dprotaso]

Step 1: #1350

Will rebase this PR with go.mod updates

[imjasonh]

Should we promote this extra fuzzy URL matching to match k8s' behavior up to pkg/authn and use it for all Docker config handling?

Thanks so much for doing this investigation and work @dprotaso, you're a rockstar 👨‍🎤 ❤️

[dprotaso]

Should we promote this extra fuzzy URL matching to match k8s' behavior up to pkg/authn and use it for all Docker config handling?

I was wondering if the fuzzy matching is only a k8s behaviour or is that a docker config convention? I would do it in a separate PR if it's not K8s convention.

[codecov-commenter]

Codecov Report

Merging #1349 (8c468cd) into main (f1b7291) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1349   +/-   ##
=======================================
  Coverage   74.19%   74.19%           
=======================================
  Files         113      113           
  Lines        8439     8439           
=======================================
  Hits         6261     6261           
  Misses       1574     1574           
  Partials      604      604           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f1b7291...8c468cd. Read the comment docs.

[dprotaso]

Also note - unit/build tests don't work in nested modules since ./... only applies to all packages in the current module

go-containerregistry/.github/workflows/test.yaml

Line 25 in f1b7291

- run: go test -coverprofile=coverage.txt -covermode=atomic -race ./...

Realized this here (gopher slack): https://gophers.slack.com/archives/C9BMAAFFB/p1649939462805589

[dprotaso]

Unit test failure seems unrelated

--- FAIL: TestWriteIndex_Progress (2.28s)
    progress_test.go:193: saw progress revert: was high of 2659099, saw 2524410

https://github.com/google/go-containerregistry/runs/6024983982?check_suite_focus=true#step:4:715

[dprotaso]

presubmit looks legit - looking into that

[dprotaso]

After this I need to bump the k8schain/go.mod with the pkg/authn/kubernetes sha (in a separate PR)

[imjasonh]

I was wondering if the fuzzy matching is only a k8s behaviour or is that a docker config convention? I would do it in a separate PR if it's not K8s convention.

Sounds like it's just K8s' version, but it seems useful to apply Postel's law here and everywhere. Maybe this means we can drop (some of?) our dep from pkg/authn -> docker/cli, and things like this:

go-containerregistry/pkg/authn/keychain.go

Line 126 in f1b7291

cfg, err = cf.GetAuthConfig(key)

(not for this PR, just something to consider in the future)

[dprotaso]

(not for this PR, just something to consider in the future)

👍