Actual behavior
I tried to use --tarPath where the base image is in gcr.io, which will cause it to try to authenticate to gcr.io even for public images.
Update: the issue is more widespread. It's an issue also when you're not using --tarPath, for example if you were using a local registry and are not authenticated with gcr.
Expected behavior
Base images in gcr.io shouldn't need authentication.
To Reproduce
Steps to reproduce the behavior:
Run the following and watch it fail:
cd GoogleContainerTools/kaniko
docker run \
  -v "$(pwd)":/workspace gcr.io/kaniko-project/executor:latest \
  --dockerfile=/workspace/integration/dockerfiles/Dockerfile_test_cmd --context=dir:///workspace/integration \
  --no-push --tarPath /workspace/test_add.tar --force
This will also fail if you have a Docker registry running on localhost:5000:
docker run \
  --net=host -v "$(pwd)":/workspace gcr.io/kaniko-project/executor:latest \
  --dockerfile=/workspace/integration/dockerfiles/Dockerfile_test_add --context=dir:///workspace/integration \
  --destination=localhost:5000/kaniko-test --force
INFO[0000] Resolved base name gcr.io/google-appengine/debian9@sha256:1d6a9a6d106bd795098f60f4abb7083626354fa6735e81743c7f8cfca11259f0 to gcr.io/google-appengine/debian9@sha256:1d6a9a6d106bd795098f60f4abb7083626354fa6735e81743c7f8cfca11259f0
INFO[0000] Using dockerignore file: /workspace/integration/.dockerignore
INFO[0000] Resolved base name gcr.io/google-appengine/debian9@sha256:1d6a9a6d106bd795098f60f4abb7083626354fa6735e81743c7f8cfca11259f0 to gcr.io/google-appengine/debian9@sha256:1d6a9a6d106bd795098f60f4abb7083626354fa6735e81743c7f8cfca11259f0
INFO[0000] Image gcr.io/google-appengine/debian9@sha256:1d6a9a6d106bd795098f60f4abb7083626354fa6735e81743c7f8cfca11259f0 not found in cache
INFO[0000] Retrieving image manifest gcr.io/google-appengine/debian9@sha256:1d6a9a6d106bd795098f60f4abb7083626354fa6735e81743c7f8cfca11259f0
error building image: Get https://gcr.io/v2/token?scope=repository%3Agoogle-appengine%2Fdebian9%3Apull&service=gcr.io: invoking docker-credential-gcr: exit status 1; output: docker-credential-gcr/helper: could not retrieve GCR's access token: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
Additional Information
Kaniko Image (fully qualified with digest): gcr.io/kaniko-project/executor
e90df5b891a7