Description
The --k8s-keychain flag (e.g., in cosign sign) is "whether to use the kubernetes keychain instead of the default keychain (supports workload identity)."
This is a bit of a misnomer, since "the kubernetes keychain" as a term isn't particularly well defined, and because what I believe it means is, "the common set of cloud auth helpers that can be included in Kubernetes (i.e., GCP, AWS, Azure)", and in actuality, the flag enables a number of auth helpers that aren't exactly that set of "kubernetes auth helpers":
cosign/cmd/cosign/cli/options/registry.go
Lines 83 to 89 in 516cc39
Along with GCP, AWS and Azure, this set includes the GHCR auth helper, and with #2007 this keychain will also include an Alibaba helper.
I propose changing this flag to something like --workload-identity (ideas welcome!) or at least improve docs to clarify what it does.