Move credentials after build dependencies, controlled by calibanconfig

[sritchie]

Dependencies are much more expensive to change than credentials. This PR moves the credential injection after dependency fetching.

This is a decent idea, I think, BUT it has a problem. If you have private dependencies in a google Source Cloud Repository, you need the credentials to come before the pip install so that git can use gcloud for authentication.

@ajslone , I'm going to vote that we:

• make this change here, but only after
• we add a setting in .calibanconfig.json that allows you to move this earlier if you need it there.

I am a little worried at configuration options starting to increase. What do you think?

[codecov]

Codecov Report

Merging #10 into master will decrease coverage by 0.09%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master      #10      +/-   ##
==========================================
- Coverage   43.73%   43.64%   -0.10%     
==========================================
  Files          20       20              
  Lines        3114     3114              
==========================================
- Hits         1362     1359       -3     
- Misses       1752     1755       +3     

Impacted Files	Coverage Δ
caliban/docker.py	25.32% <0.00%> (ø)
caliban/gke/utils.py	73.38% <0.00%> (-1.15%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4fbfe5f...dfe6948. Read the comment docs.

[ajslone]

This seems like the right thing to do, but I hear your concerns over over-configurability and its impact on usability. I'd say that as long as there are rational defaults, and there is some way to keep a persistent configuration then this should be ok.