If a single tag is explicitly set (i.e. it's not "latest"), include that
in the reference that gets rendered in the yaml.
This is really useful for tracking releases.
When ko is invoked in this mode, import paths must have the `ko://`
prefix. If a human marks an import path with `ko://` and ko can't
resolve the resulting import path, it fails. In "loose mode", such an
import path would be silently ignored and passed on to the resolved
YAML, often resulting in invalid image names (e.g., `image:
github.com/foo/bar`)
In loose mode, `ko://` prefixes are always ignored for
backward-compatibility.
Why this is necessary: when using a local docker registry, users may not
want to support https, or there may be other troubles not allowing
verifiable TLS support.
This commit adds this functionality by adding an `--insecure-registry`
flag.
