Authenticate to registries when pulling images

When we attempt to pull images, use authentication secrets, if we can
find some that match.  We special-case docker.io and locations that end
in .docker.io to also check for authentication information tagged for
either docker.io, index.docker.io, or https://index.docker.io/v1/.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Author: nalind

cmd/imagebuilder/imagebuilder.go

@@ -8,6 +8,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/docker/distribution/reference"
 	dockertypes "github.com/docker/docker/api/types"
 	docker "github.com/fsouza/go-dockerclient"
 	"k8s.io/klog"
@@ -87,7 +88,58 @@ func main() {
 	options.TransientMounts = mounts
 
 	options.Out, options.ErrOut = os.Stdout, os.Stderr
+	authConfigurations, err := docker.NewAuthConfigurationsFromDockerCfg()
+	if err != nil {
+		log.Fatalf("reading authentication configurations: %v", err)
+	}
+	if authConfigurations == nil {
+		klog.V(4).Infof("No authentication secrets found")
+	}
+
 	options.AuthFn = func(name string) ([]dockertypes.AuthConfig, bool) {
+		if authConfigurations != nil {
+			if authConfig, ok := authConfigurations.Configs[name]; ok {
+				klog.V(4).Infof("Found authentication secret for registry %q", name)
+				return []dockertypes.AuthConfig{{
+					Username:      authConfig.Username,
+					Password:      authConfig.Password,
+					Email:         authConfig.Email,
+					ServerAddress: authConfig.ServerAddress,
+				}}, true
+			}
+			if named, err := reference.ParseNormalizedNamed(name); err == nil {
+				domain := reference.Domain(named)
+				if authConfig, ok := authConfigurations.Configs[domain]; ok {
+					klog.V(4).Infof("Found authentication secret for registry %q", domain)
+					return []dockertypes.AuthConfig{{
+						Username:      authConfig.Username,
+						Password:      authConfig.Password,
+						Email:         authConfig.Email,
+						ServerAddress: authConfig.ServerAddress,
+					}}, true
+				}
+				if domain == "docker.io" || strings.HasSuffix(domain, ".docker.io") {
+					var auths []dockertypes.AuthConfig
+					for _, aka := range []string{"docker.io", "index.docker.io", "https://index.docker.io/v1/"} {
+						if aka == domain {
+							continue
+						}
+						if authConfig, ok := authConfigurations.Configs[aka]; ok {
+							klog.V(4).Infof("Found authentication secret for registry %q", aka)
+							auths = append(auths, dockertypes.AuthConfig{
+								Username:      authConfig.Username,
+								Password:      authConfig.Password,
+								Email:         authConfig.Email,
+								ServerAddress: authConfig.ServerAddress,
+							})
+						}
+					}
+					if len(auths) > 0 {
+						return auths, true
+					}
+				}
+			}
+		}
 		return nil, false
 	}
 	options.LogFn = func(format string, args ...interface{}) {

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/containerd/containerd v1.3.0
 	github.com/containers/storage v0.0.0-20181207174215-bf48aa83089d
+	github.com/docker/distribution v2.7.1+incompatible
 	github.com/docker/docker v1.4.2-0.20170829193243-b68221c37ee5
 	github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df // indirect
 	github.com/docker/go-units v0.3.4-0.20181030082039-2fb04c6466a5 // indirect
@@ -20,7 +21,7 @@ require (
 	github.com/opencontainers/runc v1.0.0-rc6.0.20190305074555-923a8f8a9a07 // indirect
 	github.com/pkg/errors v0.8.2-0.20190227000051-27936f6d90f9
 	github.com/pquerna/ffjson v0.0.0-20171002144729-d49c2bc1aa13 // indirect
-	github.com/sirupsen/logrus v1.3.1-0.20190306131408-d7b6bf5e4d26 // indirect
+	github.com/sirupsen/logrus v1.3.1-0.20190306131408-d7b6bf5e4d26
 	github.com/stretchr/testify v1.6.1
 	golang.org/x/crypto v0.0.0-20190103213133-ff983b9c42bc // indirect
 	golang.org/x/net v0.0.0-20190107210223-45ffb0cd1ba0 // indirect

go.sum

@@ -11,6 +11,8 @@ github.com/containers/storage v0.0.0-20181207174215-bf48aa83089d/go.mod h1:+RirK
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
+github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v1.4.2-0.20170829193243-b68221c37ee5 h1:2iTeIddeUKUPxzR4/Gy35WsvRk79n5sUA+g8RHKU4tc=
 github.com/docker/docker v1.4.2-0.20170829193243-b68221c37ee5/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df h1:cGbd/ECh4QPOc6+Tbvdk5NjCcOYESiwc1RjXp0XciVg=

vendor/github.com/docker/distribution/LICENSE

@@ -21,6 +21,9 @@ github.com/containers/storage/pkg/system
 github.com/containers/storage/pkg/mount
 # github.com/davecgh/go-spew v1.1.1
 github.com/davecgh/go-spew/spew
+# github.com/docker/distribution v2.7.1+incompatible
+github.com/docker/distribution/reference
+github.com/docker/distribution/digestset
 # github.com/docker/docker v1.4.2-0.20170829193243-b68221c37ee5
 github.com/docker/docker/api/types
 github.com/docker/docker/pkg/system