Skip to content

feat: enable authenticated pulls #1580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: enable authenticated pulls #1580

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c255c88
fix authenticated pulls
bluestealth May 9, 2025
c0f452f
Update pkg/runtimes/docker/container.go
bluestealth May 13, 2025
d2befe5
Merge branch 'main' into registryCreds
bluestealth Jul 11, 2025
0ef7c11
Merge branch 'main' into registryCreds
iwilltry42 Oct 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ require (
github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dimchansky/utfbom v1.1.1 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/distribution/reference v0.6.0
github.com/docker/cli v28.3.1+incompatible
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v28.3.1+incompatible
Expand Down
39 changes: 38 additions & 1 deletion pkg/runtimes/docker/container.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,10 +27,15 @@ import (
"fmt"
"io"

"github.com/distribution/reference"
dockerconfig "github.com/docker/cli/cli/config"
dockerconfigfile "github.com/docker/cli/cli/config/configfile"
dockerconfigtypes "github.com/docker/cli/cli/config/types"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/filters"
dockerimage "github.com/docker/docker/api/types/image"
registrytypes "github.com/docker/docker/api/types/registry"
"github.com/docker/docker/client"
l "github.com/k3d-io/k3d/v5/pkg/logger"
k3d "github.com/k3d-io/k3d/v5/pkg/types"
Expand Down Expand Up @@ -104,9 +109,41 @@ func removeContainer(ctx context.Context, ID string) error {
return nil
}

// resolveAuth gets registry authentication configuration for an image
func resolveAuth(image string) (authConfig registrytypes.AuthConfig, err error) {
var ref reference.Named
var config *dockerconfigfile.ConfigFile
var dockerAuthConfig dockerconfigtypes.AuthConfig
if ref, err = reference.ParseNormalizedNamed(image); err != nil {
return
}
authKey := reference.Domain(ref)
if authKey == "docker.io" || authKey == "index.docker.io" {
authKey = "https://index.docker.io/v1/"
}
Comment on lines +121 to +123
Copy link

Copilot AI Sep 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The hardcoded registry URL transformation should be extracted into a constant or helper function for better maintainability. Consider defining const DockerHubAuthKey = \"https://index.docker.io/v1/\" at the package level.

Copilot uses AI. Check for mistakes.
if config, err = dockerconfig.Load(dockerconfig.Dir()); err != nil {
return
}
if dockerAuthConfig, err = config.GetAuthConfig(authKey); err != nil {
return
}
authConfig = registrytypes.AuthConfig(dockerAuthConfig)
return
}

// pullImage pulls a container image and outputs progress if --verbose flag is set
func pullImage(ctx context.Context, docker client.APIClient, image string) error {
resp, err := docker.ImagePull(ctx, image, dockerimage.PullOptions{})
authConfig, err := resolveAuth(image)
if err != nil {
l.Log().Warnf("Failed to get auth: %v", err)
}
encoded, err := registrytypes.EncodeAuthConfig(authConfig)
if err != nil {
l.Log().Warnf("Failed to encode auth: %v", err)
Comment on lines +138 to +142
Copy link

Copilot AI Sep 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When resolveAuth fails, the code continues with a potentially invalid authConfig struct. Similarly, when EncodeAuthConfig fails, the code continues with a potentially invalid encoded value. Consider using empty/default values or returning early on critical authentication failures to ensure predictable behavior.

Suggested change
l.Log().Warnf("Failed to get auth: %v", err)
}
encoded, err := registrytypes.EncodeAuthConfig(authConfig)
if err != nil {
l.Log().Warnf("Failed to encode auth: %v", err)
return fmt.Errorf("failed to get auth: %w", err)
}
encoded, err := registrytypes.EncodeAuthConfig(authConfig)
if err != nil {
return fmt.Errorf("failed to encode auth: %w", err)

Copilot uses AI. Check for mistakes.
}
resp, err := docker.ImagePull(ctx, image, dockerimage.PullOptions{
RegistryAuth: encoded,
})
if err != nil {
return fmt.Errorf("docker failed to pull the image '%s': %w", image, err)
}
Expand Down