Support multiple credentials per registry

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+- Add support for multiple credentials per-registry
+  - Image resource will match on the longest case match by default
+  - Credentials to use can be explicitly set by `:repo_credential_override`
+
 ## 11.9.2 - *2025-02-02*
 
 ## 11.9.1 - *2025-02-01*

resources/image.rb

@@ -10,6 +10,7 @@
 property :nocache, [true, false], default: false
 property :noprune, [true, false], default: false
 property :repo, String, name_property: true
+property :repo_credential_override, String
 property :rm, [true, false], default: true
 property :source, String
 property :tag, String, default: 'latest'
@@ -140,7 +141,7 @@ def import_image
 
   def pull_image
     with_retries do
-      creds = credentails
+      creds = credentials
       original_image = Docker::Image.get(image_identifier, {}, connection) if Docker::Image.exist?(image_identifier, {}, connection)
       new_image = Docker::Image.create({ 'fromImage' => image_identifier }, creds, connection)
 
@@ -150,7 +151,7 @@ def pull_image
 
   def push_image
     with_retries do
-      creds = credentails
+      creds = credentials
       i = Docker::Image.get(image_identifier, {}, connection)
       i.push(creds, repo_tag: image_identifier)
     end
@@ -175,8 +176,25 @@ def load_image
     end
   end
 
-  def credentails
+  def credentials
+    return new_resource.repo_credential_override unless new_resource.repo_credential_override.nil? || new_resource.repo_credential_override.empty?
+
     registry_host = parse_registry_host(new_resource.repo)
-    node.run_state['docker_auth'] && node.run_state['docker_auth'][registry_host] || {}
+    # Return unless we have credentials stored and we have a custom repo path
+    return registry_host unless registry_host.include?('/') && node.run_state.key?('docker_auth')
+
+    # Longest-path registry credentials match
+    registry_host = nil
+    registry_split = new_resource.repo.split('/')
+    join_count = registry_split.count
+
+    until registry_host || (join_count < 0)
+      join_count -= 1
+      registry_host = registry_split[0..join_count].join('/') if node.run_state['docker_auth'].key?(registry_split[0..join_count].join('/'))
+    end
+
+    return {} unless registry_host
+
+    node.run_state.dig('docker_auth', registry_host) || {}
   end
 end

resources/partial/_base.rb

@@ -129,10 +129,10 @@ def parse_registry_host(val)
     #   domain.ext/image         (=> 3rd party registry)
     #   domain.ext/.../image     (=> 3rd party registry)
     #
-    first_part = val.sub(%r{https?://}, '').split('/').first
+    registry = val.sub(%r{https?://}, '')
 
     # looks like a host name of a custom docker registry
-    return first_part if first_part.include?('.')
+    return registry if registry.include?('.')
 
     # default host
     'index.docker.io'