feat(image): introduce WithCredentials* to select how pull credentials are retrieved

Signed-off-by: Nicolas De Loof <[email protected]>

Author: ndeloof

image/options.go

@@ -2,8 +2,10 @@ package image
 
 import (
 	"errors"
+	"fmt"
 	"io"
 
+	"github.com/docker/go-sdk/config"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 
 	"github.com/docker/docker/api/types/build"
@@ -39,9 +41,41 @@ func WithBuildOptions(options build.ImageBuildOptions) BuildOption {
 type PullOption func(*pullOptions) error
 
 type pullOptions struct {
-	pullClient  ImagePullClient
-	pullOptions image.PullOptions
-	pullHandler func(r io.ReadCloser) error
+	pullClient    ImagePullClient
+	pullOptions   image.PullOptions
+	pullHandler   func(r io.ReadCloser) error
+	credentialsFn func(string) (string, string, error)
+}
+
+// WithCredentialsFn set the function to retrieve credentials for an image to be pulled
+func WithCredentialsFn(credentialsFn func(string) (string, string, error)) PullOption {
+	return func(opts *pullOptions) error {
+		opts.credentialsFn = credentialsFn
+		return nil
+	}
+}
+
+// WithCredentialsFromConfig configures pull to retrieve credentials from the CLI config
+func WithCredentialsFromConfig() PullOption {
+	return func(opts *pullOptions) error {
+		opts.credentialsFn = func(imageName string) (string, string, error) {
+			authConfigs, err := config.AuthConfigs(imageName)
+			if err != nil {
+				return "", "", err
+			}
+
+			// there must be only one auth config for the image
+			if len(authConfigs) > 1 {
+				return "", "", fmt.Errorf("multiple auth configs found for image %s, expected only one", imageName)
+			}
+
+			for _, ac := range authConfigs {
+				return ac.Username, ac.Password, nil
+			}
+			return "", "", nil
+		}
+		return nil
+	}
 }
 
 // WithPullClient sets the pull client used to pull the image.

image/pull.go

@@ -54,37 +54,39 @@ func Pull(ctx context.Context, imageName string, opts ...PullOption) error {
 		defer pullOpts.pullClient.Close()
 	}
 
+	if pullOpts.credentialsFn == nil {
+		if err := WithCredentialsFromConfig()(pullOpts); err != nil {
+			return fmt.Errorf("set credentials for pull option: %w", err)
+		}
+	}
+
 	if imageName == "" {
 		return errors.New("image name is not set")
 	}
 
-	authConfigs, err := config.AuthConfigs(imageName)
-	if err != nil {
-		pullOpts.pullClient.Logger().Warn("failed to get image auth, setting empty credentials for the image", "image", imageName, "error", err)
-	} else {
-		// there must be only one auth config for the image
-		if len(authConfigs) > 1 {
-			return fmt.Errorf("multiple auth configs found for image %s, expected only one", imageName)
-		}
-
-		var tmp config.AuthConfig
-		for _, ac := range authConfigs {
-			tmp = ac
-		}
-
-		authConfig := config.AuthConfig{
-			Username: tmp.Username,
-			Password: tmp.Password,
-		}
-		encodedJSON, err := json.Marshal(authConfig)
+	if pullOpts.credentialsFn == nil {
+		username, password, err := pullOpts.credentialsFn(imageName)
 		if err != nil {
-			pullOpts.pullClient.Logger().Warn("failed to marshal image auth, setting empty credentials for the image", "image", imageName, "error", err)
-		} else {
-			pullOpts.pullOptions.RegistryAuth = base64.URLEncoding.EncodeToString(encodedJSON)
+			return fmt.Errorf("failed to retrieve credentials for image %s: %w", imageName, err)
+		}
+		if username != "" && password != "" {
+			authConfig := config.AuthConfig{
+				Username: username,
+				Password: password,
+			}
+			encodedJSON, err := json.Marshal(authConfig)
+			if err != nil {
+				pullOpts.pullClient.Logger().Warn("failed to marshal image auth, setting empty credentials for the image", "image", imageName, "error", err)
+			} else {
+				pullOpts.pullOptions.RegistryAuth = base64.URLEncoding.EncodeToString(encodedJSON)
+			}
 		}
 	}
 
-	var pull io.ReadCloser
+	var (
+		pull io.ReadCloser
+		err  error
+	)
 	err = backoff.RetryNotify(
 		func() error {
 			pull, err = pullOpts.pullClient.ImagePull(ctx, imageName, pullOpts.pullOptions)