5 changes: 0 additions & 5 deletions driver/driver.go
Expand Up @@ -8,7 +8,6 @@ import (

"github.com/docker/buildx/store"
"github.com/docker/buildx/util/progress"
clitypes "github.com/docker/cli/cli/config/types"
controlapi "github.com/moby/buildkit/api/services/control"
"github.com/moby/buildkit/client"
"github.com/pkg/errors"
Expand Down Expand Up @@ -58,10 +57,6 @@ type Info struct {
DynamicNodes []store.Node
}

type Auth interface {
GetAuthConfig(registryHostname string) (clitypes.AuthConfig, error)
}

type Driver interface {
Factory() Factory
Bootstrap(context.Context, progress.Logger) error
3 changes: 2 additions & 1 deletion driver/manager.go
Expand Up @@ -7,6 +7,7 @@ import (

"github.com/docker/cli/cli/context/store"
"github.com/moby/buildkit/client"
"github.com/moby/buildkit/session/auth/authprovider"
"github.com/moby/buildkit/util/tracing/delegated"
dockerclient "github.com/moby/moby/client"
ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
Expand Down Expand Up @@ -35,7 +36,7 @@ type InitConfig struct {
BuildkitdFlags []string
Files map[string][]byte
DriverOpts map[string]string
Auth Auth
Auth authprovider.AuthConfigProvider
Platforms []ocispecs.Platform
ContextPathHash string
DialMeta map[string][]string
3 changes: 2 additions & 1 deletion store/storeutil/storeutil.go
Expand Up @@ -8,6 +8,7 @@ import (
"github.com/docker/buildx/store"
"github.com/docker/buildx/util/confutil"
"github.com/docker/buildx/util/dockerutil"
"github.com/docker/buildx/util/dockerutil/dockerconfig"
"github.com/docker/buildx/util/imagetools"
"github.com/docker/buildx/util/resolver"
"github.com/docker/cli/cli/command"
Expand Down Expand Up @@ -109,7 +110,7 @@ func GetNodeGroup(txn *store.Txn, dockerCli command.Cli, name string) (*store.No
}

func GetImageConfig(dockerCli command.Cli, ng *store.NodeGroup) (opt imagetools.Opt, err error) {
opt.Auth = dockerCli.ConfigFile()
opt.Auth = dockerconfig.LoadAuthConfig(dockerCli)

if ng == nil || len(ng.Nodes) == 0 {
return opt, nil
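Review bot: GetImageConfig is exported but has no doc comment, and the switch to `dockerconfig.LoadAuthConfig(dockerCli)` makes where the credentials come from less obvious than the old `dockerCli.ConfigFile()` did; a header comment would help, e.g. `// GetImageConfig builds the imagetools.Opt for ng; Auth is the credential provider that dockerconfig.LoadAuthConfig derives from dockerCli.` Whether LoadAuthConfig can return a nil provider is not visible here; if it can, the nil check at the top of RegistryAuthForRef in util/imagetools/auth.go means callers quietly get no credentials rather than an error, which is worth a sentence in that comment. GetImageConfig's body continues past the end of the hunk.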
7 changes: 7 additions & 0 deletions util/dockerutil/dockerconfig/configprovider.go
Expand Up @@ -43,6 +43,13 @@ type authConfigProvider struct {
}

func (ap *authConfigProvider) load(ctx context.Context, host string, scopes []string, cacheExpireCheck authprovider.ExpireCachedAuthCheck) (types.AuthConfig, error) {
if cacheExpireCheck == nil {
cacheExpireCheck = func(created time.Time, _ string) bool {
// Tokens for Google Artifact Registry via Workload Identity expire after 5 minutes.
return time.Since(created) > 4*time.Minute+50*time.Second
}
}

ac, err := ap.loadHost(ctx, host, scopes, cacheExpireCheck)
if err != nil {
return types.AuthConfig{}, err
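Review bot: The `4*time.Minute+50*time.Second` cutoff in the new default cacheExpireCheck is a magic value applied to every host, while the comment beside it only justifies it for Google Artifact Registry; a named package-level constant would make both the intent and the scope explicit, e.g. `// defaultAuthCacheExpiry keeps a cached credential just under the 5-minute lifetime of GAR Workload Identity tokens; it applies to every host when the caller passes no check.` followed by `const defaultAuthCacheExpiry = 4*time.Minute + 50*time.Second`. That comment should also say that a registry issuing shorter-lived tokens will be served a stale cached entry until the cutoff, since the check is host-agnostic. The closure could likewise be a package-level func rather than rebuilt on each call, though that is minor. load's body continues past the end of the hunk.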
66 changes: 6 additions & 60 deletions util/imagetools/auth.go
Expand Up @@ -5,68 +5,14 @@ import (
"encoding/base64"
"encoding/json"
"net/http"
"sync"
"time"

"github.com/containerd/containerd/v2/core/remotes/docker"
"github.com/distribution/reference"
"github.com/docker/cli/cli/config/types"
"github.com/moby/buildkit/session/auth/authprovider"
)

type authConfig struct {
mu sync.Mutex
authConfigCache map[string]authConfigCacheEntry
cfg Auth
}

type authConfigCacheEntry struct {
Created time.Time
Auth types.AuthConfig
}

func newAuthConfig(a Auth) *authConfig {
return &authConfig{
authConfigCache: map[string]authConfigCacheEntry{},
cfg: a,
}
}

func (a *authConfig) credentials(host string) (string, string, error) {
ac, err := a.authConfig(host)
if err != nil {
return "", "", err
}
if ac.IdentityToken != "" {
return "", ac.IdentityToken, nil
}
return ac.Username, ac.Password, nil
}

func (a *authConfig) authConfig(host string) (types.AuthConfig, error) {
const defaultExpiration = 2 * time.Minute

if host == "registry-1.docker.io" {
host = "https://index.docker.io/v1/"
}
a.mu.Lock()
defer a.mu.Unlock()

if c, ok := a.authConfigCache[host]; ok && time.Since(c.Created) <= defaultExpiration {
return c.Auth, nil
}
ac, err := a.cfg.GetAuthConfig(host)
if err != nil {
return types.AuthConfig{}, err
}
a.authConfigCache[host] = authConfigCacheEntry{
Created: time.Now(),
Auth: ac,
}
return ac, nil
}

func RegistryAuthForRef(ref string, a Auth) (string, error) {
if a == nil {
func RegistryAuthForRef(ref string, auth authprovider.AuthConfigProvider) (string, error) {
if auth == nil {
return "", nil
}
r, err := parseRef(ref)
Expand All @@ -77,7 +23,7 @@ func RegistryAuthForRef(ref string, a Auth) (string, error) {
if host == "docker.io" {
host = "https://index.docker.io/v1/"
}
ac, err := a.GetAuthConfig(host)
ac, err := auth(context.TODO(), host, nil, nil)
if err != nil {
return "", err
}
Expand All @@ -90,11 +36,11 @@ func RegistryAuthForRef(ref string, a Auth) (string, error) {

type withBearerAuthorizer struct {
docker.Authorizer
AuthConfig *authConfig
AuthConfig authprovider.AuthConfigProvider
}

func (a *withBearerAuthorizer) Authorize(ctx context.Context, req *http.Request) error {
ac, err := a.AuthConfig.authConfig(req.Host)
ac, err := a.AuthConfig(ctx, req.Host, nil, nil)
if err == nil && ac.RegistryToken != "" {
req.Header.Set("Authorization", "Bearer "+ac.RegistryToken)
return nil
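Review bot: Authorize now hands `req.Host` straight to the provider (`a.AuthConfig(ctx, req.Host, nil, nil)`), whereas the deleted authConfig method first mapped `registry-1.docker.io` to `https://index.docker.io/v1/`, the key under which Docker Hub credentials live in the CLI config; RegistryAuthForRef still does its own `docker.io` mapping a few lines up, so the two call sites are no longer symmetric. If the buildkit authprovider does not normalize that host itself, Hub logins would silently stop being found for bearer-token lookups, so this is worth confirming or re-adding as `host := req.Host` and `if host == "registry-1.docker.io" { host = "https://index.docker.io/v1/" }` before the call. Separately, RegistryAuthForRef calls the provider with `context.TODO()` because it has no ctx parameter; if the provider can invoke credential helpers or fetch tokens, that work is uncancellable, and a ctx-taking entry point would be the cleaner fix. Both RegistryAuthForRef and Authorize continue outside their hunks.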
14 changes: 5 additions & 9 deletions util/imagetools/inspect.go
Expand Up @@ -11,19 +11,16 @@ import (
"github.com/containerd/log"
"github.com/distribution/reference"
"github.com/docker/buildx/util/resolver"
clitypes "github.com/docker/cli/cli/config/types"
"github.com/docker/buildx/util/resolver/auth"
"github.com/moby/buildkit/session/auth/authprovider"
"github.com/moby/buildkit/util/contentutil"
"github.com/moby/buildkit/util/tracing"
ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/sirupsen/logrus"
)

type Auth interface {
GetAuthConfig(registryHostname string) (clitypes.AuthConfig, error)
}

type Opt struct {
Auth Auth
Auth authprovider.AuthConfigProvider
RegistryConfig map[string]resolver.RegistryConfig
}

Expand All @@ -34,11 +31,10 @@ type Resolver struct {
}

func New(opt Opt) *Resolver {
ac := newAuthConfig(opt.Auth)
dockerAuth := docker.NewDockerAuthorizer(docker.WithAuthCreds(ac.credentials), docker.WithAuthClient(http.DefaultClient))
dockerAuth := auth.NewDockerAuthorizer(auth.WithAuthProvider(opt.Auth), auth.WithAuthClient(http.DefaultClient))
auth := &withBearerAuthorizer{
Authorizer: dockerAuth,
AuthConfig: ac,
AuthConfig: opt.Auth,
}
return &Resolver{
auth: auth,
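Review bot: In New, the local `auth := &withBearerAuthorizer{...}` shadows the newly imported `auth` package (`github.com/docker/buildx/util/resolver/auth`) that the line just above uses for `auth.NewDockerAuthorizer`; it compiles only because the package is referenced before the variable is declared, and any later reference to the package inside this function would resolve to the struct instead. Renaming the local avoids the trap: `bearer := &withBearerAuthorizer{` and `auth: bearer,`. Removing the exported `imagetools.Auth` interface in the first hunk is an API change for any external importer that implemented it, since the replacement is a func type (it is called directly in auth.go) that an interface value cannot satisfy, so a changelog note would help if such users exist. The Resolver struct and the rest of New continue outside the hunk.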