- remove a way to get token from docker library

- use `go-containerregistry` library to retrieve authConfig, make sure we use the same way to handle pulling image from private registry.

Signed-off-by: Chuan-Yen Chiang <[email protected]>

Author: cychiang

cmd/crank/render/runtime_docker.go

@@ -18,23 +18,19 @@ package render
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"net"
-	"os"
-	"path/filepath"
 
-	"github.com/distribution/reference"
-	"github.com/docker/cli/cli/config"
-	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	typesimage "github.com/docker/docker/api/types/image"
-	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/registry"
 	"github.com/docker/go-connections/nat"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/name"
 
 	"github.com/crossplane/crossplane-runtime/pkg/errors"
 	"github.com/crossplane/crossplane-runtime/pkg/logging"
@@ -113,12 +109,12 @@ type RuntimeDocker struct {
 	// Cleanup controls how the containers are handled after rendering.
 	Cleanup DockerCleanup
 
-	// ConfigFile contains information like credentials for each registry, default to ~/.docker/config.json
-	ConfigFile *configfile.ConfigFile
-
 	// PullPolicy controls how the runtime image is pulled.
 	PullPolicy DockerPullPolicy
 
+	// Keychain to use for pulling images from private registry.
+	Keychain authn.Keychain
+
 	// log is the logger for this runtime.
 	log logging.Logger
 }
@@ -163,31 +159,12 @@ func GetRuntimeDocker(fn pkgv1.Function, log logging.Logger) (*RuntimeDocker, er
 		return nil, errors.Wrapf(err, "cannot get pull policy for Function %q", fn.GetName())
 	}
 
-	// Initial ConfigFile, first check environment variable XDG_RUNTIME_DIR for Podman if it exists
-	// Otherwise, use the default Docker config file
-	var configFile *configfile.ConfigFile
-	if _, err := os.Stat(filepath.Join(os.Getenv("XDG_RUNTIME_DIR"), "containers/auth.json")); err == nil {
-		// Use the auth.json file if specified XDG_RUNTIME_DIR and file exists
-		f, err := os.Open(filepath.Join(os.Getenv("XDG_RUNTIME_DIR"), "containers/auth.json"))
-		if err != nil {
-			return nil, errors.Wrapf(err, "cannot open file %s", filepath.Join(os.Getenv("XDG_RUNTIME_DIR"), "containers/auth.json"))
-		}
-		defer f.Close() //nolint:errcheck // Only open for reading.
-
-		configFile, err = config.LoadFromReader(f)
-		if err != nil {
-			return nil, errors.Wrapf(err, "cannot load config file from reader")
-		}
-	} else {
-		configFile = config.LoadDefaultConfigFile(os.Stderr)
-	}
-
 	r := &RuntimeDocker{
 		Image:      fn.Spec.Package,
 		Name:       "",
 		Cleanup:    cleanup,
-		ConfigFile: configFile,
 		PullPolicy: pullPolicy,
+		Keychain:   authn.DefaultKeychain,
 		log:        log,
 	}
 
@@ -318,33 +295,29 @@ func (r *RuntimeDocker) createContainer(ctx context.Context, cli *client.Client)
 }
 
 func (r *RuntimeDocker) getPullOptions() (typesimage.PullOptions, error) {
-	// Resolve auth token by looking into config file
-	named, err := reference.ParseNormalizedNamed(r.Image)
+	// Resolve auth token by looking into keychain
+	ref, err := name.ParseReference(r.Image)
 	if err != nil {
 		return typesimage.PullOptions{}, errors.Wrapf(err, "Image is not a valid reference %s", r.Image)
 	}
 
-	repoInfo, err := registry.ParseRepositoryInfo(named)
+	auth, err := r.Keychain.Resolve(ref.Context().Registry)
 	if err != nil {
-		return typesimage.PullOptions{}, errors.Wrapf(err, "Cannot parse repository info: %s", named.String())
+		return typesimage.PullOptions{}, errors.Wrapf(err, "Cannot resolve auth for %s", ref.Context().RegistryStr())
 	}
 
-	configKey := repoInfo.Index.Name
-	if repoInfo.Index.Official {
-		configKey = registry.IndexServer
-	}
-	authConfig, err := r.ConfigFile.GetAuthConfig(configKey)
+	authConfig, err := auth.Authorization()
 	if err != nil {
-		return typesimage.PullOptions{}, errors.Wrapf(err, "Cannot get auth config info with configKey: %s", configKey)
+		return typesimage.PullOptions{}, errors.Wrapf(err, "Cannot get auth config for %s", ref.Context().RegistryStr())
 	}
 
-	encodedAuth, err := registrytypes.EncodeAuthConfig(registrytypes.AuthConfig(authConfig))
+	token, err := authConfig.MarshalJSON()
 	if err != nil {
-		return typesimage.PullOptions{}, errors.Wrapf(err, "Cannot encode auth config with configKey: %s", configKey)
+		return typesimage.PullOptions{}, errors.Wrapf(err, "Cannot marshal auth config for %s", ref.Context().RegistryStr())
 	}
 
 	return typesimage.PullOptions{
-		RegistryAuth: encodedAuth,
+		RegistryAuth: base64.URLEncoding.EncodeToString(token),
 	}, nil
 }
 

cmd/crank/render/runtime_docker_test.go

@@ -19,10 +19,8 @@ package render
 import (
 	"context"
 	"io"
-	"os"
 	"testing"
 
-	"github.com/docker/cli/cli/config"
 	"github.com/docker/docker/api/types/image"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -78,7 +76,6 @@ func TestGetRuntimeDocker(t *testing.T) {
 			want: want{
 				rd: &RuntimeDocker{
 					Image:      "test-image-from-annotation",
-					ConfigFile: config.LoadDefaultConfigFile(os.Stderr),
 					Cleanup:    AnnotationValueRuntimeDockerCleanupOrphan,
 					PullPolicy: AnnotationValueRuntimeDockerPullPolicyAlways,
 				},
@@ -105,7 +102,6 @@ func TestGetRuntimeDocker(t *testing.T) {
 			want: want{
 				rd: &RuntimeDocker{
 					Image:      "test-image-from-annotation",
-					ConfigFile: config.LoadDefaultConfigFile(os.Stderr),
 					Cleanup:    AnnotationValueRuntimeDockerCleanupOrphan,
 					Name:       "test-container-name-function",
 					PullPolicy: AnnotationValueRuntimeDockerPullPolicyIfNotPresent,
@@ -129,7 +125,6 @@ func TestGetRuntimeDocker(t *testing.T) {
 			want: want{
 				rd: &RuntimeDocker{
 					Image:      "test-package",
-					ConfigFile: config.LoadDefaultConfigFile(os.Stderr),
 					Cleanup:    AnnotationValueRuntimeDockerCleanupRemove,
 					PullPolicy: AnnotationValueRuntimeDockerPullPolicyIfNotPresent,
 				},
@@ -194,7 +189,6 @@ func TestGetRuntimeDocker(t *testing.T) {
 			want: want{
 				rd: &RuntimeDocker{
 					Image:      "test-package",
-					ConfigFile: config.LoadDefaultConfigFile(os.Stderr),
 					Cleanup:    AnnotationValueRuntimeDockerCleanupStop,
 					PullPolicy: AnnotationValueRuntimeDockerPullPolicyIfNotPresent,
 				},
@@ -204,7 +198,7 @@ func TestGetRuntimeDocker(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			rd, err := GetRuntimeDocker(tc.args.fn, logging.NewNopLogger())
-			if diff := cmp.Diff(tc.want.rd, rd, cmpopts.IgnoreUnexported(RuntimeDocker{})); diff != "" {
+			if diff := cmp.Diff(tc.want.rd, rd, cmpopts.IgnoreUnexported(RuntimeDocker{}), cmpopts.IgnoreFields(RuntimeDocker{}, "Keychain")); diff != "" {
 				t.Errorf("\n%s\nGetRuntimeDocker(...): -want, +got:\n%s", tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.err, err, cmpopts.EquateErrors()); diff != "" {

go.mod

@@ -8,7 +8,6 @@ require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/alecthomas/kong v0.9.0
 	github.com/crossplane/crossplane-runtime v1.19.0-rc.0.0.20241105071456-19d95a69cc03
-	github.com/distribution/reference v0.5.0
 	github.com/docker/docker v27.1.1+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/emicklei/dot v1.6.2
@@ -64,8 +63,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
-	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
+	github.com/distribution/reference v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
@@ -89,7 +87,6 @@ require (
 	github.com/google/certificate-transparency-go v1.2.1 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
@@ -192,7 +189,7 @@ require (
 	github.com/dave/jennifer v1.6.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/docker/cli v27.4.1+incompatible
+	github.com/docker/cli v27.4.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2
 	github.com/docker/go-units v0.5.0 // indirect