From 8528d77e42c2aff74d86fabfa0b867ad50069249 Mon Sep 17 00:00:00 2001 From: Laurent Goderre Date: Mon, 3 Nov 2025 10:36:54 -0500 Subject: [PATCH 1/4] add auth test for the default registry --- docker_auth_test.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docker_auth_test.go b/docker_auth_test.go index 74042fc573..6fbd054bed 100644 --- a/docker_auth_test.go +++ b/docker_auth_test.go @@ -123,6 +123,20 @@ func TestDockerImageAuth(t *testing.T) { require.Equal(t, base64, cfg.Auth) }) + t.Run("match the default registry authentication by host", func(t *testing.T) { + imageReg := "docker.io" + imagePath := "/my/image:latest" + reg := defaultRegistry(context.Background()) + base64 := setAuthConfig(t, reg, "gopher", "secret") + + registry, cfg, err := DockerImageAuth(context.Background(), imageReg+imagePath) + require.NoError(t, err) + require.Equal(t, reg, registry) + require.Equal(t, "gopher", cfg.Username) + require.Equal(t, "secret", cfg.Password) + require.Equal(t, base64, cfg.Auth) + }) + t.Run("fail to match registry authentication due to invalid host", func(t *testing.T) { imageReg := "example-auth.com" imagePath := "/my/image:latest" From 326fd773928c67d67a0e359946aad2747e514aa4 Mon Sep 17 00:00:00 2001 From: Laurent Goderre Date: Mon, 3 Nov 2025 11:09:33 -0500 Subject: [PATCH 2/4] fix: docker auth for docker.io images --- internal/core/images.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/internal/core/images.go b/internal/core/images.go index e00160262f..a436f1578b 100644 --- a/internal/core/images.go +++ b/internal/core/images.go @@ -100,6 +100,11 @@ func ExtractRegistry(image string, fallback string) string { registry := exp[1] + // Make comparison case-insensitive and handle both aliases + if strings.EqualFold(registry, "docker.io") || strings.EqualFold(registry, "registry.hub.docker.com") { + return fallback + } + if IsURL(registry) { return registry } From b2ddec38c04a7f76212f3054aeb6d8106afd1aa9 Mon Sep 17 00:00:00 2001 From: mdelapenya Date: Tue, 25 Nov 2025 11:21:05 +0100 Subject: [PATCH 3/4] chore: separate concerns --- internal/core/images.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/internal/core/images.go b/internal/core/images.go index a436f1578b..90793f3fc4 100644 --- a/internal/core/images.go +++ b/internal/core/images.go @@ -100,11 +100,16 @@ func ExtractRegistry(image string, fallback string) string { registry := exp[1] - // Make comparison case-insensitive and handle both aliases - if strings.EqualFold(registry, "docker.io") || strings.EqualFold(registry, "registry.hub.docker.com") { + // docker.io is an implicit reference, return fallback for normalization + if strings.EqualFold(registry, "docker.io") { return fallback } + // registry.hub.docker.com is an explicit registry reference, preserve it + if strings.EqualFold(registry, "registry.hub.docker.com") { + return "registry.hub.docker.com" + } + if IsURL(registry) { return registry } From bb3223a5cedf3d07c0b83f255b618327b90ac34e Mon Sep 17 00:00:00 2001 From: mdelapenya Date: Tue, 25 Nov 2025 11:22:37 +0100 Subject: [PATCH 4/4] chore: normalize Hub aliases for credential lookup --- docker_auth.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docker_auth.go b/docker_auth.go index 58b3ef2637..6472a9738e 100644 --- a/docker_auth.go +++ b/docker_auth.go @@ -10,6 +10,7 @@ import ( "fmt" "net/url" "os" + "strings" "sync" "github.com/cpuguy83/dockercfg" @@ -42,6 +43,13 @@ func dockerImageAuth(ctx context.Context, image string, configs map[string]regis defaultRegistry := defaultRegistryFn(ctx) reg := core.ExtractRegistry(image, defaultRegistry) + // Normalize Docker Hub aliases for credential lookup + if strings.EqualFold(reg, "docker.io") || + strings.EqualFold(reg, "registry.hub.docker.com") || + strings.EqualFold(reg, "registry-1.docker.io") { + reg = defaultRegistry // This is https://index.docker.io/v1/ + } + if cfg, ok := getRegistryAuth(reg, configs); ok { return reg, cfg, nil }