Use Docker CLI's RetrieveAuthTokenFromImage for non-Hub registries

jchangx · claude · jchangx · commit 2fddfaf33793 · 2026-03-25T18:56:46.000-07:00
Replace hand-rolled credential encoding with command.RetrieveAuthTokenFromImage
which correctly handles IdentityToken auth, base64url encoding, and hostname
normalization — the same auth path docker pull uses natively.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/pkg/docker/images.go b/pkg/docker/images.go
@@ -2,8 +2,6 @@ package docker
 
 import (
 	"context"
-	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"io"
 	"os"
@@ -13,6 +11,7 @@ import (
 
 	cerrdefs "github.com/containerd/errdefs"
 	"github.com/distribution/reference"
+	"github.com/docker/cli/cli/command"
 	"github.com/docker/docker/api/types/image"
 	"golang.org/x/sync/errgroup"
 )
@@ -53,25 +52,6 @@ func (c *dockerClient) InspectImage(ctx context.Context, name string) (image.Ins
 	return c.apiClient().ImageInspect(ctx, name)
 }
 
-// getCredStoreAuth resolves registry credentials from the Docker CLI credential store.
-func (c *dockerClient) getCredStoreAuth(hostname string) string {
-	if c.cli == nil {
-		return ""
-	}
-	authConfig, err := c.cli.ConfigFile().GetAuthConfig(hostname)
-	if err != nil || authConfig.Username == "" {
-		return ""
-	}
-	buf, err := json.Marshal(map[string]string{
-		"username": authConfig.Username,
-		"password": authConfig.Password,
-	})
-	if err != nil {
-		return ""
-	}
-	return base64.StdEncoding.EncodeToString(buf)
-}
-
 func (c *dockerClient) pullImage(ctx context.Context, imageName string, registryAuthFn func() string) error {
 	inspect, err := c.apiClient().ImageInspect(ctx, imageName)
 	if err != nil && !cerrdefs.IsNotFound(err) {
@@ -99,8 +79,14 @@ func (c *dockerClient) pullImage(ctx context.Context, imageName string, registry
 	var pullOptions image.PullOptions
 	if strings.HasPrefix(ref.Name(), "docker.io/") {
 		pullOptions.RegistryAuth = registryAuthFn()
-	} else {
-		pullOptions.RegistryAuth = c.getCredStoreAuth(reference.Domain(ref))
+	} else if c.cli != nil {
+		// For non-Hub registries (e.g. dhi.io), resolve credentials from the
+		// Docker CLI credential store. This uses the same auth path as
+		// "docker pull" and works with any configured credential helper.
+		encodedAuth, err := command.RetrieveAuthTokenFromImage(c.cli.ConfigFile(), imageName)
+		if err == nil {
+			pullOptions.RegistryAuth = encodedAuth
+		}
 	}
 
 	response, err := c.apiClient().ImagePull(ctx, imageName, pullOptions)
