in container_images/registry-image-forked/types.go [155:212]
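// AuthOptions builds the remote options (authenticator and round-tripper)
// used to talk to the registry that hosts repo.
//
// The authenticator is chosen in this order:
//  1. basic auth, when both Username and Password are non-empty;
//  2. Google environment credentials, when source.Google is set;
//  3. anonymous access.
//
// If Google credentials cannot be resolved the failure is logged and the
// function deliberately continues with anonymous access instead of failing.
// NOTE(review): a Username without a Password (or the reverse) also falls
// through to the later branches without any diagnostic; confirm that this
// silent downgrade is intended.
//
// When source.DomainCerts is non-empty, every entry must be a PEM bundle
// containing at least one parsable certificate. The certificates are added to
// a copy of the system pool and trusted only by the transport built for this
// call.
//
// scopeActions are expanded to registry scopes for repo and handed to the
// token-exchange transport.
//
// An error is returned when the system pool cannot be loaded, when a
// DomainCerts entry contains no usable certificate, when the default HTTP
// transport is not an *http.Transport while certificates are configured, or
// when the registry transport cannot be initialized.
func (source Source) AuthOptions(repo name.Repository, scopeActions []string) ([]remote.Option, error) {
	ctx := context.Background()

	var auth authn.Authenticator
	switch {
	case source.Username != "" && source.Password != "":
		auth = &authn.Basic{
			Username: source.Username,
			Password: source.Password,
		}
	case source.Google:
		logrus.Warnf("Forked registry image: will use Google default credentials")
		var err error
		if auth, err = google.NewEnvAuthenticator(ctx); err != nil {
			// Best effort: the original behavior is to keep going anonymously.
			logrus.Errorf("failed to determine Google default credentials: %v.", err)
			logrus.Warnf("Will use anonymous access.")
			auth = authn.Anonymous
		}
	default:
		auth = authn.Anonymous
	}

	// Without extra certificates the shared default transport is used as is.
	var tr http.RoundTripper = http.DefaultTransport

	if len(source.DomainCerts) > 0 {
		base, ok := http.DefaultTransport.(*http.Transport)
		if !ok {
			return nil, fmt.Errorf("default HTTP transport is %T, cannot attach registry certificates", http.DefaultTransport)
		}

		rootCAs, err := x509.SystemCertPool()
		if err != nil {
			return nil, err
		}
		if rootCAs == nil {
			rootCAs = x509.NewCertPool()
		}
		for _, cert := range source.DomainCerts {
			// AppendCertsFromPEM reports only success or failure, so there is
			// no underlying error to wrap here.
			if !rootCAs.AppendCertsFromPEM([]byte(cert)) {
				return nil, fmt.Errorf("failed to append registry certificate: no valid PEM certificate found")
			}
		}

		// Work on a clone: assigning TLSClientConfig on http.DefaultTransport
		// would make every HTTP client in the process trust these registry
		// CAs and would race with requests already using that transport.
		// The clone has its own connection pool.
		custom := base.Clone()
		custom.TLSClientConfig = &tls.Config{
			RootCAs: rootCAs,
		}
		tr = custom
	}

	scopes := make([]string, len(scopeActions))
	for i, action := range scopeActions {
		scopes[i] = repo.Scope(action)
	}

	rt, err := transport.NewWithContext(ctx, repo.Registry, auth, tr, scopes)
	if err != nil {
		return nil, fmt.Errorf("initialize transport: %w", err)
	}

	return []remote.Option{remote.WithAuth(auth), remote.WithTransport(rt)}, nil
}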