working commit

2026-02-21 13:16:56 +02:00
parent d650d58a6d
commit 7be3cf8de7
1136 changed files with 722443 additions and 0 deletions
@@ -0,0 +1,322 @@
+# `authn`
+
+[![GoDoc](https://godoc.org/github.com/google/go-containerregistry/pkg/authn?status.svg)](https://godoc.org/github.com/google/go-containerregistry/pkg/authn)
+
+This README outlines how we acquire and use credentials when interacting with a registry.
+
+As much as possible, we attempt to emulate `docker`'s authentication behavior and configuration so that this library "just works" if you've already configured credentials that work with `docker`; however, when things don't work, a basic understanding of what's going on can help with debugging.
+
+The official documentation for how authentication with `docker` works is (reasonably) scattered across several different sites and GitHub repositories, so we've tried to summarize the relevant bits here.
+
+## tl;dr for consumers of this package
+
+By default, [`pkg/v1/remote`](https://godoc.org/github.com/google/go-containerregistry/pkg/v1/remote) uses [`Anonymous`](https://godoc.org/github.com/google/go-containerregistry/pkg/authn#Anonymous) credentials (i.e. _none_), which for most registries will only allow read access to public images.
+
+To use the credentials found in your Docker config file, you can use the [`DefaultKeychain`](https://godoc.org/github.com/google/go-containerregistry/pkg/authn#DefaultKeychain), e.g.:
+
+```go
+package main
+
+import (
+	"fmt"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+func main() {
+	ref, err := name.ParseReference("registry.example.com/private/repo")
+	if err != nil {
+		panic(err)
+	}
+
+	// Fetch the manifest using default credentials.
+	img, err := remote.Get(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain))
+	if err != nil {
+		panic(err)
+	}
+
+	// Prints the digest of registry.example.com/private/repo
+	fmt.Println(img.Digest)
+}
+```
+
+The `DefaultKeychain` will use credentials as described in your Docker config file -- usually `~/.docker/config.json`, or `%USERPROFILE%\.docker\config.json` on Windows -- or the location described by the `DOCKER_CONFIG` environment variable, if set.
+
+If those are not found, `DefaultKeychain` will look for credentials configured using [Podman's expectation](https://docs.podman.io/en/latest/markdown/podman-login.1.html) that these are found in `${XDG_RUNTIME_DIR}/containers/auth.json`.
+
+[See below](#docker-config-auth) for more information about what is configured in this file.
+
+## Emulating Cloud Provider Credential Helpers
+
+[`pkg/v1/google.Keychain`](https://pkg.go.dev/github.com/google/go-containerregistry/pkg/v1/google#Keychain) provides a `Keychain` implementation that emulates [`docker-credential-gcr`](https://github.com/GoogleCloudPlatform/docker-credential-gcr) to find credentials in the environment.
+See [`google.NewEnvAuthenticator`](https://pkg.go.dev/github.com/google/go-containerregistry/pkg/v1/google#NewEnvAuthenticator) and [`google.NewGcloudAuthenticator`](https://pkg.go.dev/github.com/google/go-containerregistry/pkg/v1/google#NewGcloudAuthenticator) for more information.
+
+To emulate other credential helpers without requiring them to be available as executables, [`NewKeychainFromHelper`](https://pkg.go.dev/github.com/google/go-containerregistry/pkg/authn#NewKeychainFromHelper) provides an adapter that takes a Go implementation satisfying a subset of the [`credentials.Helper`](https://pkg.go.dev/github.com/docker/docker-credential-helpers/credentials#Helper) interface, and makes it available as a `Keychain`.
+
+This means that you can emulate, for example, [Amazon ECR's `docker-credential-ecr-login` credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) using the same implementation:
+
+```go
+import (
+	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+	"github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+func main() {
+	// ...
+	ecrHelper := ecr.ECRHelper{ClientFactory: api.DefaultClientFactory{}}
+	img, err := remote.Get(ref, remote.WithAuthFromKeychain(authn.NewKeychainFromHelper(ecrHelper)))
+	if err != nil {
+		panic(err)
+	}
+	// ...
+}
+```
+
+Likewise, you can emulate [Azure's ACR `docker-credential-acr-env` credential helper](https://github.com/chrismellard/docker-credential-acr-env):
+
+```go
+import (
+	"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+func main() {
+	// ...
+	acrHelper := credhelper.NewACRCredentialsHelper()
+	img, err := remote.Get(ref, remote.WithAuthFromKeychain(authn.NewKeychainFromHelper(acrHelper)))
+	if err != nil {
+		panic(err)
+	}
+	// ...
+}
+```
+
+<!-- TODO(jasonhall): Wrap these in docker-credential-magic and reference those from here. -->
+
+## Using Multiple `Keychain`s
+
+[`NewMultiKeychain`](https://pkg.go.dev/github.com/google/go-containerregistry/pkg/authn#NewMultiKeychain) allows you to specify multiple `Keychain` implementations, which will be checked in order when credentials are needed.
+
+For example:
+
+```go
+kc := authn.NewMultiKeychain(
+    authn.DefaultKeychain,
+    google.Keychain,
+    authn.NewKeychainFromHelper(ecr.ECRHelper{ClientFactory: api.DefaultClientFactory{}}),
+    authn.NewKeychainFromHelper(acr.ACRCredHelper{}),
+)
+```
+
+This multi-keychain will:
+
+- first check for credentials found in the Docker config file, as describe above, then
+- check for GCP credentials available in the environment, as described above, then
+- check for ECR credentials by emulating the ECR credential helper, then
+- check for ACR credentials by emulating the ACR credential helper.
+
+If any keychain implementation is able to provide credentials for the request, they will be used, and further keychain implementations will not be consulted.
+
+If no implementations are able to provide credentials, `Anonymous` credentials will be used.
+
+## Docker Config Auth
+
+What follows attempts to gather useful information about Docker's config.json and make it available in one place.
+
+If you have questions, please [file an issue](https://github.com/google/go-containerregistry/issues/new).
+
+### Plaintext
+
+The config file is where your credentials are stored when you invoke `docker login`, e.g. the contents may look something like this:
+
+```json
+{
+	"auths": {
+		"registry.example.com": {
+			"auth": "QXp1cmVEaWFtb25kOmh1bnRlcjI="
+		}
+	}
+}
+```
+
+The `auths` map has an entry per registry, and the `auth` field contains your username and password encoded as [HTTP 'Basic' Auth](https://tools.ietf.org/html/rfc7617).
+
+**NOTE**: This means that your credentials are stored _in plaintext_:
+
+```bash
+$ echo "QXp1cmVEaWFtb25kOmh1bnRlcjI=" | base64 -d
+AzureDiamond:hunter2
+```
+
+For what it's worth, this config file is equivalent to:
+
+```json
+{
+	"auths": {
+		"registry.example.com": {
+			"username": "AzureDiamond",
+			"password": "hunter2"
+		}
+	}
+}
+```
+
+... which is useful to know if e.g. your CI system provides you a registry username and password via environment variables and you want to populate this file manually without invoking `docker login`.
+
+### Helpers
+
+If you log in like this, `docker` will warn you that you should use a [credential helper](https://docs.docker.com/engine/reference/commandline/login/#credentials-store), and you should!
+
+To configure a global credential helper:
+```json
+{
+	"credsStore": "osxkeychain"
+}
+```
+
+To configure a per-registry credential helper:
+```json
+{
+	"credHelpers": {
+		"gcr.io": "gcr"
+	}
+}
+```
+
+We use [`github.com/docker/cli/cli/config.Load`](https://godoc.org/github.com/docker/cli/cli/config#Load) to parse the config file and invoke any necessary credential helpers. This handles the logic of taking a [`ConfigFile`](https://github.com/docker/cli/blob/ba63a92655c0bea4857b8d6cc4991498858b3c60/cli/config/configfile/file.go#L25-L54) + registry domain and producing an [`AuthConfig`](https://github.com/docker/cli/blob/ba63a92655c0bea4857b8d6cc4991498858b3c60/cli/config/types/authconfig.go#L3-L22), which determines how we authenticate to the registry.
+
+## Credential Helpers
+
+The [credential helper protocol](https://github.com/docker/docker-credential-helpers) allows you to configure a binary that supplies credentials for the registry, rather than hard-coding them in the config file.
+
+The protocol has several verbs, but the one we most care about is `get`.
+
+For example, using the following config file:
+```json
+{
+	"credHelpers": {
+		"gcr.io": "gcr",
+		"eu.gcr.io": "gcr"
+	}
+}
+```
+
+To acquire credentials for `gcr.io`, we look in the `credHelpers` map to find
+the credential helper for `gcr.io` is `gcr`. By appending that value to
+`docker-credential-`, we can get the name of the binary we need to use.
+
+For this example, that's `docker-credential-gcr`, which must be on our `$PATH`.
+We'll then invoke that binary to get credentials:
+
+```bash
+$ echo "gcr.io" | docker-credential-gcr get
+{"Username":"_token","Secret":"<long access token>"}
+```
+
+You can configure the same credential helper for multiple registries, which is
+why we need to pass the domain in via STDIN, e.g. if we were trying to access
+`eu.gcr.io`, we'd do this instead:
+
+```bash
+$ echo "eu.gcr.io" | docker-credential-gcr get
+{"Username":"_token","Secret":"<long access token>"}
+```
+
+### Debugging credential helpers
+
+If a credential helper is configured but doesn't seem to be working, it can be
+challenging to debug. Implementing a fake credential helper lets you poke around
+to make it easier to see where the failure is happening.
+
+This "implements" a credential helper with hard-coded values:
+```
+#!/usr/bin/env bash
+echo '{"Username":"<token>","Secret":"hunter2"}'
+```
+
+
+This implements a credential helper that prints the output of
+`docker-credential-gcr` to both stderr and whatever called it, which allows you
+to snoop on another credential helper:
+```
+#!/usr/bin/env bash
+docker-credential-gcr $@ | tee >(cat 1>&2)
+```
+
+Put those files somewhere on your path, naming them e.g.
+`docker-credential-hardcoded` and `docker-credential-tee`, then modify the
+config file to use them:
+
+```json
+{
+	"credHelpers": {
+		"gcr.io": "tee",
+		"eu.gcr.io": "hardcoded"
+	}
+}
+```
+
+The `docker-credential-tee` trick works with both `crane` and `docker`:
+
+```bash
+$ crane manifest gcr.io/google-containers/pause > /dev/null
+{"ServerURL":"","Username":"_dcgcr_1_5_0_token","Secret":"<redacted>"}
+
+$ docker pull gcr.io/google-containers/pause
+Using default tag: latest
+{"ServerURL":"","Username":"_dcgcr_1_5_0_token","Secret":"<redacted>"}
+latest: Pulling from google-containers/pause
+a3ed95caeb02: Pull complete
+4964c72cd024: Pull complete
+Digest: sha256:a78c2d6208eff9b672de43f880093100050983047b7b0afe0217d3656e1b0d5f
+Status: Downloaded newer image for gcr.io/google-containers/pause:latest
+gcr.io/google-containers/pause:latest
+```
+
+## The Registry
+
+There are two methods for authenticating against a registry:
+[token](https://docs.docker.com/registry/spec/auth/token/) and
+[oauth2](https://docs.docker.com/registry/spec/auth/oauth/).
+
+Both methods are used to acquire an opaque `Bearer` token (or
+[RegistryToken](https://github.com/docker/cli/blob/ba63a92655c0bea4857b8d6cc4991498858b3c60/cli/config/types/authconfig.go#L21))
+to use in the `Authorization` header. The registry will return a `401
+Unauthorized` during the [version
+check](https://github.com/opencontainers/distribution-spec/blob/2c3975d1f03b67c9a0203199038adea0413f0573/spec.md#api-version-check)
+(or during normal operations) with
+[Www-Authenticate](https://tools.ietf.org/html/rfc7235#section-4.1) challenge
+indicating how to proceed.
+
+### Token
+
+If we get back an `AuthConfig` containing a [`Username/Password`](https://github.com/docker/cli/blob/ba63a92655c0bea4857b8d6cc4991498858b3c60/cli/config/types/authconfig.go#L5-L6)
+or
+[`Auth`](https://github.com/docker/cli/blob/ba63a92655c0bea4857b8d6cc4991498858b3c60/cli/config/types/authconfig.go#L7),
+we'll use the token method for authentication:
+
+![basic](../../images/credhelper-basic.svg)
+
+### OAuth 2
+
+If we get back an `AuthConfig` containing an [`IdentityToken`](https://github.com/docker/cli/blob/ba63a92655c0bea4857b8d6cc4991498858b3c60/cli/config/types/authconfig.go#L18)
+we'll use the oauth2 method for authentication:
+
+![oauth](../../images/credhelper-oauth.svg)
+
+This happens when a credential helper returns a response with the
+[`Username`](https://github.com/docker/docker-credential-helpers/blob/f78081d1f7fef6ad74ad6b79368de6348386e591/credentials/credentials.go#L16)
+set to `<token>` (no, that's not a placeholder, the literal string `"<token>"`).
+It is unclear why: [moby/moby#36926](https://github.com/moby/moby/issues/36926).
+
+We only support the oauth2 `grant_type` for `refresh_token` ([#629](https://github.com/google/go-containerregistry/issues/629)),
+since it's impossible to determine from the registry response whether we should
+use oauth, and the token method for authentication is widely implemented by
+registries.
@@ -0,0 +1,26 @@
+// Copyright 2018 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authn
+
+// anonymous implements Authenticator for anonymous authentication.
+type anonymous struct{}
+
+// Authorization implements Authenticator.
+func (a *anonymous) Authorization() (*AuthConfig, error) {
+	return &AuthConfig{}, nil
+}
+
+// Anonymous is a singleton Authenticator for providing anonymous auth.
+var Anonymous Authenticator = &anonymous{}
@@ -0,0 +1,30 @@
+// Copyright 2018 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authn
+
+// auth is an Authenticator that simply returns the wrapped AuthConfig.
+type auth struct {
+	config AuthConfig
+}
+
+// FromConfig returns an Authenticator that just returns the given AuthConfig.
+func FromConfig(cfg AuthConfig) Authenticator {
+	return &auth{cfg}
+}
+
+// Authorization implements Authenticator.
+func (a *auth) Authorization() (*AuthConfig, error) {
+	return &a.config, nil
+}
@@ -0,0 +1,132 @@
+// Copyright 2018 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authn
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"strings"
+)
+
+// Authenticator is used to authenticate Docker transports.
+type Authenticator interface {
+	// Authorization returns the value to use in an http transport's Authorization header.
+	Authorization() (*AuthConfig, error)
+}
+
+// ContextAuthenticator is like Authenticator, but allows for context to be passed in.
+type ContextAuthenticator interface {
+	// Authorization returns the value to use in an http transport's Authorization header.
+	AuthorizationContext(context.Context) (*AuthConfig, error)
+}
+
+// Authorization calls AuthorizationContext with ctx if the given [Authenticator] implements [ContextAuthenticator],
+// otherwise it calls Resolve with the given [Resource].
+func Authorization(ctx context.Context, authn Authenticator) (*AuthConfig, error) {
+	if actx, ok := authn.(ContextAuthenticator); ok {
+		return actx.AuthorizationContext(ctx)
+	}
+
+	return authn.Authorization()
+}
+
+// AuthConfig contains authorization information for connecting to a Registry
+// Inlined what we use from github.com/docker/cli/cli/config/types
+type AuthConfig struct {
+	Username string `json:"username,omitempty"`
+	Password string `json:"password,omitempty"`
+	Auth     string `json:"auth,omitempty"`
+
+	// IdentityToken is used to authenticate the user and get
+	// an access token for the registry.
+	IdentityToken string `json:"identitytoken,omitempty"`
+
+	// RegistryToken is a bearer token to be sent to a registry
+	RegistryToken string `json:"registrytoken,omitempty"`
+}
+
+// This is effectively a copy of the type AuthConfig. This simplifies
+// JSON unmarshalling since AuthConfig methods are not inherited
+type authConfig AuthConfig
+
+// UnmarshalJSON implements json.Unmarshaler
+func (a *AuthConfig) UnmarshalJSON(data []byte) error {
+	var shadow authConfig
+	err := json.Unmarshal(data, &shadow)
+	if err != nil {
+		return err
+	}
+
+	*a = (AuthConfig)(shadow)
+
+	if len(shadow.Auth) != 0 {
+		var derr error
+		a.Username, a.Password, derr = decodeDockerConfigFieldAuth(shadow.Auth)
+		if derr != nil {
+			err = fmt.Errorf("unable to decode auth field: %w", derr)
+		}
+	} else if len(a.Username) != 0 && len(a.Password) != 0 {
+		a.Auth = encodeDockerConfigFieldAuth(shadow.Username, shadow.Password)
+	}
+
+	return err
+}
+
+// MarshalJSON implements json.Marshaler
+func (a AuthConfig) MarshalJSON() ([]byte, error) {
+	shadow := (authConfig)(a)
+	shadow.Auth = encodeDockerConfigFieldAuth(shadow.Username, shadow.Password)
+	return json.Marshal(shadow)
+}
+
+// decodeDockerConfigFieldAuth deserializes the "auth" field from dockercfg into a
+// username and a password. The format of the auth field is base64(<username>:<password>).
+//
+// From https://github.com/kubernetes/kubernetes/blob/75e49ec824b183288e1dbaccfd7dbe77d89db381/pkg/credentialprovider/config.go
+// Copyright 2014 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+func decodeDockerConfigFieldAuth(field string) (username, password string, err error) {
+	var decoded []byte
+	// StdEncoding can only decode padded string
+	// RawStdEncoding can only decode unpadded string
+	if strings.HasSuffix(strings.TrimSpace(field), "=") {
+		// decode padded data
+		decoded, err = base64.StdEncoding.DecodeString(field)
+	} else {
+		// decode unpadded data
+		decoded, err = base64.RawStdEncoding.DecodeString(field)
+	}
+
+	if err != nil {
+		return
+	}
+
+	parts := strings.SplitN(string(decoded), ":", 2)
+	if len(parts) != 2 {
+		err = fmt.Errorf("must be formatted as base64(username:password)")
+		return
+	}
+
+	username = parts[0]
+	password = parts[1]
+
+	return
+}
+
+func encodeDockerConfigFieldAuth(username, password string) string {
+	return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
+}
@@ -0,0 +1,29 @@
+// Copyright 2018 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authn
+
+// Basic implements Authenticator for basic authentication.
+type Basic struct {
+	Username string
+	Password string
+}
+
+// Authorization implements Authenticator.
+func (b *Basic) Authorization() (*AuthConfig, error) {
+	return &AuthConfig{
+		Username: b.Username,
+		Password: b.Password,
+	}, nil
+}
@@ -0,0 +1,27 @@
+// Copyright 2018 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authn
+
+// Bearer implements Authenticator for bearer authentication.
+type Bearer struct {
+	Token string `json:"token"`
+}
+
+// Authorization implements Authenticator.
+func (b *Bearer) Authorization() (*AuthConfig, error) {
+	return &AuthConfig{
+		RegistryToken: b.Token,
+	}, nil
+}
@@ -0,0 +1,17 @@
+// Copyright 2018 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package authn defines different methods of authentication for
+// talking to a container registry.
+package authn
@@ -0,0 +1,294 @@
+// Copyright 2018 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authn
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/types"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/mitchellh/go-homedir"
+)
+
+// Resource represents a registry or repository that can be authenticated against.
+type Resource interface {
+	// String returns the full string representation of the target, e.g.
+	// gcr.io/my-project or just gcr.io.
+	String() string
+
+	// RegistryStr returns just the registry portion of the target, e.g. for
+	// gcr.io/my-project, this should just return gcr.io. This is needed to
+	// pull out an appropriate hostname.
+	RegistryStr() string
+}
+
+// Keychain is an interface for resolving an image reference to a credential.
+type Keychain interface {
+	// Resolve looks up the most appropriate credential for the specified target.
+	Resolve(Resource) (Authenticator, error)
+}
+
+// ContextKeychain is like Keychain, but allows for context to be passed in.
+type ContextKeychain interface {
+	ResolveContext(context.Context, Resource) (Authenticator, error)
+}
+
+// defaultKeychain implements Keychain with the semantics of the standard Docker
+// credential keychain.
+type defaultKeychain struct {
+	mu sync.Mutex
+}
+
+var (
+	// DefaultKeychain implements Keychain by interpreting the docker config file.
+	DefaultKeychain = &defaultKeychain{}
+)
+
+const (
+	// DefaultAuthKey is the key used for dockerhub in config files, which
+	// is hardcoded for historical reasons.
+	DefaultAuthKey = "https://" + name.DefaultRegistry + "/v1/"
+)
+
+// Resolve calls ResolveContext with ctx if the given [Keychain] implements [ContextKeychain],
+// otherwise it calls Resolve with the given [Resource].
+func Resolve(ctx context.Context, keychain Keychain, target Resource) (Authenticator, error) {
+	if rctx, ok := keychain.(ContextKeychain); ok {
+		return rctx.ResolveContext(ctx, target)
+	}
+
+	return keychain.Resolve(target)
+}
+
+// ResolveContext implements ContextKeychain.
+func (dk *defaultKeychain) Resolve(target Resource) (Authenticator, error) {
+	return dk.ResolveContext(context.Background(), target)
+}
+
+// Resolve implements Keychain.
+func (dk *defaultKeychain) ResolveContext(_ context.Context, target Resource) (Authenticator, error) {
+	dk.mu.Lock()
+	defer dk.mu.Unlock()
+
+	// Podman users may have their container registry auth configured in a
+	// different location, that Docker packages aren't aware of.
+	// If the Docker config file isn't found, we'll fallback to look where
+	// Podman configures it, and parse that as a Docker auth config instead.
+
+	// First, check $HOME/.docker/config.json
+	foundDockerConfig := false
+	home, err := homedir.Dir()
+	if err == nil {
+		foundDockerConfig = fileExists(filepath.Join(home, ".docker/config.json"))
+	}
+	// If $HOME/.docker/config.json isn't found, check $DOCKER_CONFIG (if set)
+	if !foundDockerConfig && os.Getenv("DOCKER_CONFIG") != "" {
+		foundDockerConfig = fileExists(filepath.Join(os.Getenv("DOCKER_CONFIG"), "config.json"))
+	}
+	// If either of those locations are found, load it using Docker's
+	// config.Load, which may fail if the config can't be parsed.
+	//
+	// If neither was found, look for Podman's auth at
+	// $REGISTRY_AUTH_FILE or $XDG_RUNTIME_DIR/containers/auth.json
+	// and attempt to load it as a Docker config.
+	//
+	// If neither are found, fallback to Anonymous.
+	var cf *configfile.ConfigFile
+	if foundDockerConfig {
+		cf, err = config.Load(os.Getenv("DOCKER_CONFIG"))
+		if err != nil {
+			return nil, err
+		}
+	} else if path := filepath.Clean(os.Getenv("REGISTRY_AUTH_FILE")); fileExists(path) {
+		f, err := os.Open(path)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+		cf, err = config.LoadFromReader(f)
+		if err != nil {
+			return nil, err
+		}
+	} else if path := filepath.Clean(filepath.Join(os.Getenv("XDG_RUNTIME_DIR"), "containers/auth.json")); fileExists(path) {
+		f, err := os.Open(path)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+		cf, err = config.LoadFromReader(f)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		return Anonymous, nil
+	}
+
+	// See:
+	// https://github.com/google/ko/issues/90
+	// https://github.com/moby/moby/blob/fc01c2b481097a6057bec3cd1ab2d7b4488c50c4/registry/config.go#L397-L404
+	var cfg, empty types.AuthConfig
+	for _, key := range []string{
+		target.String(),
+		target.RegistryStr(),
+	} {
+		if key == name.DefaultRegistry {
+			key = DefaultAuthKey
+		}
+
+		cfg, err = cf.GetAuthConfig(key)
+		if err != nil {
+			return nil, err
+		}
+		// cf.GetAuthConfig automatically sets the ServerAddress attribute. Since
+		// we don't make use of it, clear the value for a proper "is-empty" test.
+		// See: https://github.com/google/go-containerregistry/issues/1510
+		cfg.ServerAddress = ""
+		if cfg != empty {
+			break
+		}
+	}
+	if cfg == empty {
+		return Anonymous, nil
+	}
+
+	return FromConfig(AuthConfig{
+		Username:      cfg.Username,
+		Password:      cfg.Password,
+		Auth:          cfg.Auth,
+		IdentityToken: cfg.IdentityToken,
+		RegistryToken: cfg.RegistryToken,
+	}), nil
+}
+
+// fileExists returns true if the given path exists and is not a directory.
+func fileExists(path string) bool {
+	fi, err := os.Stat(path)
+	return err == nil && !fi.IsDir()
+}
+
+// Helper is a subset of the Docker credential helper credentials.Helper
+// interface used by NewKeychainFromHelper.
+//
+// See:
+// https://pkg.go.dev/github.com/docker/docker-credential-helpers/credentials#Helper
+type Helper interface {
+	Get(serverURL string) (string, string, error)
+}
+
+// NewKeychainFromHelper returns a Keychain based on a Docker credential helper
+// implementation that can Get username and password credentials for a given
+// server URL.
+func NewKeychainFromHelper(h Helper) Keychain { return wrapper{h} }
+
+type wrapper struct{ h Helper }
+
+func (w wrapper) Resolve(r Resource) (Authenticator, error) {
+	return w.ResolveContext(context.Background(), r)
+}
+
+func (w wrapper) ResolveContext(_ context.Context, r Resource) (Authenticator, error) {
+	u, p, err := w.h.Get(r.RegistryStr())
+	if err != nil {
+		return Anonymous, nil
+	}
+	// If the secret being stored is an identity token, the Username should be set to <token>
+	// ref: https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol
+	if u == "<token>" {
+		return FromConfig(AuthConfig{Username: u, IdentityToken: p}), nil
+	}
+	return FromConfig(AuthConfig{Username: u, Password: p}), nil
+}
+
+func RefreshingKeychain(inner Keychain, duration time.Duration) Keychain {
+	return &refreshingKeychain{
+		keychain: inner,
+		duration: duration,
+	}
+}
+
+type refreshingKeychain struct {
+	keychain Keychain
+	duration time.Duration
+	clock    func() time.Time
+}
+
+func (r *refreshingKeychain) Resolve(target Resource) (Authenticator, error) {
+	return r.ResolveContext(context.Background(), target)
+}
+
+func (r *refreshingKeychain) ResolveContext(ctx context.Context, target Resource) (Authenticator, error) {
+	last := time.Now()
+	auth, err := Resolve(ctx, r.keychain, target)
+	if err != nil || auth == Anonymous {
+		return auth, err
+	}
+	return &refreshing{
+		target:   target,
+		keychain: r.keychain,
+		last:     last,
+		cached:   auth,
+		duration: r.duration,
+		clock:    r.clock,
+	}, nil
+}
+
+type refreshing struct {
+	sync.Mutex
+	target   Resource
+	keychain Keychain
+
+	duration time.Duration
+
+	last   time.Time
+	cached Authenticator
+
+	// for testing
+	clock func() time.Time
+}
+
+func (r *refreshing) Authorization() (*AuthConfig, error) {
+	return r.AuthorizationContext(context.Background())
+}
+
+func (r *refreshing) AuthorizationContext(ctx context.Context) (*AuthConfig, error) {
+	r.Lock()
+	defer r.Unlock()
+	if r.cached == nil || r.expired() {
+		r.last = r.now()
+		auth, err := Resolve(ctx, r.keychain, r.target)
+		if err != nil {
+			return nil, err
+		}
+		r.cached = auth
+	}
+	return Authorization(ctx, r.cached)
+}
+
+func (r *refreshing) now() time.Time {
+	if r.clock == nil {
+		return time.Now()
+	}
+	return r.clock()
+}
+
+func (r *refreshing) expired() bool {
+	return r.now().Sub(r.last) > r.duration
+}
@@ -0,0 +1,47 @@
+// Copyright 2018 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authn
+
+import "context"
+
+type multiKeychain struct {
+	keychains []Keychain
+}
+
+// Assert that our multi-keychain implements Keychain.
+var _ (Keychain) = (*multiKeychain)(nil)
+
+// NewMultiKeychain composes a list of keychains into one new keychain.
+func NewMultiKeychain(kcs ...Keychain) Keychain {
+	return &multiKeychain{keychains: kcs}
+}
+
+// Resolve implements Keychain.
+func (mk *multiKeychain) Resolve(target Resource) (Authenticator, error) {
+	return mk.ResolveContext(context.Background(), target)
+}
+
+func (mk *multiKeychain) ResolveContext(ctx context.Context, target Resource) (Authenticator, error) {
+	for _, kc := range mk.keychains {
+		auth, err := Resolve(ctx, kc, target)
+		if err != nil {
+			return nil, err
+		}
+		if auth != Anonymous {
+			return auth, nil
+		}
+	}
+	return Anonymous, nil
+}