containerd/pull: Use authorization

- containerd/pull: Use authorization
- containerd/auth: Check if registry hostname matches

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

daemon/containerd/image_pull.go

@@ -41,6 +41,9 @@ func (i *ImageService) PullImage(ctx context.Context, image, tagOrDigest string,
 		}
 	}
 
+	resolver := newResolverFromAuthConfig(authConfig)
+	opts = append(opts, containerd.WithResolver(resolver))
+
 	_, err = i.client.Pull(ctx, ref.String(), opts...)
 	return err
 }

daemon/containerd/resolver.go

@@ -0,0 +1,35 @@
+package containerd
+
+import (
+	"github.com/containerd/containerd/remotes"
+	"github.com/containerd/containerd/remotes/docker"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/registry"
+	"github.com/sirupsen/logrus"
+)
+
+func newResolverFromAuthConfig(authConfig *registrytypes.AuthConfig) remotes.Resolver {
+	opts := []docker.RegistryOpt{}
+	if authConfig != nil {
+		cfgHost := registry.ConvertToHostname(authConfig.ServerAddress)
+		if cfgHost == registry.IndexHostname {
+			cfgHost = registry.DefaultRegistryHost
+		}
+		authorizer := docker.NewDockerAuthorizer(docker.WithAuthCreds(func(host string) (string, string, error) {
+			if cfgHost != host {
+				logrus.WithField("host", host).WithField("cfgHost", cfgHost).Warn("Host doesn't match")
+				return "", "", nil
+			}
+			if authConfig.IdentityToken != "" {
+				return "", authConfig.IdentityToken, nil
+			}
+			return authConfig.Username, authConfig.Password, nil
+		}))
+
+		opts = append(opts, docker.WithAuthorizer(authorizer))
+	}
+
+	return docker.NewResolver(docker.ResolverOptions{
+		Hosts: docker.ConfigureDefaultRegistries(opts...),
+	})
+}