[ingest/edgefunction] Fix .dockerconfigjson parsing

Author: dilyevsky

go.mod

@@ -374,6 +374,7 @@ require (
 k8s.io/apiextensions-apiserver v0.30.1 // indirect
 k8s.io/component-base v0.30.1 // indirect
 k8s.io/kms v0.30.1 // indirect
+k8s.io/kubernetes v1.30.1 // indirect
 lukechampine.com/uint128 v1.3.0 // indirect
 modernc.org/cc/v3 v3.41.0 // indirect
 modernc.org/ccgo/v3 v3.17.0 // indirect

go.sum

@@ -2805,6 +2805,8 @@ k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C
 k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
 k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 h1:Q8Z7VlGhcJgBHJHYugJ/K/7iB8a2eSxCyxdVjJp+lLY=
 k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
+k8s.io/kubernetes v1.30.1 h1:XlqS6KslLEA5mQzLK2AJrhr4Z1m8oJfkhHiWJ5lue+I=
+k8s.io/kubernetes v1.30.1/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0=
 k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=

pkg/apiserver/ingest/edgefunction.go

@@ -27,6 +27,7 @@ import (
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
 "k8s.io/client-go/util/retry"
+"k8s.io/kubernetes/pkg/credentialprovider"
 "oras.land/oras-go/v2"
 "oras.land/oras-go/v2/content"
 "oras.land/oras-go/v2/content/file"
@@ -420,6 +421,8 @@ func (w *worker) pullOCIImage(
 return nil, errors.New("k8s environment is not set")
 }
 
+log.Info("Getting OCI credentials from secret", "SecretNamespace", secretRef.Namespace, "SecretName", secretRef.Name)
+
 secret, err := w.k8s.CoreV1().Secrets(string(secretRef.Namespace)).Get(ctx, string(secretRef.Name), metav1.GetOptions{})
 if err != nil {
 return nil, fmt.Errorf("failed to get secret: %w", err)
@@ -428,15 +431,25 @@ func (w *worker) pullOCIImage(
 return nil, fmt.Errorf("invalid secret type %q, expected %q", secret.Type, "kubernetes.io/dockerconfigjson")
 }
 encodedToken := secret.Data[".dockerconfigjson"]
-var dockerConfig struct {
-Auths map[string]auth.Credential `json:"auths"`
+if len(encodedToken) == 0 {
+return nil, fmt.Errorf("no .dockerconfigjson data found in secret")
 }
+var dockerConfig credentialprovider.DockerConfigJSON
 if err := json.Unmarshal(encodedToken, &dockerConfig); err != nil {
 return nil, fmt.Errorf("failed to parse dockerconfigjson: %w", err)
 }
 
 credsFunc = func(_ context.Context, _ string) (auth.Credential, error) {
-return dockerConfig.Auths[repo.Reference.Registry], nil
+authKey := filepath.Join(repo.Reference.Registry, repo.Reference.Repository)
+r, ok := dockerConfig.Auths[authKey]
+if !ok {
+return auth.EmptyCredential, fmt.Errorf("no credentials found for registry %s", authKey)
+}
+log.Info("Found credentials for registry", "registry", authKey, "username", r.Username)
+return auth.Credential{
+Username: r.Username,
+Password: r.Password,
+}, nil
 }
 } else {
 // TODO(dilyevsky): Support other kinds of secrets for non-k8s environments.