Anonymous auth for openfaasltd images

alexellis · alexellis · commit ed0f2f4002d0 · 2026-03-24T13:26:49.000Z
Signed-off-by: Alex Ellis (OpenFaaS Ltd) &lt;alexellis2@gmail.com&gt;
diff --git a/cmd/oci/install.go b/cmd/oci/install.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/alexellis/arkade/pkg/archive"
 	"github.com/alexellis/arkade/pkg/env"
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/crane"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/spf13/cobra"
@@ -79,16 +80,7 @@ OCI image.`,
 			installPath, _ = cmd.Flags().GetString("path")
 		}
 
-		switch imageName {
-		case "vmmeter":
-			imageName = "ghcr.io/openfaasltd/vmmeter"
-		case "slicer":
-			imageName = "ghcr.io/openfaasltd/slicer"
-		case "superterm":
-			imageName = "ghcr.io/openfaasltd/superterm"
-		case "k3sup-pro":
-			imageName = "ghcr.io/openfaasltd/k3sup-pro"
-		}
+		imageName, forceAnonymousAuth := resolveShortcutImage(imageName)
 
 		if !strings.Contains(imageName, ":") {
 			imageName = imageName + ":" + version
@@ -133,7 +125,7 @@ OCI image.`,
 
 		downloadArch, downloadOS := getDownloadArch(clientArch, clientOS)
 
-		img, err = crane.Pull(imageName, crane.WithPlatform(&v1.Platform{Architecture: downloadArch, OS: downloadOS}))
+		img, err = crane.Pull(imageName, buildPullOptions(&v1.Platform{Architecture: downloadArch, OS: downloadOS}, forceAnonymousAuth)...)
 		if err != nil {
 			return fmt.Errorf("pulling %s: %w", imageName, err)
 		}
@@ -160,6 +152,33 @@ OCI image.`,
 	return command
 }
 
+func resolveShortcutImage(imageName string) (string, bool) {
+	switch imageName {
+	case "vmmeter":
+		return "ghcr.io/openfaasltd/vmmeter", true
+	case "slicer":
+		return "ghcr.io/openfaasltd/slicer", true
+	case "superterm":
+		return "ghcr.io/openfaasltd/superterm", true
+	case "k3sup-pro":
+		return "ghcr.io/openfaasltd/k3sup-pro", true
+	default:
+		return imageName, false
+	}
+}
+
+func buildPullOptions(platform *v1.Platform, forceAnonymousAuth bool) []crane.Option {
+	options := []crane.Option{
+		crane.WithPlatform(platform),
+	}
+
+	if forceAnonymousAuth {
+		options = append(options, crane.WithAuth(authn.Anonymous))
+	}
+
+	return options
+}
+
 func getDownloadArch(clientArch, clientOS string) (arch string, os string) {
 	downloadArch := strings.ToLower(clientArch)
 	downloadOS := strings.ToLower(clientOS)
diff --git a/cmd/oci/install_test.go b/cmd/oci/install_test.go
@@ -0,0 +1,94 @@
+// Copyright (c) arkade author(s) 2022. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+package oci
+
+import (
+	"reflect"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/crane"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+func TestResolveShortcutImage(t *testing.T) {
+	tests := []struct {
+		name              string
+		input             string
+		wantImage         string
+		wantAnonymousAuth bool
+	}{
+		{
+			name:              "vmmeter shortcut uses anonymous auth",
+			input:             "vmmeter",
+			wantImage:         "ghcr.io/openfaasltd/vmmeter",
+			wantAnonymousAuth: true,
+		},
+		{
+			name:              "slicer shortcut uses anonymous auth",
+			input:             "slicer",
+			wantImage:         "ghcr.io/openfaasltd/slicer",
+			wantAnonymousAuth: true,
+		},
+		{
+			name:              "superterm shortcut uses anonymous auth",
+			input:             "superterm",
+			wantImage:         "ghcr.io/openfaasltd/superterm",
+			wantAnonymousAuth: true,
+		},
+		{
+			name:              "k3sup-pro shortcut uses anonymous auth",
+			input:             "k3sup-pro",
+			wantImage:         "ghcr.io/openfaasltd/k3sup-pro",
+			wantAnonymousAuth: true,
+		},
+		{
+			name:              "fully qualified image is unchanged",
+			input:             "ghcr.io/openfaasltd/custom-tool",
+			wantImage:         "ghcr.io/openfaasltd/custom-tool",
+			wantAnonymousAuth: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			gotImage, gotAnonymousAuth := resolveShortcutImage(tc.input)
+			if gotImage != tc.wantImage {
+				t.Fatalf("want image %q, got %q", tc.wantImage, gotImage)
+			}
+			if gotAnonymousAuth != tc.wantAnonymousAuth {
+				t.Fatalf("want anonymous auth %v, got %v", tc.wantAnonymousAuth, gotAnonymousAuth)
+			}
+		})
+	}
+}
+
+func TestBuildPullOptions(t *testing.T) {
+	platform := &v1.Platform{Architecture: "amd64", OS: "linux"}
+
+	t.Run("default uses keychain auth", func(t *testing.T) {
+		opts := crane.GetOptions(buildPullOptions(platform, false)...)
+		if opts.Platform != platform {
+			t.Fatalf("want platform %p, got %p", platform, opts.Platform)
+		}
+
+		authOptionName := runtime.FuncForPC(reflect.ValueOf(opts.Remote[0]).Pointer()).Name()
+		if !strings.Contains(authOptionName, "WithAuthFromKeychain") {
+			t.Fatalf("want keychain auth option, got %q", authOptionName)
+		}
+	})
+
+	t.Run("anonymous auth overrides keychain", func(t *testing.T) {
+		opts := crane.GetOptions(buildPullOptions(platform, true)...)
+		if opts.Platform != platform {
+			t.Fatalf("want platform %p, got %p", platform, opts.Platform)
+		}
+
+		authOptionName := runtime.FuncForPC(reflect.ValueOf(opts.Remote[0]).Pointer()).Name()
+		if !strings.Contains(authOptionName, "WithAuth") || strings.Contains(authOptionName, "WithAuthFromKeychain") {
+			t.Fatalf("want anonymous auth option, got %q", authOptionName)
+		}
+	})
+}
