oci: Support DOCKERHUB_AUTH

Also update FAQ to thank Docker for supporting the public instance.

Author: jonjohnsonjr

cmd/oci/main.go

@@ -7,10 +7,12 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/gcrane"
 	"github.com/google/go-containerregistry/pkg/logs"
+	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/jonjohnsonjr/dagdotdev/internal/explore"
 
 	sha256simd "github.com/minio/sha256-simd"
@@ -57,9 +59,45 @@ func main() {
 		kcs = append(kcs, gcrane.Keychain)
 	}
 
+	if dh := os.Getenv("DOCKERHUB_AUTH"); dh != "" {
+		kc, err := newHubKeychain(dh)
+		if err != nil {
+			log.Fatal(err)
+		}
+		kcs = append(kcs, kc)
+	}
+
 	if len(kcs) != 0 {
 		opt = append(opt, explore.WithKeychain(authn.NewMultiKeychain(kcs...)))
 	}
 
 	log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), explore.New(opt...)))
 }
+
+func newHubKeychain(env string) (*keychain, error) {
+	user, pass, ok := strings.Cut(env, ":")
+	if !ok {
+		return nil, fmt.Errorf("invalid DOCKERHUB_AUTH, expected user:pass")
+	}
+
+	return &keychain{
+		user: user,
+		pass: pass,
+	}, nil
+}
+
+type keychain struct {
+	user string
+	pass string
+}
+
+func (k *keychain) Resolve(r authn.Resource) (authn.Authenticator, error) {
+	if r.RegistryStr() != name.DefaultRegistry {
+		return authn.Anonymous, nil
+	}
+
+	return authn.FromConfig(authn.AuthConfig{
+		Username: k.user,
+		Password: k.pass,
+	}), nil
+}

internal/explore/templates.go

@@ -121,10 +121,14 @@ Enter a <strong>public</strong> repository, e.g. <tt>"ubuntu"</tt>:
 <p>
 This service lives on <a href="https://cloud.run">Cloud Run</a> and uses <a href="https://github.com/google/go-containerregistry">google/go-containerregistry</a> for registry interactions.
 </p>
+<h4>Isn't this expensive to run?</h4>
+<p>Not really! Ingress is cheap, Cloud Run is cheap, and GCS is cheap.</p>
+<p>To avoid paying for egress, I limit the amount of data that I'll serve directly and instead give you a command you can run on your own machine.</p>
+<p>The most expensive part of this is actually the domain name.</p>
 <h4>Isn't this expensive for the registry?</h4>
-<p>
-Not really! The first time a layer is accessed, I download and index it. Browsing the filesystem just uses that index, and opening a file uses Range requests to load small chunks of the layer as needed.
-</p>
+<p>Not really! The first time a layer is accessed, I download and index it. Browsing the filesystem just uses that index, and opening a file uses Range requests to load small chunks of the layer as needed.</p>
+<p>Since I only have to download the whole layer once, this actually reduces traffic to the registry in a lot of cases, e.g. if you share a link with someone rather than having them pull the whole image on their machine.</p>
+<p>In fact, Docker has graciously sponsored this service by providing me an account with unlimited public Docker Hub access. Thanks, Docker!</p>
 <h4>That can't be true, gzip doesn't support random access!</h4>
 <p>
 That's not a question.