Move Ingress godeps to vendor/

vendor/k8s.io/kubernetes/pkg/credentialprovider/OWNERS

@@ -0,0 +1,3 @@
+assignees:
+  - erictune
+  - liggitt

vendor/k8s.io/kubernetes/pkg/credentialprovider/config.go

@@ -0,0 +1,256 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentialprovider
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/golang/glog"
+)
+
+// DockerConfigJson represents ~/.docker/config.json file info
+// see https://github.com/docker/docker/pull/12009
+type DockerConfigJson struct {
+	Auths       DockerConfig      `json:"auths"`
+	HttpHeaders map[string]string `json:"HttpHeaders,omitempty"`
+}
+
+// DockerConfig represents the config file used by the docker CLI.
+// This config that represents the credentials that should be used
+// when pulling images from specific image repositories.
+type DockerConfig map[string]DockerConfigEntry
+
+type DockerConfigEntry struct {
+	Username string
+	Password string
+	Email    string
+	Provider DockerConfigProvider
+}
+
+var (
+	preferredPathLock sync.Mutex
+	preferredPath     = ""
+	workingDirPath    = ""
+	homeDirPath       = os.Getenv("HOME")
+	rootDirPath       = "/"
+	homeJsonDirPath   = filepath.Join(homeDirPath, ".docker")
+	rootJsonDirPath   = filepath.Join(rootDirPath, ".docker")
+
+	configFileName     = ".dockercfg"
+	configJsonFileName = "config.json"
+)
+
+func SetPreferredDockercfgPath(path string) {
+	preferredPathLock.Lock()
+	defer preferredPathLock.Unlock()
+	preferredPath = path
+}
+
+func GetPreferredDockercfgPath() string {
+	preferredPathLock.Lock()
+	defer preferredPathLock.Unlock()
+	return preferredPath
+}
+
+func ReadDockerConfigFile() (cfg DockerConfig, err error) {
+	// Try happy path first - latest config file
+	dockerConfigJsonLocations := []string{GetPreferredDockercfgPath(), workingDirPath, homeJsonDirPath, rootJsonDirPath}
+	for _, configPath := range dockerConfigJsonLocations {
+		absDockerConfigFileLocation, err := filepath.Abs(filepath.Join(configPath, configJsonFileName))
+		if err != nil {
+			glog.Errorf("while trying to canonicalize %s: %v", configPath, err)
+			continue
+		}
+		glog.V(4).Infof("looking for .docker/config.json at %s", absDockerConfigFileLocation)
+		contents, err := ioutil.ReadFile(absDockerConfigFileLocation)
+		if os.IsNotExist(err) {
+			continue
+		}
+		if err != nil {
+			glog.V(4).Infof("while trying to read %s: %v", absDockerConfigFileLocation, err)
+			continue
+		}
+		cfg, err := readDockerConfigJsonFileFromBytes(contents)
+		if err == nil {
+			glog.V(4).Infof("found .docker/config.json at %s", absDockerConfigFileLocation)
+			return cfg, nil
+		}
+	}
+	glog.V(4).Infof("couldn't find valid .docker/config.json after checking in %v", dockerConfigJsonLocations)
+
+	// Can't find latest config file so check for the old one
+	dockerConfigFileLocations := []string{GetPreferredDockercfgPath(), workingDirPath, homeDirPath, rootDirPath}
+	for _, configPath := range dockerConfigFileLocations {
+		absDockerConfigFileLocation, err := filepath.Abs(filepath.Join(configPath, configFileName))
+		if err != nil {
+			glog.Errorf("while trying to canonicalize %s: %v", configPath, err)
+			continue
+		}
+		glog.V(4).Infof("looking for .dockercfg at %s", absDockerConfigFileLocation)
+		contents, err := ioutil.ReadFile(absDockerConfigFileLocation)
+		if os.IsNotExist(err) {
+			continue
+		}
+		if err != nil {
+			glog.V(4).Infof("while trying to read %s: %v", absDockerConfigFileLocation, err)
+			continue
+		}
+		cfg, err := readDockerConfigFileFromBytes(contents)
+		if err == nil {
+			glog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
+			return cfg, nil
+		}
+	}
+	return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", dockerConfigFileLocations)
+}
+
+// HttpError wraps a non-StatusOK error code as an error.
+type HttpError struct {
+	StatusCode int
+	Url        string
+}
+
+// Error implements error
+func (he *HttpError) Error() string {
+	return fmt.Sprintf("http status code: %d while fetching url %s",
+		he.StatusCode, he.Url)
+}
+
+func ReadUrl(url string, client *http.Client, header *http.Header) (body []byte, err error) {
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, err
+	}
+	if header != nil {
+		req.Header = *header
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		glog.V(2).Infof("body of failing http response: %v", resp.Body)
+		return nil, &HttpError{
+			StatusCode: resp.StatusCode,
+			Url:        url,
+		}
+	}
+
+	contents, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return contents, nil
+}
+
+func ReadDockerConfigFileFromUrl(url string, client *http.Client, header *http.Header) (cfg DockerConfig, err error) {
+	if contents, err := ReadUrl(url, client, header); err != nil {
+		return nil, err
+	} else {
+		return readDockerConfigFileFromBytes(contents)
+	}
+}
+
+func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+	if err = json.Unmarshal(contents, &cfg); err != nil {
+		glog.Errorf("while trying to parse blob %q: %v", contents, err)
+		return nil, err
+	}
+	return
+}
+
+func readDockerConfigJsonFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
+	var cfgJson DockerConfigJson
+	if err = json.Unmarshal(contents, &cfgJson); err != nil {
+		glog.Errorf("while trying to parse blob %q: %v", contents, err)
+		return nil, err
+	}
+	cfg = cfgJson.Auths
+	return
+}
+
+// dockerConfigEntryWithAuth is used solely for deserializing the Auth field
+// into a dockerConfigEntry during JSON deserialization.
+type dockerConfigEntryWithAuth struct {
+	Username string `json:"username,omitempty"`
+	Password string `json:"password,omitempty"`
+	Email    string `json:"email,omitempty"`
+	Auth     string `json:"auth,omitempty"`
+}
+
+func (ident *DockerConfigEntry) UnmarshalJSON(data []byte) error {
+	var tmp dockerConfigEntryWithAuth
+	err := json.Unmarshal(data, &tmp)
+	if err != nil {
+		return err
+	}
+
+	ident.Username = tmp.Username
+	ident.Password = tmp.Password
+	ident.Email = tmp.Email
+
+	if len(tmp.Auth) == 0 {
+		return nil
+	}
+
+	ident.Username, ident.Password, err = decodeDockerConfigFieldAuth(tmp.Auth)
+	return err
+}
+
+func (ident DockerConfigEntry) MarshalJSON() ([]byte, error) {
+	toEncode := dockerConfigEntryWithAuth{ident.Username, ident.Password, ident.Email, ""}
+	toEncode.Auth = encodeDockerConfigFieldAuth(ident.Username, ident.Password)
+
+	return json.Marshal(toEncode)
+}
+
+// decodeDockerConfigFieldAuth deserializes the "auth" field from dockercfg into a
+// username and a password. The format of the auth field is base64(<username>:<password>).
+func decodeDockerConfigFieldAuth(field string) (username, password string, err error) {
+	decoded, err := base64.StdEncoding.DecodeString(field)
+	if err != nil {
+		return
+	}
+
+	parts := strings.SplitN(string(decoded), ":", 2)
+	if len(parts) != 2 {
+		err = fmt.Errorf("unable to parse auth field")
+		return
+	}
+
+	username = parts[0]
+	password = parts[1]
+
+	return
+}
+
+func encodeDockerConfigFieldAuth(username, password string) string {
+	fieldValue := username + ":" + password
+
+	return base64.StdEncoding.EncodeToString([]byte(fieldValue))
+}

vendor/k8s.io/kubernetes/pkg/credentialprovider/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package credentialprovider supplies interfaces and implementations for
+// docker registry providers to expose their authentication scheme.
+package credentialprovider

vendor/k8s.io/kubernetes/pkg/credentialprovider/keyring.go

@@ -0,0 +1,338 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentialprovider
+
+import (
+	"encoding/json"
+	"net"
+	"net/url"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/golang/glog"
+
+	dockertypes "github.com/docker/engine-api/types"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/util/sets"
+)
+
+// DockerKeyring tracks a set of docker registry credentials, maintaining a
+// reverse index across the registry endpoints. A registry endpoint is made
+// up of a host (e.g. registry.example.com), but it may also contain a path
+// (e.g. registry.example.com/foo) This index is important for two reasons:
+// - registry endpoints may overlap, and when this happens we must find the
+//   most specific match for a given image
+// - iterating a map does not yield predictable results
+type DockerKeyring interface {
+	Lookup(image string) ([]LazyAuthConfiguration, bool)
+}
+
+// BasicDockerKeyring is a trivial map-backed implementation of DockerKeyring
+type BasicDockerKeyring struct {
+	index []string
+	creds map[string][]LazyAuthConfiguration
+}
+
+// lazyDockerKeyring is an implementation of DockerKeyring that lazily
+// materializes its dockercfg based on a set of dockerConfigProviders.
+type lazyDockerKeyring struct {
+	Providers []DockerConfigProvider
+}
+
+// LazyAuthConfiguration wraps dockertypes.AuthConfig, potentially deferring its
+// binding. If Provider is non-nil, it will be used to obtain new credentials
+// by calling LazyProvide() on it.
+type LazyAuthConfiguration struct {
+	dockertypes.AuthConfig
+	Provider DockerConfigProvider
+}
+
+func DockerConfigEntryToLazyAuthConfiguration(ident DockerConfigEntry) LazyAuthConfiguration {
+	return LazyAuthConfiguration{
+		AuthConfig: dockertypes.AuthConfig{
+			Username: ident.Username,
+			Password: ident.Password,
+			Email:    ident.Email,
+		},
+	}
+}
+
+func (dk *BasicDockerKeyring) Add(cfg DockerConfig) {
+	if dk.index == nil {
+		dk.index = make([]string, 0)
+		dk.creds = make(map[string][]LazyAuthConfiguration)
+	}
+	for loc, ident := range cfg {
+
+		var creds LazyAuthConfiguration
+		if ident.Provider != nil {
+			creds = LazyAuthConfiguration{
+				Provider: ident.Provider,
+			}
+		} else {
+			creds = DockerConfigEntryToLazyAuthConfiguration(ident)
+		}
+
+		value := loc
+		if !strings.HasPrefix(value, "https://") && !strings.HasPrefix(value, "http://") {
+			value = "https://" + value
+		}
+		parsed, err := url.Parse(value)
+		if err != nil {
+			glog.Errorf("Entry %q in dockercfg invalid (%v), ignoring", loc, err)
+			continue
+		}
+
+		// The docker client allows exact matches:
+		//    foo.bar.com/namespace
+		// Or hostname matches:
+		//    foo.bar.com
+		// It also considers /v2/  and /v1/ equivalent to the hostname
+		// See ResolveAuthConfig in docker/registry/auth.go.
+		effectivePath := parsed.Path
+		if strings.HasPrefix(effectivePath, "/v2/") || strings.HasPrefix(effectivePath, "/v1/") {
+			effectivePath = effectivePath[3:]
+		}
+		var key string
+		if (len(effectivePath) > 0) && (effectivePath != "/") {
+			key = parsed.Host + effectivePath
+		} else {
+			key = parsed.Host
+		}
+		dk.creds[key] = append(dk.creds[key], creds)
+		dk.index = append(dk.index, key)
+	}
+
+	eliminateDupes := sets.NewString(dk.index...)
+	dk.index = eliminateDupes.List()
+
+	// Update the index used to identify which credentials to use for a given
+	// image. The index is reverse-sorted so more specific paths are matched
+	// first. For example, if for the given image "quay.io/coreos/etcd",
+	// credentials for "quay.io/coreos" should match before "quay.io".
+	sort.Sort(sort.Reverse(sort.StringSlice(dk.index)))
+}
+
+const (
+	defaultRegistryHost = "index.docker.io"
+	defaultRegistryKey  = defaultRegistryHost + "/v1/"
+)
+
+// isDefaultRegistryMatch determines whether the given image will
+// pull from the default registry (DockerHub) based on the
+// characteristics of its name.
+func isDefaultRegistryMatch(image string) bool {
+	parts := strings.SplitN(image, "/", 2)
+
+	if len(parts[0]) == 0 {
+		return false
+	}
+
+	if len(parts) == 1 {
+		// e.g. library/ubuntu
+		return true
+	}
+
+	if parts[0] == "docker.io" || parts[0] == "index.docker.io" {
+		// resolve docker.io/image and index.docker.io/image as default registry
+		return true
+	}
+
+	// From: http://blog.docker.com/2013/07/how-to-use-your-own-registry/
+	// Docker looks for either a “.” (domain separator) or “:” (port separator)
+	// to learn that the first part of the repository name is a location and not
+	// a user name.
+	return !strings.ContainsAny(parts[0], ".:")
+}
+
+// url.Parse require a scheme, but ours don't have schemes.  Adding a
+// scheme to make url.Parse happy, then clear out the resulting scheme.
+func parseSchemelessUrl(schemelessUrl string) (*url.URL, error) {
+	parsed, err := url.Parse("https://" + schemelessUrl)
+	if err != nil {
+		return nil, err
+	}
+	// clear out the resulting scheme
+	parsed.Scheme = ""
+	return parsed, nil
+}
+
+// split the host name into parts, as well as the port
+func splitUrl(url *url.URL) (parts []string, port string) {
+	host, port, err := net.SplitHostPort(url.Host)
+	if err != nil {
+		// could not parse port
+		host, port = url.Host, ""
+	}
+	return strings.Split(host, "."), port
+}
+
+// overloaded version of urlsMatch, operating on strings instead of URLs.
+func urlsMatchStr(glob string, target string) (bool, error) {
+	globUrl, err := parseSchemelessUrl(glob)
+	if err != nil {
+		return false, err
+	}
+	targetUrl, err := parseSchemelessUrl(target)
+	if err != nil {
+		return false, err
+	}
+	return urlsMatch(globUrl, targetUrl)
+}
+
+// check whether the given target url matches the glob url, which may have
+// glob wild cards in the host name.
+//
+// Examples:
+//    globUrl=*.docker.io, targetUrl=blah.docker.io => match
+//    globUrl=*.docker.io, targetUrl=not.right.io   => no match
+//
+// Note that we don't support wildcards in ports and paths yet.
+func urlsMatch(globUrl *url.URL, targetUrl *url.URL) (bool, error) {
+	globUrlParts, globPort := splitUrl(globUrl)
+	targetUrlParts, targetPort := splitUrl(targetUrl)
+	if globPort != targetPort {
+		// port doesn't match
+		return false, nil
+	}
+	if len(globUrlParts) != len(targetUrlParts) {
+		// host name does not have the same number of parts
+		return false, nil
+	}
+	if !strings.HasPrefix(targetUrl.Path, globUrl.Path) {
+		// the path of the credential must be a prefix
+		return false, nil
+	}
+	for k, globUrlPart := range globUrlParts {
+		targetUrlPart := targetUrlParts[k]
+		matched, err := filepath.Match(globUrlPart, targetUrlPart)
+		if err != nil {
+			return false, err
+		}
+		if !matched {
+			// glob mismatch for some part
+			return false, nil
+		}
+	}
+	// everything matches
+	return true, nil
+}
+
+// Lookup implements the DockerKeyring method for fetching credentials based on image name.
+// Multiple credentials may be returned if there are multiple potentially valid credentials
+// available.  This allows for rotation.
+func (dk *BasicDockerKeyring) Lookup(image string) ([]LazyAuthConfiguration, bool) {
+	// range over the index as iterating over a map does not provide a predictable ordering
+	ret := []LazyAuthConfiguration{}
+	for _, k := range dk.index {
+		// both k and image are schemeless URLs because even though schemes are allowed
+		// in the credential configurations, we remove them in Add.
+		if matched, _ := urlsMatchStr(k, image); !matched {
+			continue
+		}
+
+		ret = append(ret, dk.creds[k]...)
+	}
+
+	if len(ret) > 0 {
+		return ret, true
+	}
+
+	// Use credentials for the default registry if provided, and appropriate
+	if isDefaultRegistryMatch(image) {
+		if auth, ok := dk.creds[defaultRegistryHost]; ok {
+			return auth, true
+		}
+	}
+
+	return []LazyAuthConfiguration{}, false
+}
+
+// Lookup implements the DockerKeyring method for fetching credentials
+// based on image name.
+func (dk *lazyDockerKeyring) Lookup(image string) ([]LazyAuthConfiguration, bool) {
+	keyring := &BasicDockerKeyring{}
+
+	for _, p := range dk.Providers {
+		keyring.Add(p.Provide())
+	}
+
+	return keyring.Lookup(image)
+}
+
+type FakeKeyring struct {
+	auth []LazyAuthConfiguration
+	ok   bool
+}
+
+func (f *FakeKeyring) Lookup(image string) ([]LazyAuthConfiguration, bool) {
+	return f.auth, f.ok
+}
+
+// unionDockerKeyring delegates to a set of keyrings.
+type unionDockerKeyring struct {
+	keyrings []DockerKeyring
+}
+
+func (k *unionDockerKeyring) Lookup(image string) ([]LazyAuthConfiguration, bool) {
+	authConfigs := []LazyAuthConfiguration{}
+	for _, subKeyring := range k.keyrings {
+		if subKeyring == nil {
+			continue
+		}
+
+		currAuthResults, _ := subKeyring.Lookup(image)
+		authConfigs = append(authConfigs, currAuthResults...)
+	}
+
+	return authConfigs, (len(authConfigs) > 0)
+}
+
+// MakeDockerKeyring inspects the passedSecrets to see if they contain any DockerConfig secrets.  If they do,
+// then a DockerKeyring is built based on every hit and unioned with the defaultKeyring.
+// If they do not, then the default keyring is returned
+func MakeDockerKeyring(passedSecrets []api.Secret, defaultKeyring DockerKeyring) (DockerKeyring, error) {
+	passedCredentials := []DockerConfig{}
+	for _, passedSecret := range passedSecrets {
+		if dockerConfigJsonBytes, dockerConfigJsonExists := passedSecret.Data[api.DockerConfigJsonKey]; (passedSecret.Type == api.SecretTypeDockerConfigJson) && dockerConfigJsonExists && (len(dockerConfigJsonBytes) > 0) {
+			dockerConfigJson := DockerConfigJson{}
+			if err := json.Unmarshal(dockerConfigJsonBytes, &dockerConfigJson); err != nil {
+				return nil, err
+			}
+
+			passedCredentials = append(passedCredentials, dockerConfigJson.Auths)
+		} else if dockercfgBytes, dockercfgExists := passedSecret.Data[api.DockerConfigKey]; (passedSecret.Type == api.SecretTypeDockercfg) && dockercfgExists && (len(dockercfgBytes) > 0) {
+			dockercfg := DockerConfig{}
+			if err := json.Unmarshal(dockercfgBytes, &dockercfg); err != nil {
+				return nil, err
+			}
+
+			passedCredentials = append(passedCredentials, dockercfg)
+		}
+	}
+
+	if len(passedCredentials) > 0 {
+		basicKeyring := &BasicDockerKeyring{}
+		for _, currCredentials := range passedCredentials {
+			basicKeyring.Add(currCredentials)
+		}
+		return &unionDockerKeyring{[]DockerKeyring{basicKeyring, defaultKeyring}}, nil
+	}
+
+	return defaultKeyring, nil
+}

vendor/k8s.io/kubernetes/pkg/credentialprovider/plugins.go

@@ -0,0 +1,62 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentialprovider
+
+import (
+	"sync"
+
+	"github.com/golang/glog"
+)
+
+// All registered credential providers.
+var providersMutex sync.Mutex
+var providers = make(map[string]DockerConfigProvider)
+
+// RegisterCredentialProvider is called by provider implementations on
+// initialization to register themselves, like so:
+//   func init() {
+//    	RegisterCredentialProvider("name", &myProvider{...})
+//   }
+func RegisterCredentialProvider(name string, provider DockerConfigProvider) {
+	providersMutex.Lock()
+	defer providersMutex.Unlock()
+	_, found := providers[name]
+	if found {
+		glog.Fatalf("Credential provider %q was registered twice", name)
+	}
+	glog.V(4).Infof("Registered credential provider %q", name)
+	providers[name] = provider
+}
+
+// NewDockerKeyring creates a DockerKeyring to use for resolving credentials,
+// which lazily draws from the set of registered credential providers.
+func NewDockerKeyring() DockerKeyring {
+	keyring := &lazyDockerKeyring{
+		Providers: make([]DockerConfigProvider, 0),
+	}
+
+	// TODO(mattmoor): iterating over the map is non-deterministic.  We should
+	// introduce the notion of priorities for conflict resolution.
+	for name, provider := range providers {
+		if provider.Enabled() {
+			glog.V(4).Infof("Registering credential provider: %v", name)
+			keyring.Providers = append(keyring.Providers, provider)
+		}
+	}
+
+	return keyring
+}

vendor/k8s.io/kubernetes/pkg/credentialprovider/provider.go

@@ -0,0 +1,119 @@
+/*
+Copyright 2014 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentialprovider
+
+import (
+	"os"
+	"reflect"
+	"sync"
+	"time"
+
+	dockertypes "github.com/docker/engine-api/types"
+	"github.com/golang/glog"
+)
+
+// DockerConfigProvider is the interface that registered extensions implement
+// to materialize 'dockercfg' credentials.
+type DockerConfigProvider interface {
+	Enabled() bool
+	Provide() DockerConfig
+	// LazyProvide() gets called after URL matches have been performed, so the
+	// location used as the key in DockerConfig would be redundant.
+	LazyProvide() *DockerConfigEntry
+}
+
+func LazyProvide(creds LazyAuthConfiguration) dockertypes.AuthConfig {
+	if creds.Provider != nil {
+		entry := *creds.Provider.LazyProvide()
+		return DockerConfigEntryToLazyAuthConfiguration(entry).AuthConfig
+	} else {
+		return creds.AuthConfig
+	}
+
+}
+
+// A DockerConfigProvider that simply reads the .dockercfg file
+type defaultDockerConfigProvider struct{}
+
+// init registers our default provider, which simply reads the .dockercfg file.
+func init() {
+	RegisterCredentialProvider(".dockercfg",
+		&CachingDockerConfigProvider{
+			Provider: &defaultDockerConfigProvider{},
+			Lifetime: 5 * time.Minute,
+		})
+}
+
+// CachingDockerConfigProvider implements DockerConfigProvider by composing
+// with another DockerConfigProvider and caching the DockerConfig it provides
+// for a pre-specified lifetime.
+type CachingDockerConfigProvider struct {
+	Provider DockerConfigProvider
+	Lifetime time.Duration
+
+	// cache fields
+	cacheDockerConfig DockerConfig
+	expiration        time.Time
+	mu                sync.Mutex
+}
+
+// Enabled implements dockerConfigProvider
+func (d *defaultDockerConfigProvider) Enabled() bool {
+	return true
+}
+
+// Provide implements dockerConfigProvider
+func (d *defaultDockerConfigProvider) Provide() DockerConfig {
+	// Read the standard Docker credentials from .dockercfg
+	if cfg, err := ReadDockerConfigFile(); err == nil {
+		return cfg
+	} else if !os.IsNotExist(err) {
+		glog.V(4).Infof("Unable to parse Docker config file: %v", err)
+	}
+	return DockerConfig{}
+}
+
+// LazyProvide implements dockerConfigProvider. Should never be called.
+func (d *defaultDockerConfigProvider) LazyProvide() *DockerConfigEntry {
+	return nil
+}
+
+// Enabled implements dockerConfigProvider
+func (d *CachingDockerConfigProvider) Enabled() bool {
+	return d.Provider.Enabled()
+}
+
+// LazyProvide implements dockerConfigProvider. Should never be called.
+func (d *CachingDockerConfigProvider) LazyProvide() *DockerConfigEntry {
+	return nil
+}
+
+// Provide implements dockerConfigProvider
+func (d *CachingDockerConfigProvider) Provide() DockerConfig {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	// If the cache hasn't expired, return our cache
+	if time.Now().Before(d.expiration) {
+		return d.cacheDockerConfig
+	}
+
+	glog.V(2).Infof("Refreshing cache for provider: %v", reflect.TypeOf(d.Provider).String())
+	d.cacheDockerConfig = d.Provider.Provide()
+	d.expiration = time.Now().Add(d.Lifetime)
+	return d.cacheDockerConfig
+}