Add X-Registry-Config support

* Refactor auth pkg to support X-Registry-Config
* Refactor build endpoint to support X-Registry-Config. Supports:
  * --creds
  * --authfile
* Added X-Reference-Id Header to http.Request to support log event
  correlation
* Log headers from http.Request

Signed-off-by: Jhon Honce <jhonce@redhat.com>

12 files changed, 222 insertions, 72 deletions

diff --git a/pkg/api/handlers/compat/images.go b/pkg/api/handlers/compat/images.go
index 0900d1793..940b57343 100644
--- a/pkg/api/handlers/compat/images.go
+++ b/pkg/api/handlers/compat/images.go
@@ -93,7 +93,7 @@ func PruneImages(w http.ResponseWriter, r *http.Request) {
 		})
 	}
 
-	//FIXME/TODO to do this exactly correct, pruneimages needs to return idrs and space-reclaimed, then we are golden
+	// FIXME/TODO to do this exactly correct, pruneimages needs to return idrs and space-reclaimed, then we are golden
 	ipr := types.ImagesPruneReport{
 		ImagesDeleted:  idr,
 		SpaceReclaimed: 1, // TODO we cannot supply this right now
@@ -113,7 +113,7 @@ func CommitContainer(w http.ResponseWriter, r *http.Request) {
 		Changes   string `schema:"changes"`
 		Comment   string `schema:"comment"`
 		Container string `schema:"container"`
-		//fromSrc   string  # fromSrc is currently unused
+		// fromSrc   string  # fromSrc is currently unused
 		Pause bool   `schema:"pause"`
 		Repo  string `schema:"repo"`
 		Tag   string `schema:"tag"`
@@ -224,7 +224,7 @@ func CreateImageFromSrc(w http.ResponseWriter, r *http.Request) {
 		Status         string            `json:"status"`
 		Progress       string            `json:"progress"`
 		ProgressDetail map[string]string `json:"progressDetail"`
-		Id             string            `json:"id"` //nolint
+		Id             string            `json:"id"` // nolint
 	}{
 		Status:         iid,
 		ProgressDetail: map[string]string{},
@@ -257,9 +257,9 @@ func CreateImageFromImage(w http.ResponseWriter, r *http.Request) {
 		fromImage = fmt.Sprintf("%s:%s", fromImage, query.Tag)
 	}
 
-	authConf, authfile, err := auth.GetCredentials(r)
+	authConf, authfile, key, err := auth.GetCredentials(r)
 	if err != nil {
-		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		utils.Error(w, "Failed to retrieve repository credentials", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", key, r.URL.String()))
 		return
 	}
 	defer auth.RemoveAuthfile(authfile)
@@ -299,7 +299,7 @@ func CreateImageFromImage(w http.ResponseWriter, r *http.Request) {
 		Error          string            `json:"error"`
 		Progress       string            `json:"progress"`
 		ProgressDetail map[string]string `json:"progressDetail"`
-		Id             string            `json:"id"` //nolint
+		Id             string            `json:"id"` // nolint
 	}{
 		Status:         fmt.Sprintf("pulling image (%s) from %s", img.Tag, strings.Join(img.Names(), ", ")),
 		ProgressDetail: map[string]string{},
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index fbaf8d10a..0ce70975d 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -2,7 +2,6 @@ package compat
 
 import (
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -11,13 +10,13 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
-	"strings"
 
 	"github.com/containers/buildah"
 	"github.com/containers/buildah/imagebuildah"
+	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v2/libpod"
-	"github.com/containers/podman/v2/pkg/api/handlers"
 	"github.com/containers/podman/v2/pkg/api/handlers/utils"
+	"github.com/containers/podman/v2/pkg/auth"
 	"github.com/containers/podman/v2/pkg/channel"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/gorilla/schema"
@@ -26,15 +25,6 @@ import (
 )
 
 func BuildImage(w http.ResponseWriter, r *http.Request) {
-	authConfigs := map[string]handlers.AuthConfig{}
-	if hdr, found := r.Header["X-Registry-Config"]; found && len(hdr) > 0 {
-		authConfigsJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(hdr[0]))
-		if json.NewDecoder(authConfigsJSON).Decode(&authConfigs) != nil {
-			utils.BadRequest(w, "X-Registry-Config", hdr[0], json.NewDecoder(authConfigsJSON).Decode(&authConfigs))
-			return
-		}
-	}
-
 	if hdr, found := r.Header["Content-Type"]; found && len(hdr) > 0 {
 		contentType := hdr[0]
 		switch contentType {
@@ -151,6 +141,14 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	creds, authfile, key, err := auth.GetCredentials(r)
+	if err != nil {
+		// Credential value(s) not returned as their value is not human readable
+		utils.BadRequest(w, key.String(), "n/a", err)
+		return
+	}
+	defer auth.RemoveAuthfile(authfile)
+
 	// Channels all mux'ed in select{} below to follow API build protocol
 	stdout := channel.NewWriter(make(chan []byte, 1))
 	defer stdout.Close()
@@ -179,6 +177,10 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 		Err:                            auxout,
 		ReportWriter:                   reporter,
 		OutputFormat:                   buildah.Dockerv2ImageManifest,
+		SystemContext: &types.SystemContext{
+			AuthFilePath:     authfile,
+			DockerAuthConfig: creds,
+		},
 		CommonBuildOpts: &buildah.CommonBuildOptions{
 			CPUPeriod:  query.CpuPeriod,
 			CPUQuota:   query.CpuQuota,
diff --git a/pkg/api/handlers/compat/images_push.go b/pkg/api/handlers/compat/images_push.go
index e69a2212a..dd706a156 100644
--- a/pkg/api/handlers/compat/images_push.go
+++ b/pkg/api/handlers/compat/images_push.go
@@ -49,9 +49,9 @@ func PushImage(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	authConf, authfile, err := auth.GetCredentials(r)
+	authConf, authfile, key, err := auth.GetCredentials(r)
 	if err != nil {
-		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", key, r.URL.String()))
 		return
 	}
 	defer auth.RemoveAuthfile(authfile)
diff --git a/pkg/api/handlers/libpod/images.go b/pkg/api/handlers/libpod/images.go
index bc1bdc287..3ebf6e4c6 100644
--- a/pkg/api/handlers/libpod/images.go
+++ b/pkg/api/handlers/libpod/images.go
@@ -438,9 +438,9 @@ func PushImage(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	authConf, authfile, err := auth.GetCredentials(r)
+	authConf, authfile, key, err := auth.GetCredentials(r)
 	if err != nil {
-		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		utils.Error(w, "Failed to retrieve repository credentials", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", key, r.URL.String()))
 		return
 	}
 	defer auth.RemoveAuthfile(authfile)
diff --git a/pkg/api/handlers/libpod/images_pull.go b/pkg/api/handlers/libpod/images_pull.go
index ad8d1f38e..791ef7a48 100644
--- a/pkg/api/handlers/libpod/images_pull.go
+++ b/pkg/api/handlers/libpod/images_pull.go
@@ -74,9 +74,9 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	authConf, authfile, err := auth.GetCredentials(r)
+	authConf, authfile, key, err := auth.GetCredentials(r)
 	if err != nil {
-		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		utils.Error(w, "Failed to retrieve repository credentials", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", key, r.URL.String()))
 		return
 	}
 	defer auth.RemoveAuthfile(authfile)
diff --git a/pkg/api/handlers/libpod/play.go b/pkg/api/handlers/libpod/play.go
index 59f78da8c..2296e170a 100644
--- a/pkg/api/handlers/libpod/play.go
+++ b/pkg/api/handlers/libpod/play.go
@@ -48,9 +48,9 @@ func PlayKube(w http.ResponseWriter, r *http.Request) {
 		utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "error closing temporary file"))
 		return
 	}
-	authConf, authfile, err := auth.GetCredentials(r)
+	authConf, authfile, key, err := auth.GetCredentials(r)
 	if err != nil {
-		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		utils.Error(w, "Failed to retrieve repository credentials", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", key, r.URL.String()))
 		return
 	}
 	defer auth.RemoveAuthfile(authfile)
diff --git a/pkg/api/server/handler_api.go b/pkg/api/server/handler_api.go
index 920811c51..28f5a0b42 100644
--- a/pkg/api/server/handler_api.go
+++ b/pkg/api/server/handler_api.go
@@ -7,7 +7,9 @@ import (
 	"runtime"
 
 	"github.com/containers/podman/v2/pkg/api/handlers/utils"
-	log "github.com/sirupsen/logrus"
+	"github.com/containers/podman/v2/pkg/auth"
+	"github.com/google/uuid"
+	"github.com/sirupsen/logrus"
 )
 
 // APIHandler is a wrapper to enhance HandlerFunc's and remove redundant code
@@ -19,7 +21,7 @@ func (s *APIServer) APIHandler(h http.HandlerFunc) http.HandlerFunc {
 			if err != nil {
 				buf := make([]byte, 1<<20)
 				n := runtime.Stack(buf, true)
-				log.Warnf("Recovering from API handler panic: %v, %s", err, buf[:n])
+				logrus.Warnf("Recovering from API handler panic: %v, %s", err, buf[:n])
 				// Try to inform client things went south... won't work if handler already started writing response body
 				utils.InternalServerError(w, fmt.Errorf("%v", err))
 			}
@@ -27,10 +29,23 @@ func (s *APIServer) APIHandler(h http.HandlerFunc) http.HandlerFunc {
 
 		// Wrapper to hide some boiler plate
 		fn := func(w http.ResponseWriter, r *http.Request) {
-			log.Debugf("APIHandler -- Method: %s URL: %s", r.Method, r.URL.String())
+			rid := uuid.New().String()
+			if logrus.IsLevelEnabled(logrus.DebugLevel) {
+				logrus.Debugf("APIHandler(%s) -- Method: %s URL: %s", rid, r.Method, r.URL.String())
+				for k, v := range r.Header {
+					switch auth.HeaderAuthName(k) {
+					case auth.XRegistryConfigHeader, auth.XRegistryAuthHeader:
+						logrus.Debugf("APIHandler(%s) -- Header: %s: <hidden>", rid, k)
+					default:
+						logrus.Debugf("APIHandler(%s) -- Header: %s: %v", rid, k, v)
+					}
+				}
+			}
+			// Set in case handler wishes to correlate logging events
+			r.Header.Set("X-Reference-Id", rid)
 
 			if err := r.ParseForm(); err != nil {
-				log.Infof("Failed Request: unable to parse form: %q", err)
+				logrus.Infof("Failed Request: unable to parse form: %q (%s)", err, rid)
 			}
 
 			// TODO: Use r.ConnContext when ported to go 1.13
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index 69a7da869..fcbf6fe39 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"net/http"
 	"os"
@@ -15,21 +16,98 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// XRegistryAuthHeader is the key to the encoded registry authentication
-// configuration in an http-request header.
-const XRegistryAuthHeader = "X-Registry-Auth"
+type HeaderAuthName string
 
-// GetCredentials extracts one or more DockerAuthConfigs from the request's
+func (h HeaderAuthName) String() string { return string(h) }
+
+// XRegistryAuthHeader is the key to the encoded registry authentication configuration in an http-request header.
+// This header supports one registry per header occurrence. To support N registries provided N headers, one per registry.
+// As of Docker API 1.40 and Libpod API 1.0.0, this header is supported by all endpoints.
+const XRegistryAuthHeader HeaderAuthName = "X-Registry-Auth"
+
+// XRegistryConfigHeader is the key to the encoded registry authentication configuration in an http-request header.
+// This header supports N registries in one header via a Base64 encoded, JSON map.
+// As of Docker API 1.40 and Libpod API 2.0.0, this header is supported by build endpoints.
+const XRegistryConfigHeader HeaderAuthName = "X-Registry-Config"
+
+// GetCredentials queries the http.Request for X-Registry-.* headers and extracts
+// the necessary authentication information for libpod operations
+func GetCredentials(r *http.Request) (*types.DockerAuthConfig, string, HeaderAuthName, error) {
+	has := func(key HeaderAuthName) bool { hdr, found := r.Header[string(key)]; return found && len(hdr) > 0 }
+	switch {
+	case has(XRegistryConfigHeader):
+		c, f, err := getConfigCredentials(r)
+		return c, f, XRegistryConfigHeader, err
+	case has(XRegistryAuthHeader):
+		c, f, err := getAuthCredentials(r)
+		return c, f, XRegistryAuthHeader, err
+
+	}
+	return nil, "", "", nil
+}
+
+// getConfigCredentials extracts one or more docker.AuthConfig from the request's
+// header.  An empty key will be used as default while a named registry will be
+// returned as types.DockerAuthConfig
+func getConfigCredentials(r *http.Request) (*types.DockerAuthConfig, string, error) {
+	var auth *types.DockerAuthConfig
+	configs := make(map[string]types.DockerAuthConfig)
+
+	for _, h := range r.Header[string(XRegistryConfigHeader)] {
+		param, err := base64.URLEncoding.DecodeString(h)
+		if err != nil {
+			return nil, "", errors.Wrapf(err, "failed to decode %q", XRegistryConfigHeader)
+		}
+
+		ac := make(map[string]dockerAPITypes.AuthConfig)
+		err = json.Unmarshal(param, &ac)
+		if err != nil {
+			return nil, "", errors.Wrapf(err, "failed to unmarshal %q", XRegistryConfigHeader)
+		}
+
+		for k, v := range ac {
+			configs[k] = dockerAuthToImageAuth(v)
+		}
+	}
+
+	// Empty key implies no registry given in API
+	if c, found := configs[""]; found {
+		auth = &c
+	}
+
+	// Override any default given above if specialized credentials provided
+	if registries, found := r.URL.Query()["registry"]; found {
+		for _, r := range registries {
+			for k, v := range configs {
+				if strings.Contains(k, r) {
+					v := v
+					auth = &v
+					break
+				}
+			}
+			if auth != nil {
+				break
+			}
+		}
+
+		if auth == nil {
+			logrus.Debugf("%q header found in request, but \"registry=%v\" query parameter not provided",
+				XRegistryConfigHeader, registries)
+		} else {
+			logrus.Debugf("%q header found in request for username %q", XRegistryConfigHeader, auth.Username)
+		}
+	}
+
+	authfile, err := authConfigsToAuthFile(configs)
+	return auth, authfile, err
+}
+
+// getAuthCredentials extracts one or more DockerAuthConfigs from the request's
 // header.  The header could specify a single-auth config in which case the
 // first return value is set.  In case of a multi-auth header, the contents are
 // stored in a temporary auth file (2nd return value).  Note that the auth file
 // should be removed after usage.
-func GetCredentials(r *http.Request) (*types.DockerAuthConfig, string, error) {
-	authHeader := r.Header.Get(XRegistryAuthHeader)
-	if len(authHeader) == 0 {
-		return nil, "", nil
-	}
-
+func getAuthCredentials(r *http.Request) (*types.DockerAuthConfig, string, error) {
 	// First look for a multi-auth header (i.e., a map).
 	authConfigs, err := multiAuthHeader(r)
 	if err == nil {
@@ -51,38 +129,75 @@ func GetCredentials(r *http.Request) (*types.DockerAuthConfig, string, error) {
 	return conf, "", nil
 }
 
-// Header returns a map with the XRegistryAuthHeader set which can
+// Header builds the requested Authentication Header
+func Header(sys *types.SystemContext, headerName HeaderAuthName, authfile, username, password string) (map[string]string, error) {
+	var (
+		content string
+		err     error
+	)
+	switch headerName {
+	case XRegistryAuthHeader:
+		content, err = headerAuth(sys, authfile, username, password)
+	case XRegistryConfigHeader:
+		content, err = headerConfig(sys, authfile, username, password)
+	default:
+		err = fmt.Errorf("unsupported authentication header: %q", headerName)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(content) > 0 {
+		return map[string]string{string(headerName): content}, nil
+	}
+	return nil, nil
+}
+
+// headerConfig returns a map with the XRegistryConfigHeader set which can
 // conveniently be used in the http stack.
-func Header(sys *types.SystemContext, authfile, username, password string) (map[string]string, error) {
-	var content string
-	var err error
+func headerConfig(sys *types.SystemContext, authfile, username, password string) (string, error) {
+	if sys == nil {
+		sys = &types.SystemContext{}
+	}
+	if authfile != "" {
+		sys.AuthFilePath = authfile
+	}
+	authConfigs, err := imageAuth.GetAllCredentials(sys)
+	if err != nil {
+		return "", err
+	}
 
 	if username != "" {
-		content, err = encodeSingleAuthConfig(types.DockerAuthConfig{Username: username, Password: password})
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		if sys == nil {
-			sys = &types.SystemContext{}
-		}
-		if authfile != "" {
-			sys.AuthFilePath = authfile
-		}
-		authConfigs, err := imageAuth.GetAllCredentials(sys)
-		if err != nil {
-			return nil, err
-		}
-		content, err = encodeMultiAuthConfigs(authConfigs)
-		if err != nil {
-			return nil, err
+		authConfigs[""] = types.DockerAuthConfig{
+			Username: username,
+			Password: password,
 		}
 	}
 
-	header := make(map[string]string)
-	header[XRegistryAuthHeader] = content
+	if len(authConfigs) == 0 {
+		return "", nil
+	}
+	return encodeMultiAuthConfigs(authConfigs)
+}
 
-	return header, nil
+// headerAuth returns a base64 encoded map with the XRegistryAuthHeader set which can
+// conveniently be used in the http stack.
+func headerAuth(sys *types.SystemContext, authfile, username, password string) (string, error) {
+	if username != "" {
+		return encodeSingleAuthConfig(types.DockerAuthConfig{Username: username, Password: password})
+	}
+
+	if sys == nil {
+		sys = &types.SystemContext{}
+	}
+	if authfile != "" {
+		sys.AuthFilePath = authfile
+	}
+	authConfigs, err := imageAuth.GetAllCredentials(sys)
+	if err != nil {
+		return "", err
+	}
+	return encodeMultiAuthConfigs(authConfigs)
 }
 
 // RemoveAuthfile is a convenience function that is meant to be called in a
@@ -180,7 +295,7 @@ func imageAuthToDockerAuth(authConfig types.DockerAuthConfig) dockerAPITypes.Aut
 // singleAuthHeader extracts a DockerAuthConfig from the request's header.
 // The header content is a single DockerAuthConfig.
 func singleAuthHeader(r *http.Request) (map[string]types.DockerAuthConfig, error) {
-	authHeader := r.Header.Get(XRegistryAuthHeader)
+	authHeader := r.Header.Get(string(XRegistryAuthHeader))
 	authConfig := dockerAPITypes.AuthConfig{}
 	if len(authHeader) > 0 {
 		authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authHeader))
@@ -196,7 +311,7 @@ func singleAuthHeader(r *http.Request) (map[string]types.DockerAuthConfig, error
 // multiAuthHeader extracts a DockerAuthConfig from the request's header.
 // The header content is a map[string]DockerAuthConfigs.
 func multiAuthHeader(r *http.Request) (map[string]types.DockerAuthConfig, error) {
-	authHeader := r.Header.Get(XRegistryAuthHeader)
+	authHeader := r.Header.Get(string(XRegistryAuthHeader))
 	if len(authHeader) == 0 {
 		return nil, nil
 	}
diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go
index 9082670a7..f52ba4e72 100644
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 
 	"github.com/containers/buildah"
+	"github.com/containers/podman/v2/pkg/auth"
 	"github.com/containers/podman/v2/pkg/bindings"
 	"github.com/containers/podman/v2/pkg/domain/entities"
 	"github.com/docker/go-units"
@@ -93,6 +94,23 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO
 		params.Set("labels", l)
 	}
 
+	var (
+		headers map[string]string
+		err     error
+	)
+	if options.SystemContext == nil {
+		headers, err = auth.Header(options.SystemContext, auth.XRegistryConfigHeader, "", "", "")
+	} else {
+		if options.SystemContext.DockerAuthConfig != nil {
+			headers, err = auth.Header(options.SystemContext, auth.XRegistryAuthHeader, options.SystemContext.AuthFilePath, options.SystemContext.DockerAuthConfig.Username, options.SystemContext.DockerAuthConfig.Password)
+		} else {
+			headers, err = auth.Header(options.SystemContext, auth.XRegistryConfigHeader, options.SystemContext.AuthFilePath, "", "")
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+
 	stdout := io.Writer(os.Stdout)
 	if options.Out != nil {
 		stdout = options.Out
@@ -125,7 +143,7 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO
 	if err != nil {
 		return nil, err
 	}
-	response, err := conn.DoRequest(tarfile, http.MethodPost, "/build", params, nil)
+	response, err := conn.DoRequest(tarfile, http.MethodPost, "/build", params, headers)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/bindings/images/images.go b/pkg/bindings/images/images.go
index 596491044..a78e7f4c6 100644
--- a/pkg/bindings/images/images.go
+++ b/pkg/bindings/images/images.go
@@ -282,7 +282,7 @@ func Push(ctx context.Context, source string, destination string, options entiti
 	}
 
 	// TODO: have a global system context we can pass around (1st argument)
-	header, err := auth.Header(nil, options.Authfile, options.Username, options.Password)
+	header, err := auth.Header(nil, auth.XRegistryAuthHeader, options.Authfile, options.Username, options.Password)
 	if err != nil {
 		return err
 	}
@@ -325,7 +325,7 @@ func Search(ctx context.Context, term string, opts entities.ImageSearchOptions)
 	}
 
 	// TODO: have a global system context we can pass around (1st argument)
-	header, err := auth.Header(nil, opts.Authfile, "", "")
+	header, err := auth.Header(nil, auth.XRegistryAuthHeader, opts.Authfile, "", "")
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/bindings/images/pull.go b/pkg/bindings/images/pull.go
index 2bfbbb2ac..c827b3283 100644
--- a/pkg/bindings/images/pull.go
+++ b/pkg/bindings/images/pull.go
@@ -42,7 +42,7 @@ func Pull(ctx context.Context, rawImage string, options entities.ImagePullOption
 	params.Set("allTags", strconv.FormatBool(options.AllTags))
 
 	// TODO: have a global system context we can pass around (1st argument)
-	header, err := auth.Header(nil, options.Authfile, options.Username, options.Password)
+	header, err := auth.Header(nil, auth.XRegistryAuthHeader, options.Authfile, options.Username, options.Password)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/bindings/play/play.go b/pkg/bindings/play/play.go
index 32f9bb4a9..ffaee3208 100644
--- a/pkg/bindings/play/play.go
+++ b/pkg/bindings/play/play.go
@@ -33,7 +33,7 @@ func Kube(ctx context.Context, path string, options entities.PlayKubeOptions) (*
 	}
 
 	// TODO: have a global system context we can pass around (1st argument)
-	header, err := auth.Header(nil, options.Authfile, options.Username, options.Password)
+	header, err := auth.Header(nil, auth.XRegistryAuthHeader, options.Authfile, options.Username, options.Password)
 	if err != nil {
 		return nil, err
 	}