Replace the vendor/oci-distribution dependency with a custom implementation
that directly follows the OCI Distribution Specification using hyper for HTTP.
Key improvements:
- Direct HTTP implementation using hyper, hyper-util, and hyper-tls
- Support for Bearer token, Basic auth, and Anonymous authentication
- Cross-registry blob copying for layered images
- Multi-platform manifest list support
- Better error handling and redirect support
- Reduced dependency footprint
Technical changes:
- Remove vendor/oci-distribution dependency
- Add hyper ecosystem dependencies for HTTP client
- Implement OCI types: OciDescriptor, OciImageManifest, OciImageIndex
- Add ImageReference parsing with registry/repository/tag/digest support
- Implement registry authentication flows (Bearer token requests)
- Add blob upload/download with redirect handling
- Support manifest pulling with image index resolution
- Fix manifest size validation for Docker compatibility
- Update integration tests to use new registry auth types
- Handle docker.io redirect to registry-1.docker.io correctly
This enables more flexible authentication handling and reduces external
dependencies while maintaining full OCI compliance.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove the custom keychain implementation and keep only the simple wrapper
around oci-distribution's built-in auth. This change:
- Removes 300+ lines of duplicate authentication code
- Leverages well-tested oci-distribution auth functionality
- Simplifies the codebase and reduces maintenance burden
- Maintains full backward compatibility
The custom keychain implementation was never used in production code,
only the simple resolve_auth function was called. All tests have been
updated and are passing.
Fixes#17🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add from_default() and from_default_str() methods to RegistryAuth
- These methods automatically resolve auth from Docker config and credential helpers
- Update example to demonstrate both explicit and auto auth approaches
- Simplify krust's auth wrapper to use the new convenience method
- Fix test environment variable pollution
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Move Docker config parsing and credential helper execution from krust
- Add automatic auth resolution methods (*_auto) to the client
- Support standard Docker config locations and environment variables
- Add comprehensive tests and examples
- Simplify krust to use the new credential helper functionality
- Fork oci-distribution v0.11.0 into vendor/oci-distribution
- Add get_image_platforms() method for proper platform detection
- Support fetching config blobs for single-platform images
- Add OAuth2/Bearer token authentication support
- Add push_manifest_and_get_digest() for reliable digest extraction
- Update krust to use the forked version with enhanced features
This implements authentication for container registries, porting
functionality from go-containerregistry's authn package to Rust.
Key features:
- AuthConfig struct for various auth types (basic, bearer, anonymous)
- Authenticator trait for pluggable auth providers
- DefaultKeychain that reads Docker config files from standard locations
- Support for credential helpers (docker-credential-*)
- Integration with oci-distribution for registry operations
The implementation checks for credentials in this order:
1. DOCKER_CONFIG environment variable
2. REGISTRY_AUTH_FILE environment variable
3. XDG_RUNTIME_DIR/containers/auth.json
4. HOME/.docker/config.json
Credential helpers are supported if configured in the Docker config.
This enables krust to:
- Pull private base images
- Push to authenticated registries
- Support various auth methods (basic, token, oauth2)
Closes#2🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>