1
0
Fork 0
mirror of https://github.com/imjasonh/krust synced 2026-07-09 15:17:12 +00:00
Commit graph

7 commits

Author SHA1 Message Date
Jason Hall
5d730a36da implement auth
Signed-off-by: Jason Hall <jason@chainguard.dev>
2025-10-15 08:51:46 -04:00
Jason Hall
9dc786c3f1
feat: replace vendor/oci-distribution with direct OCI Distribution Spec implementation
Replace the vendor/oci-distribution dependency with a custom implementation
that directly follows the OCI Distribution Specification using hyper for HTTP.

Key improvements:
- Direct HTTP implementation using hyper, hyper-util, and hyper-tls
- Support for Bearer token, Basic auth, and Anonymous authentication
- Cross-registry blob copying for layered images
- Multi-platform manifest list support
- Better error handling and redirect support
- Reduced dependency footprint

Technical changes:
- Remove vendor/oci-distribution dependency
- Add hyper ecosystem dependencies for HTTP client
- Implement OCI types: OciDescriptor, OciImageManifest, OciImageIndex
- Add ImageReference parsing with registry/repository/tag/digest support
- Implement registry authentication flows (Bearer token requests)
- Add blob upload/download with redirect handling
- Support manifest pulling with image index resolution
- Fix manifest size validation for Docker compatibility
- Update integration tests to use new registry auth types
- Handle docker.io redirect to registry-1.docker.io correctly

This enables more flexible authentication handling and reduces external
dependencies while maintaining full OCI compliance.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-08 22:25:10 -04:00
Jason Hall
047d6de9ef
refactor: consolidate authentication systems
Remove the custom keychain implementation and keep only the simple wrapper
around oci-distribution's built-in auth. This change:

- Removes 300+ lines of duplicate authentication code
- Leverages well-tested oci-distribution auth functionality
- Simplifies the codebase and reduces maintenance burden
- Maintains full backward compatibility

The custom keychain implementation was never used in production code,
only the simple resolve_auth function was called. All tests have been
updated and are passing.

Fixes #17

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-08 16:49:35 -04:00
Jason Hall
672ada3dd2
feat: Add RegistryAuth::from_default() convenience methods
- Add from_default() and from_default_str() methods to RegistryAuth
- These methods automatically resolve auth from Docker config and credential helpers
- Update example to demonstrate both explicit and auto auth approaches
- Simplify krust's auth wrapper to use the new convenience method
- Fix test environment variable pollution

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-08 10:49:28 -04:00
Jason Hall
a6ae83c3b2
feat: Add credential helper support to oci-distribution
- Move Docker config parsing and credential helper execution from krust
- Add automatic auth resolution methods (*_auto) to the client
- Support standard Docker config locations and environment variables
- Add comprehensive tests and examples
- Simplify krust to use the new credential helper functionality
2025-06-08 10:30:41 -04:00
Jason Hall
7827c25d9b
feat: Fork oci-distribution and add enhanced features
- Fork oci-distribution v0.11.0 into vendor/oci-distribution
- Add get_image_platforms() method for proper platform detection
- Support fetching config blobs for single-platform images
- Add OAuth2/Bearer token authentication support
- Add push_manifest_and_get_digest() for reliable digest extraction
- Update krust to use the forked version with enhanced features
2025-06-08 09:49:41 -04:00
Jason Hall
b6b0c71d0c
feat: Implement registry authentication support
This implements authentication for container registries, porting
functionality from go-containerregistry's authn package to Rust.

Key features:
- AuthConfig struct for various auth types (basic, bearer, anonymous)
- Authenticator trait for pluggable auth providers
- DefaultKeychain that reads Docker config files from standard locations
- Support for credential helpers (docker-credential-*)
- Integration with oci-distribution for registry operations

The implementation checks for credentials in this order:
1. DOCKER_CONFIG environment variable
2. REGISTRY_AUTH_FILE environment variable
3. XDG_RUNTIME_DIR/containers/auth.json
4. HOME/.docker/config.json

Credential helpers are supported if configured in the Docker config.

This enables krust to:
- Pull private base images
- Push to authenticated registries
- Support various auth methods (basic, token, oauth2)

Closes #2

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-08 09:19:04 -04:00