Replace the vendor/oci-distribution dependency with a custom implementation
that directly follows the OCI Distribution Specification using hyper for HTTP.
Key improvements:
- Direct HTTP implementation using hyper, hyper-util, and hyper-tls
- Support for Bearer token, Basic auth, and Anonymous authentication
- Cross-registry blob copying for layered images
- Multi-platform manifest list support
- Better error handling and redirect support
- Reduced dependency footprint
Technical changes:
- Remove vendor/oci-distribution dependency
- Add hyper ecosystem dependencies for HTTP client
- Implement OCI types: OciDescriptor, OciImageManifest, OciImageIndex
- Add ImageReference parsing with registry/repository/tag/digest support
- Implement registry authentication flows (Bearer token requests)
- Add blob upload/download with redirect handling
- Support manifest pulling with image index resolution
- Fix manifest size validation for Docker compatibility
- Update integration tests to use new registry auth types
- Handle docker.io redirect to registry-1.docker.io correctly
This enables more flexible authentication handling and reduces external
dependencies while maintaining full OCI compliance.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove the custom keychain implementation and keep only the simple wrapper
around oci-distribution's built-in auth. This change:
- Removes 300+ lines of duplicate authentication code
- Leverages well-tested oci-distribution auth functionality
- Simplifies the codebase and reduces maintenance burden
- Maintains full backward compatibility
The custom keychain implementation was never used in production code,
only the simple resolve_auth function was called. All tests have been
updated and are passing.
Fixes#17🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This implements authentication for container registries, porting
functionality from go-containerregistry's authn package to Rust.
Key features:
- AuthConfig struct for various auth types (basic, bearer, anonymous)
- Authenticator trait for pluggable auth providers
- DefaultKeychain that reads Docker config files from standard locations
- Support for credential helpers (docker-credential-*)
- Integration with oci-distribution for registry operations
The implementation checks for credentials in this order:
1. DOCKER_CONFIG environment variable
2. REGISTRY_AUTH_FILE environment variable
3. XDG_RUNTIME_DIR/containers/auth.json
4. HOME/.docker/config.json
Credential helpers are supported if configured in the Docker config.
This enables krust to:
- Pull private base images
- Push to authenticated registries
- Support various auth methods (basic, token, oauth2)
Closes#2🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>