Documentation
¶
Overview ¶
Package oci provides functionality for packaging and pushing artifacts to OCI-compliant registries.
This package enables bundled artifacts to be pushed to any OCI-compliant registry (Docker Hub, GHCR, ECR, local registries, etc.) using the ORAS (OCI Registry As Storage) library. Artifacts are packaged as OCI Image Layout format and can be pushed to remote registries.
Overview ¶
The package provides four main operations:
- ParseOutputTarget: Parses output targets (file paths or OCI URIs) into Reference
- Package: Creates a local OCI artifact in OCI Image Layout format
- PushFromStore: Pushes a previously packaged artifact to a remote registry
- PackageAndPush: High-level workflow combining Package and PushFromStore
The Reference type encapsulates parsed output target information, making it easy to determine if output is destined for the local filesystem or an OCI registry.
Core Types ¶
- Reference: Parsed output target (file path or OCI URI with registry/repository/tag)
- OutputConfig: Configuration for PackageAndPush workflow
- PackageAndPushResult: Combined result of package and push operations
- PackageOptions: Configuration for local OCI packaging
- PackageResult: Result of local packaging (digest, reference, store path)
- PushOptions: Configuration for pushing to remote registries
- PushResult: Result of a successful push (digest, reference)
URI Scheme ¶
OCI output targets use the "oci://" URI scheme:
oci://registry/repository:tag oci://ghcr.io/nvidia/bundles:v1.0.0 oci://localhost:5000/test/bundle:latest
Local file paths are detected by absence of the oci:// scheme.
Usage ¶
Parse output target and use high-level workflow:
ref, err := oci.ParseOutputTarget("oci://ghcr.io/nvidia/bundle:v1.0.0")
if err != nil {
return err
}
if ref.IsOCI {
result, err := oci.PackageAndPush(ctx, oci.OutputConfig{
Ref: ref,
SourceDir: "/path/to/bundle",
})
}
Or use low-level Package and PushFromStore separately:
pkgResult, err := oci.Package(ctx, oci.PackageOptions{
SourceDir: "/path/to/bundle",
OutputDir: "/path/to/output",
Registry: "ghcr.io",
Repository: "nvidia/bundle",
Tag: "v1.0.0",
})
if err != nil {
return err
}
pushResult, err := oci.PushFromStore(ctx, pkgResult.StorePath, oci.PushOptions{
Registry: "ghcr.io",
Repository: "nvidia/bundle",
Tag: "v1.0.0",
})
Reference Type ¶
The Reference type represents a parsed output target:
- IsOCI: True if target is an OCI registry (oci:// scheme)
- Registry: OCI registry hostname (e.g., "ghcr.io")
- Repository: Image repository path (e.g., "nvidia/bundle")
- Tag: Image tag (e.g., "v1.0.0")
- LocalPath: File system path for non-OCI targets
The Reference.WithTag() method returns a copy with the tag modified, useful for applying a default tag when none was specified.
PackageOptions ¶
- SourceDir: Directory containing artifacts to package
- OutputDir: Where the OCI Image Layout will be created
- Registry, Repository, Tag: Image reference components
- SubDir: Optionally limit packaging to a subdirectory
- ReproducibleTimestamp: Fixed timestamp for reproducible builds
PushOptions ¶
- PlainHTTP: Use HTTP instead of HTTPS (for local development registries)
- InsecureTLS: Skip TLS certificate verification
Authentication ¶
The package automatically uses Docker credential helpers for authentication. Credentials are loaded from the standard Docker configuration (~/.docker/config.json) using the ORAS credentials package.
Artifact Type ¶
Artifacts are pushed with the media type "application/vnd.nvidia.aicr.artifact". This custom media type identifies AICR bundles and distinguishes them from runnable container images. Consumers that don't understand this type should treat the artifact as a non-executable blob.
Package oci provides utilities for packaging and pushing OCI artifacts.
Index ¶
Constants ¶
const URIScheme = "oci://"
URIScheme is the URI scheme for OCI registry references (e.g., "oci://ghcr.io/org/repo:tag"). Exported so other packages can build references without re-declaring the literal.
Variables ¶
This section is empty.
Functions ¶
func EnsureScheme ¶ added in v0.13.0
EnsureScheme returns ref with the oci:// prefix added when missing. Used by callers that accept user input in either form.
Refs that already carry a different URI scheme (e.g., "https://...") are returned unchanged so callers don't accidentally build "oci://https://..." when handed a non-oci URL by mistake.
func TrimScheme ¶ added in v0.13.0
TrimScheme returns ref with any oci:// prefix removed. Useful when emitting a registry/repo:tag form for cosign or for human-readable pointers that don't carry the URI scheme.
Types ¶
type HelmChartOptions ¶ added in v0.14.0
type HelmChartOptions struct {
// SourceDir is the directory containing the Helm chart (Chart.yaml,
// values.yaml, templates/, etc.). Mirrors PackageOptions.SourceDir.
SourceDir string
// OutputDir is where the temporary OCI Image Layout is created;
// callers usually pass the bundle output directory so cleanup is
// scoped to one tree.
OutputDir string
// Reference is the OCI registry reference. The reference's Tag MUST
// match the chart version that helm install / helm pull will look
// for; the push flow rewrites the in-source Chart.yaml so this
// invariant holds even when the recipe metadata version differs
// from the user-supplied --output tag.
Reference *Reference
// PlainHTTP uses HTTP instead of HTTPS (local test registries).
PlainHTTP bool
// InsecureTLS skips TLS certificate verification.
InsecureTLS bool
// Version threads the AICR CLI version into manifest annotations
// alongside the chart-derived ones. Pure metadata; not consulted
// by Helm at install time.
Version string
}
HelmChartOptions configures the Helm OCI push flow.
type OutputConfig ¶
type OutputConfig struct {
// SourceDir is the directory containing artifacts to package.
SourceDir string
// OutputDir is where temporary OCI artifacts will be created.
OutputDir string
// Reference contains the parsed OCI registry reference.
Reference *Reference
// Version is used for OCI annotations (org.opencontainers.image.version).
Version string
// PlainHTTP uses HTTP instead of HTTPS for the registry connection.
PlainHTTP bool
// InsecureTLS skips TLS certificate verification.
InsecureTLS bool
// Annotations are additional manifest annotations to include.
// If nil, default AICR annotations will be used.
Annotations map[string]string
}
OutputConfig configures the OCI package and push workflow.
type PackageAndPushResult ¶
type PackageAndPushResult struct {
// Digest is the SHA256 digest of the pushed artifact.
Digest string
// MediaType is the manifest media type.
MediaType string
// Size is the manifest's byte length. Surfaced for OCI Referrers
// attachment, which needs a full subject descriptor.
Size int64
// Reference is the full image reference (registry/repository:tag).
Reference string
// StorePath is the path to the local OCI Image Layout directory.
StorePath string
}
PackageAndPushResult contains the result of a successful package and push operation.
func PackageAndPush ¶
func PackageAndPush(ctx context.Context, cfg OutputConfig) (*PackageAndPushResult, error)
PackageAndPush packages a directory as an OCI artifact and pushes it to a registry. This is a convenience function that combines Package and PushFromStore operations.
func PackageAndPushHelmChart ¶ added in v0.14.0
func PackageAndPushHelmChart(ctx context.Context, opts HelmChartOptions) (*PackageAndPushResult, error)
PackageAndPushHelmChart packages a Helm chart directory into a Helm-OCI compatible artifact and pushes it to a registry. Closes the gap described in #961: the standard AICR OCI flow uses `application/vnd.nvidia.aicr.artifact` for the manifest's artifactType and `application/vnd.oci.image.layer.v1.tar+gzip` for the layer; helm v3 rejects those during pull discovery and the user sees `unable to locate any tags in provided repository` — even though the tag exists and `/v2/<name>/tags/list` returns it.
SourceDir is NOT mutated. The Chart.yaml rewrite (so its version matches Reference.Tag — see helm's chart-version invariant below) happens on a copy inside OutputDir, leaving the caller's source tree byte-identical. Earlier revisions of this function rewrote SourceDir in place, which (a) leaked the OCI tag back into the caller's working copy and (b) was non-atomic — a crash mid-write left a corrupt Chart.yaml the next run would refuse to parse.
Helm OCI tags ARE chart versions: `helm install … --version <tag>` looks up `<repo>:<tag>` and verifies the chart manifest's version against `<tag>`. Without the rewrite, a user who supplies `--output oci://…/foo:5bc50950-helm` for a recipe whose metadata version is `0.1.0` ends up with `Chart.yaml: 0.1.0` at the `:5bc50950-helm` tag, and helm rejects the version mismatch.
type PackageOptions ¶
type PackageOptions struct {
// SourceDir is the directory containing artifacts to package.
SourceDir string
// OutputDir is where the OCI Image Layout will be created.
OutputDir string
// Registry is the OCI registry host for the reference (e.g., "ghcr.io").
Registry string
// Repository is the image repository path (e.g., "nvidia/aicr").
Repository string
// Tag is the image tag (e.g., "v1.0.0", "latest").
Tag string
// SubDir optionally limits packaging to a subdirectory within SourceDir.
SubDir string
// Annotations are additional manifest annotations to include.
// Standard OCI annotations (org.opencontainers.image.*) are recommended.
Annotations map[string]string
}
PackageOptions configures local OCI packaging.
type PackageResult ¶
type PackageResult struct {
// Digest is the SHA256 digest of the packaged artifact.
Digest string
// MediaType is the manifest media type
// (typically application/vnd.oci.image.manifest.v1+json).
MediaType string
// Size is the manifest's byte length. Surfaced so callers can
// construct an OCI subject descriptor for the Referrers API
// without re-fetching the manifest from the registry.
Size int64
// Reference is the full image reference (registry/repository:tag).
Reference string
// StorePath is the path to the OCI Image Layout directory.
StorePath string
}
PackageResult contains the result of local OCI packaging.
func Package ¶
func Package(ctx context.Context, opts PackageOptions) (retResult *PackageResult, retErr error)
Package creates a local OCI artifact in OCI Image Layout format. This stores the artifact locally without pushing to a remote registry.
type PushOptions ¶
type PushOptions struct {
// SourceDir is the directory containing artifacts to push.
SourceDir string
// Registry is the OCI registry host (e.g., "ghcr.io", "localhost:5000").
Registry string
// Repository is the image repository path (e.g., "nvidia/aicr").
Repository string
// Tag is the image tag (e.g., "v1.0.0", "latest").
Tag string
// PlainHTTP uses HTTP instead of HTTPS for the registry connection.
PlainHTTP bool
// InsecureTLS skips TLS certificate verification.
InsecureTLS bool
}
PushOptions configures the OCI push operation.
type PushResult ¶
type PushResult struct {
// Digest is the SHA256 digest of the pushed artifact.
Digest string
// MediaType is the manifest media type.
MediaType string
// Size is the manifest's byte length. Surfaced so the caller can
// build a subject descriptor for OCI Referrers attachment without
// re-fetching the manifest.
Size int64
// Reference is the full image reference (registry/repository:tag).
Reference string
}
PushResult contains the result of a successful OCI push.
func PushFromStore ¶
func PushFromStore(ctx context.Context, storePath string, opts PushOptions) (*PushResult, error)
PushFromStore pushes an already-packaged OCI artifact from a local OCI store to a remote registry.
func PushReferrer ¶ added in v0.13.0
func PushReferrer(ctx context.Context, opts ReferrerOptions) (*PushResult, error)
PushReferrer pushes a single-layer OCI manifest with a Subject set, attaching it as a Referrer of the subject artifact. cosign discovers signatures attached this way via the OCI Distribution 1.1 Referrers API. The tag is derived from the referrer manifest digest so multiple referrers can coexist without colliding on a fixed tag.
type Reference ¶
type Reference struct {
// IsOCI indicates whether this is an OCI registry reference (true) or local path (false).
IsOCI bool
// Registry is the OCI registry host (e.g., "ghcr.io", "localhost:5000").
// Only populated when IsOCI is true.
Registry string
// Repository is the image repository path (e.g., "nvidia/bundle").
// Only populated when IsOCI is true.
Repository string
// Tag is the image tag (e.g., "v1.0.0").
// Empty string means no tag was specified; caller should apply a default.
// Only populated when IsOCI is true.
Tag string
// LocalPath is the local directory path for non-OCI output.
// Only populated when IsOCI is false.
LocalPath string
}
Reference represents a parsed output target, which can be either an OCI registry reference or a local directory path.
func ParseOutputTarget ¶
ParseOutputTarget parses an output target string to detect OCI URI or local directory. For OCI URIs (oci://registry/repository:tag), it extracts the components. For plain paths, it treats them as local directories.
If no tag is specified in an OCI URI, Tag will be empty; the caller is responsible for applying a default (e.g., CLI version).
func (*Reference) ChartName ¶ added in v0.14.0
ChartName returns the last path segment of Repository, which is the chart name a Helm consumer (or ArgoCD's `source.chart`) sees when pulling the artifact at `registry/repository:tag`. For non-OCI references and references whose Repository is empty, the empty string is returned; callers should treat that as "no derived chart name available" and apply their own default.
Example: oci://ghcr.io/myorg/my-bundle-name:v1
- Registry = "ghcr.io"
- Repository = "myorg/my-bundle-name"
- ChartName() = "my-bundle-name"
This is consumed by the argocd-helm bundler so the generated Chart.yaml and parent Application's `source.chart` match what `helm push` actually publishes — see issue #1019.
type ReferrerOptions ¶ added in v0.13.0
type ReferrerOptions struct {
// Registry is the OCI registry host (e.g., "ghcr.io").
Registry string
// Repository is the same repository the subject artifact lives in.
Repository string
// PlainHTTP forces HTTP (used for local registry tests).
PlainHTTP bool
// InsecureTLS disables TLS verification for self-signed registries.
InsecureTLS bool
// ArtifactType identifies the referrer manifest's purpose, e.g.
// "application/vnd.dev.sigstore.bundle.v0.3+json". The same value
// is used as the layer media type so a referrer with one blob is
// self-describing.
ArtifactType string
// LayerContent is the single blob the referrer wraps.
LayerContent []byte
// Subject is the descriptor of the artifact this referrer points
// at. cosign's /v2/<name>/referrers/<digest> discovery uses
// Subject.Digest to match.
Subject ociv1.Descriptor
// Annotations apply to the referrer manifest.
Annotations map[string]string
}
ReferrerOptions configures a single-blob OCI manifest attached via the OCI 1.1 Referrers API. Used by Sigstore Bundle attachment and similar "annotation manifest" patterns where the *referring* manifest is the artifact and the subject points at what it refers to.
Source Files