Documentation
Overview
Package oci implements the source.Fetcher for KindOCIRepository via oras-go. Generic provider only — IRSA / Workload Identity is out of scope for offline flate.
File map:
    fetcher.go — Fetcher type, Fetch entry, authIdentity, ociID
    fetch.go — fetch pipeline (resolve → slot → copy → publish)
    client.go — registry client: TLS, registry-config, credentials
    cache.go — cache keys, resolve-cache, cache-hit gate, artifact
    resolve.go — OCI ref parsing, semver tag picking, revision shape
    marker.go — cached-digest / verify-policy slot meta sidecar
    cosign.go — cosign signature verification
    layer.go — media types, spec.layerSelector copy/extract
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Fetcher
    type Fetcher struct {
        Cache          *source.Cache
        RegistryConfig string
        Secrets        source.SecretGetter
    }
Fetcher is the Fetcher implementation for KindOCIRepository. RegistryConfig is the global --registry-config docker-style config.json path used when no per-repo SecretRef is set. Secrets is the per-repo source.SecretGetter (typically the orchestrator-provided Store.GetByName), required when any OCIRepository has spec.secretRef pointing at a kubernetes.io/dockerconfigjson Secret.
func (*Fetcher) Fetch
func (f *Fetcher) Fetch(ctx context.Context, repo *manifest.OCIRepository) (*store.SourceArtifact, error)
Fetch implements source.TypedFetcher[*manifest.OCIRepository]. The typed signature is wrapped via source.Wrap at orchestrator registration — a payload mismatch returns ErrInput once at the adapter site rather than panicking here.
Fetch resolves credentials, TLS, and proxy from the CR's *SecretRef fields, then hands off to fetch() — the workhorse in fetch.go that owns slot lifecycle, oras Copy, cosign verification, layer extraction, and marker writes.
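The credential precedence described for RegistryConfig and Secrets, as an added example that is not the package's own code: the per-repo Secret is used when a secretRef is set, the global docker-style config.json otherwise, and only the entry for the requested registry host is returned. Resolve, dockerConfig and the source labels are hypothetical names; exact-host matching and anonymous access for an unlisted host are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig is the JSON shape shared by config.json and dockerconfigjson Secrets.
type dockerConfig struct {
	Auths map[string]struct{ Username, Password, Auth string } `json:"auths"`
}

// Resolve returns the credentials for host and the source that supplied them.
// secret is nil when the repository has no secretRef (hypothetical convention).
func Resolve(secret, global []byte, host string) (user, pass, src string, err error) {
	raw, src := global, "registry-config"
	if secret != nil {
		raw, src = secret, "secretRef" // a set secretRef wins; no fallback to global
	}
	if len(raw) == 0 {
		return "", "", "anonymous", nil
	}
	var cfg dockerConfig
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return "", "", "", fmt.Errorf("%s: %w", src, err) // fail closed on bad input
	}
	e, found := cfg.Auths[host] // exact match: never reuse another registry's entry
	if !found {
		return "", "", "anonymous", nil
	}
	if e.Auth == "" {
		return e.Username, e.Password, src, nil
	}
	dec, err := base64.StdEncoding.DecodeString(e.Auth) // auth = base64("user:pass")
	if err != nil {
		return "", "", "", fmt.Errorf("%s auth for %s: %w", src, host, err)
	}
	if user, pass, found = strings.Cut(string(dec), ":"); !found {
		return "", "", "", fmt.Errorf("%s auth for %s: no ':' separator", src, host)
	}
	return user, pass, src, nil
}

func main() { // constructed sample data, not real credentials
	global := []byte(`{"auths":{"ghcr.io":{"auth":"Z2xvYmFsOmctdG9rZW4="}}}`)
	user, _, src, err := Resolve(nil, global, "ghcr.io")
	fmt.Println(user, src, err)
}
```

A malformed config or auth value returns an error instead of silently downgrading the fetch to anonymous, so a broken Secret is surfaced rather than masked.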