package auth
import "github.com/containerd/nydus-snapshotter/pkg/auth"
Index ¶
- Constants
- func AddImageProxy(ctx context.Context, rpc *grpc.Server, imageServiceAddress string)
- func EvictStaleCredentials(liveRefs map[string]struct{})
- func InitCredentialStore(interval time.Duration)
- func InitKubeSecretListener(ctx context.Context, kubeconfigPath string) error
- func InitKubeletProvider(configPath, binDir string) error
- type AuthProvider
- type AuthRequest
- type CRIProvider
- func NewCRIProvider() *CRIProvider
- func (p *CRIProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
- func (p *CRIProvider) String() string
- type DockerProvider
- func NewDockerProvider() *DockerProvider
- func (p *DockerProvider) CanRenew() bool
- func (p *DockerProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
- func (p *DockerProvider) String() string
- type KubeSecretListener
- func (kubelistener *KubeSecretListener) GetCredentialsStore(host string) *PassKeyChain
- func (kubelistener *KubeSecretListener) SyncKubeSecrets(ctx context.Context, clientset *kubernetes.Clientset) error
- type KubeSecretProvider
- func NewKubeSecretProvider() *KubeSecretProvider
- func (p *KubeSecretProvider) CanRenew() bool
- func (p *KubeSecretProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
- func (p *KubeSecretProvider) String() string
- type KubeletProvider
- func NewKubeletProvider(configPath, binDir string) (*KubeletProvider, error)
- func (p *KubeletProvider) CanRenew() bool
- func (p *KubeletProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
- func (p *KubeletProvider) String() string
- type LabelsProvider
- func NewLabelsProvider() *LabelsProvider
- func (p *LabelsProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
- func (p *LabelsProvider) String() string
- type PassKeyChain
- func FromBase64(str string) (PassKeyChain, error)
- func GetKeyChainByRef(ref string, labels map[string]string) (*PassKeyChain, error)
- func GetRegistryKeyChain(ref string, labels map[string]string) *PassKeyChain
- func GetStoredCredential(ref string) *PassKeyChain
- func RenewCredential(ref string) *PassKeyChain
- func (kc PassKeyChain) Resolve(_ authn.Resource) (authn.Authenticator, error)
- func (kc PassKeyChain) ToBase64() string
- func (kc PassKeyChain) TokenBase() bool
- type RenewableProvider
Constants ¶
// DefaultImageServiceAddress is the containerd socket path used as the
// default image service address; presumably the value to pass as
// AddImageProxy's imageServiceAddress — confirm against callers.
const DefaultImageServiceAddress = "/run/containerd/containerd.sock"
Functions ¶
func AddImageProxy ¶
AddImageProxy sets up a CRI image proxy that intercepts credentials. It should be called once at startup to enable CRI credential capture. Adapted from stargz-snapshotter/cmd/containerd-stargz-grpc/main.go#main.
func EvictStaleCredentials ¶
func EvictStaleCredentials(liveRefs map[string]struct{})
EvictStaleCredentials removes store entries whose ref is not present in liveRefs. Entries added recently (within interval/2) are kept to avoid racing with a concurrent image pull: GetRegistryKeyChain adds the ref to the store on the first layer fetch, but the RAFS entry is only created later when the mount completes. Evicting here would cause redundant provider lookups for every remaining layer fetch in the pull.
func InitCredentialStore ¶
InitCredentialStore creates the global credential store without starting any background goroutine. The caller is responsible for driving renewal (e.g., from snapshot/renewal.go).
func InitKubeSecretListener ¶
func InitKubeletProvider ¶
InitKubeletProvider initializes the global kubelet credential provider. This should be called once at startup if kubelet credential providers are enabled.
Types ¶
type AuthProvider ¶
// AuthProvider is implemented by each credential source (snapshot labels,
// CRI requests, Docker config, kubelet plugins, Kubernetes secrets); the
// sources are queried in priority order by GetRegistryKeyChain.
type AuthProvider interface {
// GetCredentials retrieves credentials for the given request.
// Returns nil if no credentials are available.
GetCredentials(req *AuthRequest) (*PassKeyChain, error)
// String returns a short name identifying the provider; presumably used
// to label log messages and renewal metrics — confirm against callers.
String() string
}
AuthProvider manages how credentials are retrieved from different sources.
type AuthRequest ¶
// AuthRequest carries the inputs a provider needs to look up credentials.
type AuthRequest struct {
// Ref is the full image reference (e.g., "docker.io/library/nginx:latest")
Ref string
// Labels are snapshot labels that may contain credentials.
// NOTE(review): label values are supplied by the snapshot caller and may
// be absent or malformed; LabelsProvider returns nil when they are not valid.
Labels map[string]string
// ValidUntil, when non-zero, instructs providers to return a credential
// that remains valid at least until this time. Providers that do not
// have a notion of expiration will ignore this.
ValidUntil time.Time
}
AuthRequest contains parameters for retrieving registry credentials.
type CRIProvider ¶
type CRIProvider struct{}
CRIProvider retrieves credentials from CRI image pull requests.
func NewCRIProvider ¶
func NewCRIProvider() *CRIProvider
NewCRIProvider creates a new CRI-based auth provider.
func (*CRIProvider) GetCredentials ¶
func (p *CRIProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
func (*CRIProvider) String ¶
func (p *CRIProvider) String() string
type DockerProvider ¶
type DockerProvider struct {
// contains filtered or unexported fields
}
DockerProvider retrieves credentials from Docker's config.json.
func NewDockerProvider ¶
func NewDockerProvider() *DockerProvider
NewDockerProvider creates a new Docker config-based auth provider.
func (*DockerProvider) CanRenew ¶
func (p *DockerProvider) CanRenew() bool
CanRenew implements RenewableProvider. Docker credentials can be refreshed by re-reading the config file. This works well with Docker credential helpers.
func (*DockerProvider) GetCredentials ¶
func (p *DockerProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
GetCredentials retrieves credentials from Docker's config.json. Returns nil if no credentials are found for the registry.
func (*DockerProvider) String ¶
func (p *DockerProvider) String() string
type KubeSecretListener ¶
type KubeSecretListener struct {
// contains filtered or unexported fields
}
func (*KubeSecretListener) GetCredentialsStore ¶
func (kubelistener *KubeSecretListener) GetCredentialsStore(host string) *PassKeyChain
func (*KubeSecretListener) SyncKubeSecrets ¶
func (kubelistener *KubeSecretListener) SyncKubeSecrets(ctx context.Context, clientset *kubernetes.Clientset) error
type KubeSecretProvider ¶
type KubeSecretProvider struct{}
KubeSecretProvider implements AuthProvider for Kubernetes secrets.
func NewKubeSecretProvider ¶
func NewKubeSecretProvider() *KubeSecretProvider
NewKubeSecretProvider creates a new Kubernetes secret-based auth provider.
func (*KubeSecretProvider) CanRenew ¶
func (p *KubeSecretProvider) CanRenew() bool
CanRenew implements RenewableProvider. KubeSecret credentials can be refreshed because the underlying informer watches for secret changes.
func (*KubeSecretProvider) GetCredentials ¶
func (p *KubeSecretProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
GetCredentials retrieves credentials from Kubernetes secrets. Returns nil if no credentials are found or the listener is not initialized.
func (*KubeSecretProvider) String ¶
func (p *KubeSecretProvider) String() string
type KubeletProvider ¶
type KubeletProvider struct {
// contains filtered or unexported fields
}
KubeletProvider retrieves credentials using Kubernetes credential provider plugins.
func NewKubeletProvider ¶
func NewKubeletProvider(configPath, binDir string) (*KubeletProvider, error)
NewKubeletProvider creates a new kubelet credential helpers-based auth provider.
func (*KubeletProvider) CanRenew ¶
func (p *KubeletProvider) CanRenew() bool
CanRenew implements RenewableProvider. Kubelet credentials can be refreshed by re-executing the credential provider plugins.
func (*KubeletProvider) GetCredentials ¶
func (p *KubeletProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
GetCredentials retrieves credentials using kubelet credential provider plugins. It first checks the cache using the same cacheKeyType-based lookup as the kubelet (image -> registry -> global). On a cache miss it executes all matching plugins, stores results keyed by cacheKeyType, and returns the most specific match for the requested ref.
func (*KubeletProvider) String ¶
func (p *KubeletProvider) String() string
type LabelsProvider ¶
type LabelsProvider struct{}
LabelsProvider retrieves credentials from snapshot labels.
func NewLabelsProvider ¶
func NewLabelsProvider() *LabelsProvider
NewLabelsProvider creates a new labels-based auth provider.
func (*LabelsProvider) GetCredentials ¶
func (p *LabelsProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
GetCredentials retrieves credentials from snapshot labels. Returns nil if labels don't contain valid credentials.
func (*LabelsProvider) String ¶
func (p *LabelsProvider) String() string
type PassKeyChain ¶
PassKeyChain is a username/password-based key chain.
func FromBase64 ¶
func FromBase64(str string) (PassKeyChain, error)
func GetKeyChainByRef ¶
func GetKeyChainByRef(ref string, labels map[string]string) (*PassKeyChain, error)
func GetRegistryKeyChain ¶
func GetRegistryKeyChain(ref string, labels map[string]string) *PassKeyChain
GetRegistryKeyChain retrieves image pull credentials from the first provider that returns a result, checked in this priority order: (1) the credential renewal store, if enabled; (2) username and secret labels; (3) the CRI request; (4) Docker config; (5) kubelet credential helpers; (6) the Kubernetes docker-config secret.
When a renewable provider returns credentials and the renewal store is enabled, the credentials are cached for periodic renewal.
func GetStoredCredential ¶
func GetStoredCredential(ref string) *PassKeyChain
GetStoredCredential returns the cached keychain for ref from the global store, or nil if not present or the store is not initialized.
func RenewCredential ¶
func RenewCredential(ref string) *PassKeyChain
RenewCredential fetches fresh credentials for ref from the renewable provider list and caches them in the global store. Returns the keychain on success or nil on failure. Emits renewal metrics.
func (PassKeyChain) Resolve ¶
func (kc PassKeyChain) Resolve(_ authn.Resource) (authn.Authenticator, error)
func (PassKeyChain) ToBase64 ¶
func (kc PassKeyChain) ToBase64() string
func (PassKeyChain) TokenBase ¶
func (kc PassKeyChain) TokenBase() bool
TokenBase reports whether the PassKeyChain is token based: when the username is empty and the password is not, the password is a registry token.
type RenewableProvider ¶
// RenewableProvider is implemented by providers whose credentials can be
// re-fetched on demand; DockerProvider, KubeletProvider and
// KubeSecretProvider implement it.
type RenewableProvider interface {
// AuthProvider supplies GetCredentials and String.
AuthProvider
// CanRenew reports whether this provider can renew credentials.
CanRenew() bool
}
RenewableProvider extends AuthProvider with credential renewal capability. Providers that can refresh credentials implement this interface.
Source Files ¶
cri.go docker.go keychain.go kubelet.go kubesecret.go labels.go provider.go renewal.go