From 8ce33e5d9c6d4337b7e057bd93912691f7832f22 Mon Sep 17 00:00:00 2001
From: Steven Gettys
Date: Fri, 21 Nov 2025 16:03:31 -0800
Subject: [PATCH 1/2] feat: added transport modifier to NewOrasRemote
Signed-off-by: Steven Gettys
---
 oci/common.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/oci/common.go b/oci/common.go
index 86da7bf..274a921 100644
--- a/oci/common.go
+++ b/oci/common.go
@@ -96,6 +96,13 @@ func WithCache(cache *oci.Store) Modifier {
 }
 }
+// WithTransport sets the transport for the remote
+func WithTransport(transport *http.Transport) Modifier {
+ return func(o *OrasRemote) {
+ o.progTransport = helpers.NewTransport(transport, nil)
+ }
+}
+
 // NewOrasRemote returns an oras remote repository client and context for the given url.
 //
 // Registry auth is handled by the Docker CLI's credential store and checked before returning the client
From ff1873778d920bf6ca397237818ba36922a77b7d Mon Sep 17 00:00:00 2001
From: Steven Gettys
Date: Fri, 21 Nov 2025 16:23:48 -0800
Subject: [PATCH 2/2] chore: moved client cache configuration to before oras instantiation
Signed-off-by: Steven Gettys
---
 oci/common.go | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/oci/common.go b/oci/common.go
index 274a921..adf7e06 100644
--- a/oci/common.go
+++ b/oci/common.go
@@ -100,6 +100,14 @@ func WithCache(cache *oci.Store) Modifier {
 func WithTransport(transport *http.Transport) Modifier {
 return func(o *OrasRemote) {
 o.progTransport = helpers.NewTransport(transport, nil)
+ client, ok := o.repo.Client.(*auth.Client)
+ if ok {
+ client.Client.Transport = o.progTransport
+ return
+ }
+ if o.log != nil {
+ o.log.Warn("unable to set repo client transport, client is not an auth.Client")
+ }
 }
 }
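Review bot: In the first patch's hunk (`@@ -96,6 +96,13 @@`), WithTransport hands the caller's `*http.Transport` to `helpers.NewTransport` with no nil check and no copy, while NewOrasRemote works on `httpTransport.Clone()`. A nil argument therefore reaches the wrapper unchecked (how it behaves there is not visible on this page), and later caller-side changes to the transport's TLS or proxy settings would silently change this remote. Guarding with `if transport == nil { return }` and wrapping `transport.Clone()` instead would match the default path. The doc comment could also say that the transport's `TLSClientConfig` and `Proxy` settings are the caller's responsibility once supplied.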
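Review bot: `client.Client.Transport = o.progTransport` in `@@ -100,6 +100,14 @@` assigns to the `*http.Client` that NewOrasRemote takes from `retry.DefaultClient` (context lines of the `@@ -111,19 +119,30 @@` hunk, where `client.Client.Transport = transport` does the same), so the option is written onto a package-level client rather than a per-remote one. Every other remote built from that default would then send its credentialed registry requests through this transport, with whatever TLS or proxy settings it carries, and parallel constructions write the same field unsynchronised. Building a private client in NewOrasRemote, `Client: &http.Client{Transport: transport},`, would keep WithTransport scoped to one remote. Also, when the assertion fails and `o.log` is nil the requested transport is dropped with no signal at all; since Modifier cannot return an error, recording the failure on `o` for NewOrasRemote to return may be preferable to a warning.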
@@ -111,19 +119,30 @@ func NewOrasRemote(url string, platform ocispec.Platform, mods ...Modifier) (*Or
 if err != nil {
 return nil, fmt.Errorf("failed to parse OCI reference %q: %w", url, err)
 }
+
 httpTransport, ok := http.DefaultTransport.(*http.Transport)
 if !ok {
 return nil, fmt.Errorf("http.DefaultTransport is not an *http.Transport, something mutated global net/http variables")
 }
+
 transport := httpTransport.Clone()
+
+ storeOpts := credentials.StoreOptions{}
+ credStore, err := credentials.NewStoreFromDocker(storeOpts)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get credentials: %w", err)
+ }
+
 client := &auth.Client{
 Client: retry.DefaultClient,
 Header: http.Header{
 "User-Agent": {"oras-go"},
 },
- Cache: auth.DefaultCache,
+ Cache: auth.NewCache(),
+ Credential: credentials.Credential(credStore),
 }
 client.Client.Transport = transport
+
 o := &OrasRemote{
 repo: &remote.Repository{Client: client},
 progTransport: helpers.NewTransport(transport, nil),
@@ -135,6 +154,10 @@ func NewOrasRemote(url string, platform ocispec.Platform, mods ...Modifier) (*Or
 mod(o)
 }
+ if o.log != nil {
+ o.log.Debug("gathered credentials from default Docker config file", "credentials_configured", credStore.IsAuthConfigured())
+ }
+
 if err := o.setRepository(ref); err != nil {
 return nil, err
 }
@@ -191,20 +214,8 @@ func (o *OrasRemote) setRepository(ref registry.Reference) error {
 ref.Registry = "ghcr.io"
 ref.Repository = "defenseunicorns/packages/" + ref.Repository
 }
- storeOpts := credentials.StoreOptions{}
- credStore, err := credentials.NewStoreFromDocker(storeOpts)
- if err != nil {
- return fmt.Errorf("failed to get credentials: %w", err)
- }
- client := &auth.Client{
- Client: retry.DefaultClient,
- Cache: auth.NewCache(),
- Credential: credentials.Credential(credStore),
- }
- o.log.Debug("gathering credentials from default Docker config file", "credentials_configured", credStore.IsAuthConfigured())
 o.repo.Reference = ref
- o.repo.Client = client
 return nil
 }
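Review bot: After this hunk (`@@ -111,19 +119,30 @@`) the default path puts the bare `transport` on the auth client (`client.Client.Transport = transport`) while WithTransport puts the `helpers.NewTransport` wrapper there, so the two construction paths end up with different round-tripper stacks. Whatever the wrapper adds would apply to registry requests only when the option is used; which of the two is intended is not clear from the diff. Creating the wrapper once, `pt := helpers.NewTransport(transport, nil)`, and using it for both `client.Client.Transport` and `progTransport` would make them agree. NewOrasRemote's body begins and ends outside the hunk.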