Feature Request: authentication when using oci-sync with third-party registry

[mishanti]

Hi guys,

thanks for all your work. I'm actively using ConfigSync, but due to company policy am bound to use Artifactory with traditional credentials.

It took me some time to understand that oci mode is the only one where there is no way to pass any kind of token. I assume oci-sync was envisioned with Google-native services in mind, but are there any other potential hurdles in implementing auth or picking up environmental credentials in the usual locations?

I was exploring creating a PR myself but atm my Go skills are not there yet :-( Please give me your view on this or an obvious alternative I may not be aware of. Thank you.

[nan-yu]

Thanks for raising this feature request! We appreciate you bringing this to our attention. We're tracking this internally and will keep you updated on our progress and ETA.

In the meantime, we'd welcome a contribution from you if you're interested in tackling this. Config Sync uses go-containerregistry to interact with OCI registries, and you could introduce the token auth type and create a specific authn.Authenticator around https://github.com/GoogleContainerTools/kpt-config-sync/blob/v1.19.0/pkg/oci/fetcher.go#L44.

Please include e2e tests along with your implementation. Feel free to reach out if you have any questions or need further guidance.