feat: auth rework - passthrough and environment-based credential modes #4

Draft
pdylanross wants to merge 1 commit into main from feat/auth-rework-v2
@pdylanross
Owner

Summary

Rework upstream authentication to replace hardcoded per-upstream credentials with two new modes:

  • Passthrough auth — barnacle forwards client Authorization headers directly to the upstream registry. No credentials stored in barnacle. Upstream 401/WWW-Authenticate responses forwarded back to client. Cached content is revalidated via HEAD with client credentials on every hit.
  • Environment auth — barnacle discovers credentials from its runtime environment: static config, dockercfg, k8s ImagePullSecrets, or cloud provider (GCR/ECR/ACR). Clients pull without credentials. Token refresh handled automatically.

Modes are mutually exclusive per-upstream. No client-facing auth enforcement planned — that's a separate concern.

Architecture Docs

  • docs/architecture/auth/current.md — documents the current auth implementation
  • docs/architecture/auth/next.md — full design for the rework

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
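
Added example, not part of this pull request or of barnacle's code: a sketch of the passthrough-mode cache hit described in the summary, where the cached bytes are released only after a HEAD to the upstream succeeds with the caller's own Authorization header, and an upstream 401 and WWW-Authenticate challenge are relayed otherwise. Go, the names `serveCached` and `demo`, the repository path, the token values and the challenge realm are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// serveCached (hypothetical): on a cache hit, HEAD upstream as the caller; serve body only on 200.
func serveCached(w http.ResponseWriter, r *http.Request, upstream string, body []byte) {
	req, err := http.NewRequestWithContext(r.Context(), http.MethodHead, upstream+r.URL.Path, nil)
	if err != nil {
		http.Error(w, "bad upstream request", http.StatusInternalServerError)
		return
	}
	req.Header["Authorization"] = r.Header.Values("Authorization") // forwarded, never stored
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		http.Error(w, "upstream unreachable", http.StatusBadGateway) // fail closed
		return
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		w.Header()["Www-Authenticate"] = resp.Header.Values("WWW-Authenticate")
		w.WriteHeader(resp.StatusCode) // relay status and challenge, not the cached bytes
		return
	}
	w.Write(body)
}

// demo runs one cache hit against a constructed upstream that accepts only "Bearer good".
func demo(auth string) (int, string, string) {
	up := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer good" {
			w.Header().Set("WWW-Authenticate", `Bearer realm="https://auth.example/token"`)
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
	defer up.Close()
	r := httptest.NewRequest(http.MethodGet, "/v2/private/app/manifests/latest", nil)
	r.Header.Set("Authorization", auth)
	w := httptest.NewRecorder()
	serveCached(w, r, up.URL, []byte("cached-manifest"))
	return w.Code, w.Header().Get("WWW-Authenticate"), w.Body.String()
}

func main() {
	fmt.Println(demo("Bearer good"))
	fmt.Println(demo("Bearer other"))
}
```

The second call shows the property the revalidation step exists for: content cached by one client's pull is not handed to a caller whose token the upstream rejects.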