Tank.Image.Registry (Tank v0.2.0)

Copy Markdown View Source

OCI registry access for image pulls — a thin shim over Stevedore.Registry.

Tank fetches all OCI data through Stevedore. This module preserves the historical return contracts so the rest of Tank.Image is unchanged:

  • manifest/4{:ok, info, token_cache} (an image index / manifest list, or a single image manifest);
  • blob/4{:ok, bytes} (a layer or the image config).

The bearer-token handshake, manifest fetch, and digest-verified blob download all live in Stevedore now. The 4th argument is an optional Stevedore.Auth.Cache (token_cache/0) that Tank.Image threads across a pull so the bearer token is earned once rather than re-fetched per call.

Summary

Types

info()

A fetched manifest: its media type, content digest, raw bytes, and parsed JSON. digest is always a "sha256:…" string now — Stevedore computes it from raw when the registry omits the Docker-Content-Digest header.

token_cache()

An optional Stevedore.Auth.Cache threaded across a pull's fetches so the bearer token is reused instead of re-earned on every call. nil disables caching. manifest/4 echoes it back so the caller can thread it onward — it occupies the slot the old client used for the bearer token.

Functions

blob(registry, repo, digest, token_cache \\ nil)

Downloads the blob digest (a sha256: string) from repo on registry.

manifest(registry, repo, reference, token_cache \\ nil)

Fetches the manifest for repo:reference from registry.

Types

info()

@type info() :: %{
  media_type: String.t() | nil,
  digest: String.t(),
  raw: binary(),
  json: map()
}

A fetched manifest: its media type, content digest, raw bytes, and parsed JSON. digest is always a "sha256:…" string now — Stevedore computes it from raw when the registry omits the Docker-Content-Digest header.

token_cache()

@type token_cache() :: Agent.agent() | nil

An optional Stevedore.Auth.Cache threaded across a pull's fetches so the bearer token is reused instead of re-earned on every call. nil disables caching. manifest/4 echoes it back so the caller can thread it onward — it occupies the slot the old client used for the bearer token.

Functions

blob(registry, repo, digest, token_cache \\ nil)

@spec blob(String.t(), String.t(), String.t(), token_cache()) ::
  {:ok, binary()} | {:error, term()}

Downloads the blob digest (a sha256: string) from repo on registry.

Returns {:ok, bytes}. Stevedore verifies the bytes against digest and drops the Authorization header across CDN redirects, so the blob arrives already-verified and the token is never handed to the CDN.

manifest(registry, repo, reference, token_cache \\ nil)

@spec manifest(String.t(), String.t(), String.t(), token_cache()) ::
  {:ok, info(), token_cache()} | {:error, term()}

Fetches the manifest for repo:reference from registry.

reference is a tag or a sha256: digest; token_cache is an optional Stevedore.Auth.Cache. Returns {:ok, info, token_cache}, echoing the cache back so the caller threads it into the pull's later fetches.