fluxcd · matheuscscp · Jan 18, 2026 · Jan 18, 2026 · Jan 24, 2026
@@ -15,7 +15,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.6.1
 	github.com/fluxcd/pkg/apis/meta v1.25.0
 	github.com/fluxcd/pkg/lockedfile v0.7.0
-	github.com/fluxcd/pkg/oci v0.59.0
+	github.com/fluxcd/pkg/oci v0.60.0
 	github.com/fluxcd/pkg/sourceignore v0.16.0
 	github.com/fluxcd/pkg/tar v0.17.0
 	github.com/go-git/go-git/v5 v5.16.4

@@ -164,7 +164,7 @@ func (p Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken strin
 	return creds, nil
 }
 
-// GetAccessTokenOptionsForArtifactRepository implements auth.Provider.
+// GetAccessTokenOptionsForArtifactRepository implements auth.ArtifactRegistryCredentialsProvider.
 func (p Provider) GetAccessTokenOptionsForArtifactRepository(artifactRepository string) ([]auth.Option, error) {
 	// AWS requires a region for getting access credentials. To avoid requiring
 	// two regions to be passed in the Flux APIs we leverage the region present
@@ -191,7 +191,7 @@ const publicECR = "public.ecr.aws"
 
 var registryRegex = regexp.MustCompile(registryPattern)
 
-// ParseArtifactRepository implements auth.Provider.
+// ParseArtifactRepository implements auth.ArtifactRegistryCredentialsProvider.
 // ParseArtifactRepository returns the ECR region, unless the registry
 // is public.ecr.aws, in which case it returns public.ecr.aws.
 func (Provider) ParseArtifactRepository(artifactRepository string) (string, error) {
@@ -223,7 +223,7 @@ func getECRRegionFromRegistryInput(registryInput string) string {
 	return registryInput
 }
 
-// NewArtifactRegistryCredentials implements auth.Provider.
+// NewArtifactRegistryCredentials implements auth.ArtifactRegistryCredentialsProvider.
 func (p Provider) NewArtifactRegistryCredentials(ctx context.Context, registryInput string,
 	accessToken auth.Token, opts ...auth.Option) (*auth.ArtifactRegistryCredentials, error) {
 
@@ -284,15 +284,15 @@ func (p Provider) NewArtifactRegistryCredentials(ctx context.Context, registryIn
 		return nil, fmt.Errorf("invalid authorization token format")
 	}
 	return &auth.ArtifactRegistryCredentials{
-		Authenticator: authn.FromConfig(authn.AuthConfig{
+		Authenticator: &authn.Basic{
 			Username: s[0],
 			Password: s[1],
-		}),
+		},
 		ExpiresAt: expiresAt,
 	}, nil
 }
 
-// GetAccessTokenOptionsForCluster implements auth.Provider.
+// GetAccessTokenOptionsForCluster implements auth.RESTConfigProvider.
 func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.Option, error) {
 	var o auth.Options
 	o.Apply(opts...)
@@ -304,7 +304,7 @@ func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.O
 	return [][]auth.Option{{auth.WithSTSRegion(region)}}, nil
 }
 
-// NewRESTConfig implements auth.Provider.
+// NewRESTConfig implements auth.RESTConfigProvider.
 //
 // Reference:
 // https://docs.aws.amazon.com/eks/latest/best-practices/identity-and-access-management.html#_controlling_access_to_eks_clusters

@@ -267,10 +267,10 @@ func TestProvider_NewArtifactRegistryCredentials(t *testing.T) {
 				context.Background(), provider, tt.artifactRepository, opts...)
 			g.Expect(err).NotTo(HaveOccurred())
 			g.Expect(creds).To(Equal(&auth.ArtifactRegistryCredentials{
-				Authenticator: authn.FromConfig(authn.AuthConfig{
+				Authenticator: &authn.Basic{
 					Username: "username",
 					Password: "password",
-				}),
+				},
 			}))
 		})
 	}

@@ -125,7 +125,7 @@ func (p Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken strin
 	return &Token{token}, nil
 }
 
-// GetAccessTokenOptionsForArtifactRepository implements auth.Provider.
+// GetAccessTokenOptionsForArtifactRepository implements auth.ArtifactRegistryCredentialsProvider.
 func (p Provider) GetAccessTokenOptionsForArtifactRepository(artifactRepository string) ([]auth.Option, error) {
 	// Azure requires scopes for getting access tokens. Here we compute
 	// the scope for ACR, which is based on the registry host.
@@ -160,7 +160,7 @@ const registryPattern = `^.+\.(azurecr\.io|azurecr\.cn|azurecr\.de|azurecr\.us)$
 
 var registryRegex = regexp.MustCompile(registryPattern)
 
-// ParseArtifactRepository implements auth.Provider.
+// ParseArtifactRepository implements auth.ArtifactRegistryCredentialsProvider.
 // ParseArtifactRepository returns the ACR registry host.
 func (Provider) ParseArtifactRepository(artifactRepository string) (string, error) {
 	registry, err := auth.GetRegistryFromArtifactRepository(artifactRepository)
@@ -191,7 +191,7 @@ func (Provider) ParseArtifactRepository(artifactRepository string) (string, erro
 		registry, registryPattern)
 }
 
-// NewArtifactRegistryCredentials implements auth.Provider.
+// NewArtifactRegistryCredentials implements auth.ArtifactRegistryCredentialsProvider.
 func (p Provider) NewArtifactRegistryCredentials(ctx context.Context, registry string,
 	accessToken auth.Token, opts ...auth.Option) (*auth.ArtifactRegistryCredentials, error) {
 
@@ -234,16 +234,16 @@ func (p Provider) NewArtifactRegistryCredentials(ctx context.Context, registry s
 
 	// Return the credentials.
 	return &auth.ArtifactRegistryCredentials{
-		Authenticator: authn.FromConfig(authn.AuthConfig{
+		Authenticator: &authn.Basic{
 			// https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#az-acr-login-with---expose-token
 			Username: "00000000-0000-0000-0000-000000000000",
 			Password: token,
-		}),
+		},
 		ExpiresAt: expiry.Time,
 	}, nil
 }
 
-// GetAccessTokenOptionsForCluster implements auth.Provider.
+// GetAccessTokenOptionsForCluster implements auth.RESTConfigProvider.
 func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.Option, error) {
 	var o auth.Options
 	o.Apply(opts...)
@@ -278,7 +278,7 @@ func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.O
 	return atOpts, nil
 }
 
-// NewRESTConfig implements auth.Provider.
+// NewRESTConfig implements auth.RESTConfigProvider.
 func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
 	opts ...auth.Option) (*auth.RESTConfig, error) {
 

@@ -225,10 +225,10 @@ func TestProvider_NewArtifactRegistryCredentials(t *testing.T) {
 			creds, err := auth.GetArtifactRegistryCredentials(context.Background(), provider, artifactRepository, opts...)
 			g.Expect(err).NotTo(HaveOccurred())
 			g.Expect(creds).To(Equal(&auth.ArtifactRegistryCredentials{
-				Authenticator: authn.FromConfig(authn.AuthConfig{
+				Authenticator: &authn.Basic{
 					Username: "00000000-0000-0000-0000-000000000000",
 					Password: refreshToken,
-				}),
+				},
 				ExpiresAt: time.Unix(exp, 0),
 			}))
 		})

@@ -14,5 +14,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// auth is a package for handling secret-less authentication with cloud providers.
+// auth is a package for handling short-lived credentials.
+// Flux APIs using this package will never pass in contents
+// of a Secret specified directly in the API object under
+// reconciliation. Instead, options to generate short-lived
+// credentials on-the-fly shall be provided. The package
+// supports caching of generated credentials to avoid
+// rate-limiting by external services that are part of
+// the credential generation process.
 package auth
@@ -157,7 +157,7 @@ func (p Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken strin
 	return &Token{*token}, nil
 }
 
-// GetAccessTokenOptionsForArtifactRepository implements auth.Provider.
+// GetAccessTokenOptionsForArtifactRepository implements auth.ArtifactRegistryCredentialsProvider.
 func (Provider) GetAccessTokenOptionsForArtifactRepository(string) ([]auth.Option, error) {
 	// GCP does not require any special options to retrieve access tokens.
 	return nil, nil
@@ -167,8 +167,8 @@ const registryPattern = `^(((.+\.)?gcr\.io)|(.+-docker\.pkg\.dev))$`
 
 var registryRegex = regexp.MustCompile(registryPattern)
 
-// ParseArtifactRepository implements auth.Provider.
-func (Provider) ParseArtifactRepository(artifactRepository string) (string, error) {
+// ParseArtifactRepository implements auth.ArtifactRegistryCredentialsProvider.
+func (p Provider) ParseArtifactRepository(artifactRepository string) (string, error) {
 	registry, err := auth.GetRegistryFromArtifactRepository(artifactRepository)
 	if err != nil {
 		return "", err
@@ -181,31 +181,31 @@ func (Provider) ParseArtifactRepository(artifactRepository string) (string, erro
 
 	// The artifact repository is irrelevant for issuing GCP registry credentials,
 	// just return the provider name for inclusion in the cache key.
-	return ProviderName, nil
+	return p.GetName(), nil
 }
 
-// NewArtifactRegistryCredentials implements auth.Provider.
+// NewArtifactRegistryCredentials implements auth.ArtifactRegistryCredentialsProvider.
 func (Provider) NewArtifactRegistryCredentials(_ context.Context, _ string,
 	accessToken auth.Token, _ ...auth.Option) (*auth.ArtifactRegistryCredentials, error) {
 
 	t := accessToken.(*Token)
 
 	return &auth.ArtifactRegistryCredentials{
-		Authenticator: authn.FromConfig(authn.AuthConfig{
+		Authenticator: &authn.Basic{
 			Username: "oauth2accesstoken",
 			Password: t.AccessToken,
-		}),
+		},
 		ExpiresAt: t.Expiry,
 	}, nil
 }
 
-// GetAccessTokenOptionsForCluster implements auth.Provider.
+// GetAccessTokenOptionsForCluster implements auth.RESTConfigProvider.
 func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.Option, error) {
 	// A single token is needed. No options.
 	return [][]auth.Option{{}}, nil
 }
 
-// NewRESTConfig implements auth.Provider.
+// NewRESTConfig implements auth.RESTConfigProvider.
 func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
 	opts ...auth.Option) (*auth.RESTConfig, error) {
 

@@ -274,14 +274,12 @@ func TestProvider_NewArtifactRegistryCredentials(t *testing.T) {
 	creds, err := auth.GetArtifactRegistryCredentials(context.Background(), provider, "gcr.io",
 		auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}))
 	g.Expect(err).NotTo(HaveOccurred())
-	g.Expect(creds).NotTo(BeNil())
-	g.Expect(creds.ExpiresAt).To(Equal(exp))
-	g.Expect(creds.Authenticator).NotTo(BeNil())
-	authConf, err := creds.Authenticator.Authorization()
-	g.Expect(err).NotTo(HaveOccurred())
-	g.Expect(authConf).To(Equal(&authn.AuthConfig{
-		Username: "oauth2accesstoken",
-		Password: "access-token",
+	g.Expect(creds).To(Equal(&auth.ArtifactRegistryCredentials{
+		Authenticator: &authn.Basic{
+			Username: "oauth2accesstoken",
+			Password: "access-token",
+		},
+		ExpiresAt: exp,
 	}))
 }
 

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package generic
+package serviceaccounttoken
 
 import "os"
 

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package generic_test
+package serviceaccounttoken_test
 
 import (
 	"testing"

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package generic
+package serviceaccounttoken
 
 import (
 	"context"
@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/go-containerregistry/pkg/authn"
 	authnv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -32,15 +33,21 @@ import (
 	"github.com/fluxcd/pkg/auth"
 )
 
-// ProviderName is the name of the generic authentication provider.
+// ProviderName is the name of the provider implemented by this package.
+// Only the Kustomization and HelmRelease APIs refer to this package as
+// a provider for historical reasons. New APIs should refer to it as the
+// ServiceAccountToken credential provider (see CredentialName).
 const ProviderName = "generic"
 
+// CredentialName is the name of the credential type implemented by this package.
+const CredentialName = "ServiceAccountToken"
+
 // Provider implements the auth.Provider interface for generic authentication.
 type Provider struct{ Implementation }
 
 // GetName implements auth.RESTConfigProvider.
 func (p Provider) GetName() string {
-	return ProviderName
+	return CredentialName
 }
 
 // NewControllerToken implements auth.RESTConfigProvider.
@@ -132,6 +139,31 @@ func (Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken string,
 	}, nil
 }
 
+// GetAccessTokenOptionsForArtifactRepository implements auth.ArtifactRegistryCredentialsProvider.
+func (Provider) GetAccessTokenOptionsForArtifactRepository(string) ([]auth.Option, error) {
+	// No special options are needed to get an access token for artifact registry.
+	return nil, nil
+}
+
+// ParseArtifactRepository implements auth.ArtifactRegistryCredentialsProvider.
+func (p Provider) ParseArtifactRepository(artifactRepository string) (string, error) {
+	// The artifact repository is irrelevant for issuing the ServiceAccount token,
+	// just return the provider name for inclusion in the cache key.
+	return p.GetName(), nil
+}
+
+// NewArtifactRegistryCredentials implements auth.ArtifactRegistryCredentialsProvider.
+func (p Provider) NewArtifactRegistryCredentials(ctx context.Context, registryInput string,
+	accessToken auth.Token, opts ...auth.Option) (*auth.ArtifactRegistryCredentials, error) {
+
+	token := accessToken.(*Token)
+
+	return &auth.ArtifactRegistryCredentials{
+		Authenticator: &authn.Bearer{Token: token.Token},
+		ExpiresAt:     token.ExpiresAt,
+	}, nil
+}
+
 // GetAccessTokenOptionsForCluster implements auth.RESTConfigProvider.
 func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.Option, error) {