Skip to content

Add global wave.inject-credentials flag to control proxy-pull credential injection#1088

Open
gavinelder wants to merge 3 commits into
masterfrom
ge/feat/inject-credentials
Open

Add global wave.inject-credentials flag to control proxy-pull credential injection#1088
gavinelder wants to merge 3 commits into
masterfrom
ge/feat/inject-credentials

Conversation

@gavinelder

Copy link
Copy Markdown
Contributor

Summary

Adds an installation-level configuration flag wave.inject-credentials (default true). When set to false, Wave no longer injects/brokers registry credentials on the proxy-pull path — RegistryProxyService.getCredentials returns no credentials — so images are expected to be pulled directly from the target registry using the caller's own credentials (for example an EC2 instance profile / IAM role). This gives pulls native attribution in the target registry's own logs and removes an unnecessary credential-brokering step where compute already has access.

Build, inspect and augmentation credential resolution use separate call sites and are unaffected. Default is true, so existing deployments behave exactly as before.

Changes

  • RegistryProxyService: @Value('${wave.inject-credentials:true}') flag; getCredentials returns null when disabled (the same anonymous path already used for public images).
  • application.yml: documented default wave.inject-credentials: true.
  • RegistryProxyServiceCredentialsTest: verifies the flag gates credential resolution (disabled → no provider call, null; enabled → delegates to the provider).

Scope

Scoped to Wave's registry-proxy credential injection (proxy pulls and request-time digest resolution). It does not change how image references are presented to clients, nor build/freeze/mirror credential brokering.

Testing

  • New RegistryProxyServiceCredentialsTest passes (2/2).
  • Existing RegistryProxyServiceTest is unchanged: its one failing case (should retrieve image digest) fails identically on master (it reaches a live registry), so no new failures are introduced by this change.

🤖 Generated with Claude Code

gavinelder and others added 3 commits July 16, 2026 16:25
…al injection

Introduce an installation-level flag 'wave.inject-credentials' (default true).
When false, RegistryProxyService no longer injects/brokers registry credentials
on the proxy-pull path (getCredentials returns null), so images are pulled
directly from the target registry with the caller's own credentials. Build,
inspect and augmentation credential resolution are unaffected. Default behaviour
is unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@gavinelder
gavinelder marked this pull request as ready for review July 16, 2026 15:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants