Packageless

Pull the internet once

Private registries and pull-through caches for every ecosystem your builds use, declared as Kubernetes resources. Stock clients, native protocols, one storage model.

Nothing in your toolchain has to know it’s there

Every service speaks its ecosystem’s real registry protocol rather than a proprietary API, so your existing commands, lockfiles, and CI steps keep working unchanged.

EcosystemPrivate registryPublic cache
npm
PyPI
Cargo
pub
Maven
apt

Private hosting for pub, Maven, and apt is on the roadmap, as are Go modules and further ecosystems — adding one is a type, a thin controller, and a service image, so tell us which you need.

Caching that can’t serve you a stale latest

Most caches make you choose between freshness and hit rate, then hand you a TTL dial to get it wrong with. This one splits the difference by type.

Metadata

Always live, never cached

Packuments, simple index pages, index files, and apt release files are proxied straight to the upstream on every request. Version ranges and dist-tags resolve against the truth.

Artifacts

Cached on first miss, forever after

Tarballs, wheels, crates, jars, and debs are immutable, so they are stored on the volume the first time anyone asks. Every response says whether it was a hit.

The part that ties it together

Artifact URLs inside the fetched live metadata are rewritten to point back at the cache. So the client resolves against fresh upstream metadata, then downloads through the cache and populates it. No TTL tuning, and no window where you get an old answer.

One model, every artifact your builds touch

Language packages are where it starts, not where it stops.

Private registries

Host internally published packages that should never leave the cluster. Publishes are verified against their declared checksum and are immutable once accepted.

  • npm, PyPI, and Cargo publishing
  • Checksum verified on upload
  • Republishing different bytes is rejected
  • Scope restrictions on who may publish what

Pull-through caches

Six ecosystems of public dependency caching, so a given version crosses your network boundary at most once no matter how many pipelines want it.

  • npm, PyPI, Cargo, pub, Maven, apt
  • Hit or miss reported per response
  • Survives upstream rate limits
  • Builds keep working through upstream outages

Container image cache

A pull-through proxy for public container registries plus a shared build engine, so base images and layer pulls stay inside the cluster.

  • Docker Hub and Quay by default
  • Registry credentials lift Docker Hub rate limits
  • Shared build engine for pipeline builds
  • Additional upstreams are configurable

Compiler object cache

A shared sccache backend over a single volume, so Rust and C/C++ objects compiled by one pipeline are reused by the next.

  • Shared across pipelines and branches
  • Standard sccache WebDAV backend
  • Falls back to a local cache when unset
  • Wired into library build steps

Large binary artifacts

Versioned, content-addressed objects for things too big to sit in a package registry, such as model snapshots and build outputs.

  • Content-addressed by digest
  • Large objects redirect to storage, not proxied
  • Resumable range downloads
  • Bearer token auth enforced

Delivery into running pods

Push a resolved package version into pods that opt in by label, without a rebuild or a redeploy, with an optional reload command the app defines.

  • Latest, pinned, or published-before policies
  • Concurrency and pod-age controls
  • Idempotent, stamped per pod
  • npm and Cargo today
The inverse of every artifact manager

Publish a version. It arrives.

Every artifact manager on the market waits to be asked. This one can deliver a newly published package straight into the pods that need it — no rebuild, no redeploy, no agent, no sidecar.

01

Pods opt in by label

A pod carries a label saying it wants a package. Nothing is pushed anywhere that did not ask for it.

02

The version resolves and streams in

On publish, the resolved artifact is fetched once from the in-cluster registry and streamed into each matching pod, stamped so it is never delivered twice.

03

Your app decides what reload means

An optional reload command you define runs after the drop. The platform stays dumb about your process model, because it should be.

The rollout rule worth stealing

By default only stale pods receive a delivery — a pod scheduled after the publish already pulled the new version on its own, so pushing to it would be redundant. Combined with concurrency limits and a minimum pod age, a fleet-wide dependency update rolls out without a deploy and without a thundering herd.

A registry is a resource, not a project

Teams don’t file a ticket and wait for someone to stand up another registry server. They declare the one they need and the platform provisions it.

  • One storage model everywhere

    Every registry and cache embeds the same storage type, so storage class and sizing are set once in a shared profile and inherited structurally.

  • Shared defaults, per-resource overrides

    A profile carries the defaults for a namespace. Individual resources override only what they need, and what actually got resolved is reported on status.

  • Published versions are queryable

    Every publish records a version resource, so you can see what shipped with kubectl without needing network access to the registry itself.

Routing consumers to the caches

Pods across the cluster get their default package registries injected by policy, and CI pipelines get per-build config files written into the workspace. Both are opt-out per pod.

Why config files, not just environment

Some toolchains only honor source replacement from a config file. Cargo is the clearest example, which is why per-build config writing exists alongside environment injection rather than instead of it.

Known edge

Dependencies pulled inside a container build don’t inherit pod environment, so those are routed through the build configuration instead.

More in Packageless

Durability, access control, and reach across every ecosystem your builds touch.

Durable object storage as source of truth

Blob storage becomes authoritative and the local volume becomes a disposable read-through cache. Lose a volume, rebuild it from blob. Write-through mode means a publish is not acknowledged until the bytes are durable. S3, Azure Blob, GCS, MinIO, and R2 behind one interface.

Authentication, RBAC, and policy-enforced access

Bearer-token auth across every registry kind, scoped publish rights through platform-wide Sampleless RBAC, and admission-time access policy enforced by Driftless. Transport encryption comes from service-mesh mTLS rather than per-registry certificates. This lands before Packageless is released beyond a single operated cluster.

Multi-replica registries

Horizontal scale-out using compare-and-swap on the small mutable metadata. Immutable artifacts need no coordination at all, which is what makes this tractable.

Cache eviction and garbage collection

Least-recently-used eviction of re-fetchable artifacts once blob is the source of truth, plus mark-and-sweep collection of unreferenced content.

Private registries for pub, Maven, and apt

Publishing, not just caching, for the three ecosystems that are cache-only today. The pattern is identical to the three that already accept publishes.

Nodes pulling images from the in-cluster registry

Your own built images served to kubelet from inside the cluster, so a node replacement does not go out to a cloud registry at all.

Go modules and further ecosystems

Adding an ecosystem is a type, a thin controller, and one service image — storage, profiles, caching, and access logging come free. Tell us which one you need.

Adding an ecosystem here is mechanical by design. Tell us which one you need and we’ll give you a date.

Frequently asked questions

Why not just run Artifactory or Nexus?
If you need vulnerability scanning or a mature permissions UI today, run them — they do that better. Packageless wins when registries are something teams should declare rather than something you operate. One resource per registry, one storage policy inherited across every ecosystem, no per-team server to maintain.
What happens to my builds if the cache goes down?
Anything already cached keeps resolving. New packages nobody has fetched before will block until the cache is back, which is the honest cost of routing resolution through one. Private registries hold the only copy of your internal packages, so their storage is provisioned to be retained rather than reconstructed.
Do I have to change how my developers work?
No. npm install, pip install, cargo publish, twine upload, and apt-get behave exactly as they do now, because each service speaks the real protocol rather than a proprietary API. The registry URL changes, and inside a Sampleless cluster that is configured for you.
Will it serve me a stale version?
No. Package metadata is always fetched live from upstream, so latest, version ranges, and dist-tags resolve against the truth every time. Only immutable artifacts are stored locally. You get cache hit rates without the class of bug where a build resolves to yesterday.
Who can publish, and who decides?
Tokens authenticate the client, platform RBAC decides which identities publish to which repositories, and Driftless enforces the cluster rules on top — approved upstreams only, signatures required, whatever you declare. Three layers, one place to change them.
What does this actually save us?
Every dependency version crosses your network boundary once instead of once per build, per agent, per developer. For a fleet doing hundreds of builds a day that is most of your registry egress and most of your exposure to upstream rate limits and outages.

Stop paying for the same download

See what your build fleet actually pulls, and how much of it it pulls more than once.