Temporary workaround to allow toggling redirects to storage backends on a per-repository basis
Problem to solve
As an intermediate step towards a final solution relying on the metadata database (#211), we need a temporary solution to allow admins to disable the redirection to storage backends when downloading blobs from specific repositories, as described in #211 (comment 430880300).
Please see #211 for additional context.
Intended users
User experience goal
Allow admins to bypass storage redirects when downloading blobs from specific repositories.
Proposal
Add a new parameter to the registry configuration file where admins can maintain a list of regular expressions. Blob download requests for repositories whose path matches one of these regular expressions would not be redirected to the storage backend but rather be served by the registry. Essentially a redirect bypass.
The registry configuration file (truncated) would look something like this:
storage:
gcs:
bucket: ...
keyfile: ...
redirect:
disable: false
exceptions: # new section
- group-a/project-a.* # bypass for repository `project-a` within group `group-a`, and any sub repositories it might have
- group-b/.* # bypass for any repositories within group `group-b`
Documentation
Changes will be documented in the Container Registry configuration docs.
What does success look like, and how can we measure that?
Admins are able to configure a set of regular expressions in the registry configuration file that allow bypassing storage redirects when downloading blobs from specific repositories.