Validate user-generated regular expression issues with the Tag Cleanup Policy

Problem to solve

The GitLab Tag Cleanup Policy allows you to create a per-project expiration policy so that older tags and images are regularly removed from the Container Registry. When defining a policy, you may use a regular expression to determine which tags should be expired.

However, the container_repository:cleanup_container_repository job is spiking up to error rates of 25%. These errors are being caused by user-generated regular expressions that are considered invalid by Gitlab::UntrustedRegexp. If this is due to users having entered invalid regexes into the name_regex field and the users are unaware that the job is failing, it's likely these errors will continue to occur regularly as the job runs.

Intended users

User experience goal

  • Users are aware of when they have entered an invalid regex and have the opportunity to fix it before it fails.

Proposal

  • Set enabled = false when an expiration policy fails in this manner and somehow notify the user or admin that the policy has been disabled and must be fixed and re-enabled.
  • Add a validation that checks the input against the Gitlab::UntrustedRegexp rules.
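
A sketch of both proposal items, added here as an illustration and not taken from GitLab's code base: the pattern is compiled when the policy is saved, and a stored policy that fails to compile at job time is disabled with the error recorded. `Policy`, `compile_untrusted`, `name_regex_error` and `run_cleanup` are hypothetical names, and Ruby's built-in engine stands in for the RE2-backed Gitlab::UntrustedRegexp so the example runs without extra gems.

```ruby
# Added illustration; not GitLab source code. All names here are hypothetical.

# Stand-in for Gitlab::UntrustedRegexp.new, which raises RegexpError when RE2
# cannot compile a pattern. Ruby's engine accepts constructs RE2 rejects
# (lookarounds, backreferences), so a real validation must compile with the
# same engine the cleanup job uses, otherwise the two checks can disagree.
def compile_untrusted(pattern)
  Regexp.new(pattern.to_s)
end

# Minimal model of a stored policy: the regex, the enabled flag, last failure.
Policy = Struct.new(:name_regex, :enabled, :last_error)

# Save-time validation: returns nil when the pattern compiles, otherwise a
# message that can be shown next to the name_regex field.
def name_regex_error(pattern)
  compile_untrusted(pattern)
  nil
rescue RegexpError => e
  "name_regex is not a valid regular expression: #{e.message}"
end

# Job-time handling for policies stored before the validation existed: a
# pattern that fails to compile disables the policy and records why, instead
# of raising on every scheduled run.
def run_cleanup(policy, tags)
  return [] unless policy.enabled

  regex = compile_untrusted(policy.name_regex)
  tags.select { |tag| regex.match?(tag) }
rescue RegexpError => e
  policy.enabled = false
  policy.last_error = e.message
  []
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: glob-style and unbalanced patterns a user might type.
  ['.*-old', '*-old', '(release'].each do |pattern|
    puts "#{pattern.inspect}: #{name_regex_error(pattern) || 'ok'}"
  end
end
```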

Permissions and Security

  • There are no permissions changes required for this change

Documentation

Availability & Testing

What does success look like, and how can we measure that?

  • Success means the number of errors thrown for the image expiration policy drops to an acceptable level. We can measure this using our existing Sidekiq dashboard.
Edited by Tim Rizzi