
Dependency Proxy default host group-level setting

🥝 Proposal

In #331730 (closed) we made it possible to change the default host for the dependency proxy so alternative registries can be used outside of DockerHub.

Task 2: Allow groups to override the default dependency proxy host so they can set a different public registry as default than DockerHub (the GitLab.com instance-level default). This will allow individual groups on both SaaS and self-managed to override the application default.

  1. Add settings to a new namespace_dependency_proxy_settings table:

    We want to use a new table because we will eventually have a one-to-many relationship between namespaces and dependency proxy hosts.

    id
    namespace_id
    default_host
    dependency_proxy_type

    The dependency_proxy_type will be an enum, initially only containing container as a value. This is so we can eventually extend to include package formats as well.

    Although I'm describing a specific solution, if it makes more sense to not plan things this far so soon, feel free to modify the design.

    These settings should be found in the group-level Packages & Registries settings as well as the group-level API. There will be some GraphQL work to give the frontend access to these settings.

  2. Update the logic in the DependencyProxy::RequestTokenService flow and the values in DependencyProxy::Registry so that if a group setting is present, it will override the instance-level setting.

    If the image fails to be found, we should consider if we want to use the instance-level to fall back on. The next set of issues will allow groups to configure multiple registries which will create a fallback path, allowing users to be explicit with which registries they do and don't want to fall back to, whereas falling back on the instance-level allows no way to prevent that, which could present a security risk. The benefit of the fallback is so users can set something like DockerHub at the instance-level and not have to worry about setting it for each group if they always want to be able to fall back to DockerHub.

    Question?

    Should the group level settings cascade downward? Meaning, if I set the setting on a top level group, should all subgroups use the group level setting unless they too override it?

  3. Usage ping data for number of groups with a configured registry.

📄 Related issues and epics

Edited by 🤖 GitLab Bot 🤖
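
The override, cascade and fallback choices raised in step 2, modelled as an added example that is not part of the original issue and is not GitLab code. `Group`, `HostResolver`, the `cascade` and `instance_fallback` options, the host names and the catalog are all assumptions made for illustration.

```ruby
# Added illustration, not GitLab code: every name below is hypothetical.
Group = Struct.new(:name, :parent, :default_host, keyword_init: true)

INSTANCE_DEFAULT_HOST = "registry-1.docker.io"       # sample instance-level default
TOP   = Group.new(name: "acme", default_host: "registry.internal.example")
SUB   = Group.new(name: "acme/platform", parent: TOP) # no setting of its own
OTHER = Group.new(name: "oss")                        # no setting anywhere

# Constructed sample data: which image names each registry would serve.
CATALOG = {
  "registry.internal.example" => ["acme/base:1.0"],
  "registry-1.docker.io"      => ["library/alpine:3.19", "acme/tools:2.0"]
}.freeze

class HostResolver
  def initialize(instance_default:, cascade: true, instance_fallback: false)
    @instance_default = instance_default
    @cascade = cascade
    @instance_fallback = instance_fallback
  end

  # Ordered list of registry hosts a pull for this group may contact.
  def hosts_for(group)
    configured = configured_host(group)
    return [@instance_default] if configured.nil?

    hosts = [configured]
    hosts << @instance_default if @instance_fallback
    hosts.uniq
  end

  # First host in the list that serves the image, or nil (pull fails closed).
  def resolve(group, image, catalog)
    hosts_for(group).find { |host| catalog.fetch(host, []).include?(image) }
  end

  private

  # Nearest setting on the group itself, then (if cascading) on its ancestors.
  def configured_host(group)
    node = group
    while node
      return node.default_host if node.default_host
      return nil unless @cascade
      node = node.parent
    end
    nil
  end
end
```

With `instance_fallback: false`, a group that has configured a host never contacts the instance-level registry, so an image missing from the group's registry fails instead of being served from a registry the group did not choose.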