Container registry JWT tokens for internal use (Rails API/UI) are not being marked with the eligibility flag when in migration mode
Context
In !63907 (merged) we introduced the required logic to drive the upcoming container registry migration using Rails feature flags (#335260 (closed)).
We do so by modifying the JWT tokens that Rails emits and that are then sent to the registry with every request. The modified tokens include a special migration_eligible flag which will tell the registry whether a new container repository should be migrated or not. It's important to note that this flag does not represent a new claim/grant or any kind of authorization; it's just used to communicate the value of a feature flag to the registry.
This logic continues to sit behind a feature flag introduced in !63907 (merged).
Problem
The code we changed in !63907 (merged) is for external use only; it is not used internally for the GitLab Rails API/UI. If an external client (e.g. Docker) is requesting a token (through the /jwt/auth endpoint), the migration eligibility flag will be added to the token, if applicable (here). However, for internal use, such as for listing tags through the Rails API or the UI, we are using a different code path to generate these tokens (here), and that code path hasn't been updated to inject the migration eligibility flag.
As a consequence, when in migration mode, listing or deleting tags through the Rails API/UI may fail because the token does not include the flag, and the registry is therefore unable to process the requests correctly.
Solution
Modify the internal function used to generate tokens for internal use so that they include the migration eligibility flag.
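The gap and the fix described above, as an added sketch that is not GitLab's own code: both token paths build their access entry through one shared helper, so the internal path cannot drift from the external one. All function names, the HS256 signing, the placement of the flag inside the access entry, and the sample repository paths are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-ins for the signing key and the feature-flag lookup.
SIGNING_KEY = 'constructed-demo-key'
MIGRATION_FLAG = { 'group/new-repo' => true }.freeze

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Hypothetical shared helper: builds one access entry and attaches the flag
# only in migration mode and only when a flag value exists for this path.
def access_entry(path, actions, migration_mode:)
  entry = { 'type' => 'repository', 'name' => path, 'actions' => actions }
  if migration_mode && MIGRATION_FLAG.key?(path)
    entry['migration_eligible'] = MIGRATION_FLAG[path]
  end
  entry
end

def sign(payload)
  head = b64url(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
  body = b64url(JSON.generate(payload))
  sig = b64url(OpenSSL::HMAC.digest('SHA256', SIGNING_KEY, "#{head}.#{body}"))
  "#{head}.#{body}.#{sig}"
end

# External path (/jwt/auth): the flag is injected, if applicable.
def external_token(path, actions, migration_mode:)
  sign('access' => [access_entry(path, actions, migration_mode: migration_mode)])
end

# Internal path before the fix: entry built by hand, so the flag is never set.
def internal_token_before(path, actions)
  sign('access' => [{ 'type' => 'repository', 'name' => path, 'actions' => actions }])
end

# Internal path after the fix: reuses the shared helper.
def internal_token_after(path, actions, migration_mode:)
  sign('access' => [access_entry(path, actions, migration_mode: migration_mode)])
end

# Returns the flag carried by the first access entry, or nil when absent.
def flag_in(token)
  payload = JSON.parse(Base64.urlsafe_decode64(token.split('.')[1]))
  payload['access'].first['migration_eligible']
end
```

A regression test along these lines would assert that, in migration mode, a token from the internal path decodes to the same flag value as one from the external path for the same repository.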