
Include referrers data for container repository tags query

What does this MR do and why?

On the Project -> Settings -> Deploy -> Container Registry page, we show a list of Docker container tags:

[Screenshot: ksnip_20240506-161709]

Each tag can be signed with a signature. We recently added the ability to fetch signatures in the GraphQL query. This MR actually does the fetching by sending a referrers: true variable to the GraphQL query. Note that this MR only fetches the signatures but doesn't use them; a follow-up MR will show them in the UI.

How to set up and validate locally

It's extremely involved to set up a local environment that can create the signatures and return them in the GraphQL data. You can see what the production data looks like by running this query (source project):

GraphQL query
query {
  containerRepository(id:"gid://gitlab/ContainerRepository/6340028") {
    manifest(reference: "sha256:ce9645c76a4695781d93febc2c259fe70b29c7d3bc9ad3750337e783ba1029da")
    tags(first: 100, referrers: true) {
      nodes {
        digest
        name
        referrers {
          artifactType
          digest
        }
      }
    }
  }
}

But locally, we will just verify that the GraphQL query is sending the referrers variable for the query rather than checking the response.

  1. On your local machine, you must set up Docker and a local GitLab runner using the docker executor.
  2. Stop your local GDK.
  3. Edit your config/gitlab.yml file. Find the top-level registry: key and change enabled: false to enabled: true:
     registry:
       enabled: true
  4. Start your local GDK. Verify that the last line of output says A container registry is available at 127.0.0.1:5000.
  5. Clone this project locally: https://gitlab.com/bwill/container-signing/
  6. Check if the Settings -> Deploy -> Container Registry nav item is shown. If not, try restarting your GDK. This happens because the image is still starting up and is not ready by the time GDK has started. The registry stays running between GDK restarts.
  7. Run a pipeline against the master branch.
  8. Go to Settings -> Deploy -> Container Registry. There should be one registry shown. Click on it.
  9. A list of tags should be shown. Open DevTools and on the Network tab, verify that the getContainerRepositoryTags request is sending referrers: false:
     [Screenshot: ksnip_20240506-170630]
  10. Enable the :show_container_registry_tag_signatures feature flag.
  11. Refresh the tags list page. Verify that the getContainerRepositoryTags request is sending referrers: true this time.

Related to #442848

Edited by Daniel Tian
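
The DevTools check in the last validation steps can be scripted against a HAR export of the Network tab. This is an added example, not code from the MR or from GitLab; the sample HAR, its URLs, ids and the `someOtherQuery` operation are constructed, and accepting batched (array) request bodies is an assumption about how the client may send GraphQL operations.

```javascript
// Constructed sample: a trimmed HAR export of the tags page (DevTools > Network).
// URLs and ids are made up; only the fields the check reads are present.
const gql = (body) => ({
  request: {
    method: 'POST',
    url: 'http://127.0.0.1:3000/api/graphql',
    postData: { text: typeof body === 'string' ? body : JSON.stringify(body) },
  },
});
const sampleHar = {
  log: {
    entries: [
      { request: { method: 'GET', url: 'http://127.0.0.1:3000/assets/app.js' } },
      // Flag disabled: single-operation body.
      gql({ operationName: 'getContainerRepositoryTags',
            variables: { id: 'gid://gitlab/ContainerRepository/1', referrers: false } }),
      gql('not json'), // truncated or non-JSON bodies must not abort the scan
      // Flag enabled: same operation inside a batched (array) body.
      gql([{ operationName: 'someOtherQuery', variables: {} },
           { operationName: 'getContainerRepositoryTags',
             variables: { id: 'gid://gitlab/ContainerRepository/1', referrers: true } }]),
    ],
  },
};

// Returns the `referrers` variable of every matching operation, in request order.
// `undefined` means the operation was sent without the variable at all.
function referrersValuesInHar(har, operationName = 'getContainerRepositoryTags') {
  const seen = [];
  for (const entry of har?.log?.entries ?? []) {
    const req = entry.request ?? {};
    if (req.method !== 'POST' || !req.postData?.text) continue;
    let body;
    try { body = JSON.parse(req.postData.text); } catch { continue; }
    for (const op of Array.isArray(body) ? body : [body]) {
      if (op?.operationName !== operationName) continue;
      seen.push(op.variables?.referrers);
    }
  }
  return seen;
}

// The final step passes only if the most recent matching request sent `true`.
function lastRequestSendsReferrers(har) {
  const seen = referrersValuesInHar(har);
  return seen.length > 0 && seen[seen.length - 1] === true;
}

console.log(referrersValuesInHar(sampleHar), lastRequestSendsReferrers(sampleHar));
```

To run it on a real capture, parse the exported .har file as JSON and pass it in place of `sampleHar`.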
