Include referrers data for container repository tags query
What does this MR do and why?
On the Project
-> Settings
-> Deploy
-> Container Registry
page, we show a list of Docker container tags:
Each tag can be signed with a signature. We recently added the ability to fetch signatures in the GraphQL query. This MR actually does the fetching by sending a referrers: true
variable to the GraphQL query. Note that this MR only fetches the signatures but doesn't use it; a follow-up MR will show them in the UI.
How to set up and validate locally
It's extremely involved to set up a local environment that can create the signatures and return it in the GraphQL data. You can see what the production data looks like by running this query (source project):
GraphQL query
query {
containerRepository(id:"gid://gitlab/ContainerRepository/6340028") {
manifest(reference: "sha256:ce9645c76a4695781d93febc2c259fe70b29c7d3bc9ad3750337e783ba1029da")
tags(first: 100, referrers: true) {
nodes {
digest
name
referrers {
artifactType
digest
}
}
}
}
}
But locally, we will just verify that the GraphQL query is sending the referrers
variable for the query rather than checking the response.
- On your local machine, you must set up Docker and a local GitLab runner using the docker executor.
- Stop your local GDK.
- Edit your
config/gitlab.yml
file. Find the top-levelregistry:
key and changeenabled: false
toenabled: true
:
registry:
enabled: true
- Start your local GDK. Verify that the last line of output says
A container registry is available at 127.0.0.1:5000.
- Clone this project locally: https://gitlab.com/bwill/container-signing/
- Check if the
Settings
->Deploy
->Container Registry
nav item is shown. If not, try restarting your GDK. This happens because the image is still starting up and is not ready by the time GDK has started. The registry stays running between GDK restarts. - Run a pipeline against the master branch.
- Go to
Settings
->Deploy
->Container Registry
. There should be one registry shown. Click on it. - A list of tags should be shown. Open
DevTools
and on the Network tab, verify that thegetContainerRepositoryTags
request is sendingreferrers: false
:
- Enable the
:show_container_registry_tag_signatures
feature flag. - Refresh the tags list page. Verify that the
getContainerRepositoryTags
request is sendingreferrers: true
this time.
Related to #442848