Allow POST to jwt/auth during maintenance mode

What does this MR do and why?

Allow POST requests through to jwt/auth so that they return a 404 instead of a redirect during maintenance mode, to allow container image pulls.

Part of #490594 (closed)

For additional context, see this commit which adds the POST option to the jwt/auth route

Docker clients such as containerd often attempt to authenticate with OAuth2 via POST /jwt/auth (https://docs.docker.com/registry/spec/auth/oauth/#getting-a-token) before attempting to send a GET /jwt/auth request.

To avoid generating routing error noise in the logs, handle this route by returning 404 directly. This avoids additional database or Redis calls.

From the specification documentation on: https://distribution.github.io/distribution/spec/auth/oauth/

Note: Not all token servers implement oauth2. If the request to the endpoint returns 404 using the HTTP POST method, refer to Token Documentation for using the HTTP GET method supported by all token servers.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. In your local GitLab instance, enable maintenance mode (Admin > Settings > Maintenance mode)
  2. Execute a basic POST request from your terminal with curl -X POST -i http://127.0.0.1:3000/jwt/auth
  3. The above should return a 404 Not found (the same behaviour as when maintenance mode is off)
Edited by Gabriel Mazetto
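
The behaviour described above, as an added example that is not code from this merge request or from GitLab: a simplified Rack-style model of a maintenance-mode gate with an exact method-and-path allowlist, and a model registry client that falls back to GET only when POST returns 404, as in the specification note quoted above. The names `MaintenanceGate`, `ALLOWED_WRITES`, `APP` and `fetch_token` are hypothetical.

```ruby
# Simplified model (constructed for illustration; not GitLab's middleware).
WRITE_METHODS = %w[POST PUT PATCH DELETE].freeze
# Hypothetical allowlist: write requests that may pass during maintenance mode.
ALLOWED_WRITES = [['POST', '/jwt/auth']].freeze

# Downstream app: only GET /jwt/auth issues a token; POST is answered with 404.
APP = lambda do |env|
  if env['PATH_INFO'] == '/jwt/auth' && env['REQUEST_METHOD'] == 'GET'
    [200, { 'content-type' => 'application/json' }, ['{"token":"constructed"}']]
  else
    [404, {}, ['Not Found']]
  end
end

# Rack-style gate: in maintenance mode, redirect writes not on the allowlist.
class MaintenanceGate
  def initialize(app, maintenance:, allowlist: ALLOWED_WRITES)
    @app = app
    @maintenance = maintenance
    @allowlist = allowlist
  end

  def call(env)
    key = [env['REQUEST_METHOD'], env['PATH_INFO']]
    if @maintenance && WRITE_METHODS.include?(key[0]) && !@allowlist.include?(key)
      return [302, { 'location' => '/' }, []]
    end
    @app.call(env)
  end
end

# Model registry client: POST first, fall back to GET only when POST returns 404.
def fetch_token(stack)
  post = stack.call('REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/jwt/auth')
  return :token_via_post if post[0] == 200
  return :"failed_#{post[0]}" unless post[0] == 404

  get = stack.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/jwt/auth')
  get[0] == 200 ? :token_via_get : :"failed_#{get[0]}"
end

blocked = MaintenanceGate.new(APP, maintenance: true, allowlist: [])
allowed = MaintenanceGate.new(APP, maintenance: true)
puts fetch_token(blocked) # POST is redirected, so the client never tries GET
puts fetch_token(allowed) # POST returns 404, so the client falls back to GET
```

Because the allowlist matches the exact method and path, every other write request is still redirected while maintenance mode is on.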
