Add authentication to registry configure rake task
What does this MR do?
Context
As part of #204839 (closed), in !31697 (merged) we added a new rake task (gitlab:container_registry:configure) to detect the Container Registry vendor, version and supported features on self-managed instances.
This works by querying the version check route (/v2) of the configured Container Registry API, parsing the response headers and saving the relevant information in application_settings.
Problem
While testing the rake task in staging, we realised that we were not getting a successful response from the registry API (see #204839 (comment 347426922)). The problem is that during the rake task execution there is no user set and therefore the request sent to the registry API doesn't include a JWT token.
Solution
The registry version check route enforces authentication, but not authorization. So as long as a valid JWT token is passed (it doesn't need any action/repository scope access permissions) a successful response will be returned.
This MR generates an "empty" JWT token, with no access permissions, and passes it to the registry client to authenticate the request from the rake task.
Related to #204839 (closed).
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Closes #204839 (closed)
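The "empty" token described under Solution, as an added example that is not code from this MR or from GitLab: a signed token with an empty access list passes authentication while authorizing no repository action. The function names, key, issuer and audience are assumptions made for illustration; the claim names follow the Docker registry token format, and the kid header a real registry expects is omitted.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# JWT segments are base64url without padding.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# RS256 token with an empty "access" claim: identifies a trusted issuer,
# grants no action on any repository.
def empty_registry_token(key, issuer:, audience:, ttl: 300, now: Time.now.to_i)
  header = { typ: 'JWT', alg: 'RS256' }
  claims = { iss: issuer, aud: audience, sub: '',
             iat: now, nbf: now, exp: now + ttl,
             jti: SecureRandom.uuid, access: [] }
  signing_input = [header, claims].map { |p| b64url(JSON.generate(p)) }.join('.')
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Authentication as the verifying side sees it: signature and validity window.
def verify_token(token, public_key, now: Time.now.to_i)
  head, body, sig = token.split('.')
  digest = OpenSSL::Digest.new('SHA256')
  valid = public_key.verify(digest, Base64.urlsafe_decode64(sig), "#{head}.#{body}")
  raise 'bad signature' unless valid
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  raise 'outside validity window' unless claims['nbf'] <= now && now < claims['exp']
  claims
end

# Authorization: is this action on this resource listed in the access claim?
def authorized?(claims, type, name, action)
  claims['access'].any? do |a|
    a['type'] == type && a['name'] == name && a['actions'].include?(action)
  end
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  token = empty_registry_token(key, issuer: 'example-issuer', audience: 'example-registry')
  claims = verify_token(token, key.public_key)
  puts "authenticated, access=#{claims['access'].inspect}"
  puts "pull allowed? #{authorized?(claims, 'repository', 'group/project', 'pull')}"
end
```

Keeping the lifetime short matters even for a token with no access list, since it is still a valid credential for any route that checks only authentication.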