
Add authentication to registry configure rake task

João Pereira requested to merge 204839-rake-task-auth into master

What does this MR do?

Context

As part of #204839 (closed), in !31697 (merged) we added a new rake task (gitlab:container_registry:configure) to detect the Container Registry vendor, version and supported features on self-managed instances.

This works by querying the version check route (/v2) of the configured Container Registry API, parsing the response headers and saving the relevant information in application_settings.

Problem

While testing the rake task in staging, we realised that we were not getting a successful response from the registry API (see #204839 (comment 347426922)). The problem is that during the rake task execution there is no user set and therefore the request sent to the registry API doesn't include a JWT token.

Solution

The registry version check route enforces authentication, but not authorization. So as long as a valid JWT token is passed (it doesn't need any action/repository scope access permissions) a successful response will be returned.

This MR generates an "empty" JWT token, with no access permissions, and passes it to the registry client to authenticate the request from the rake task.

Related to #204839 (closed).

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Closes #204839 (closed)
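The distinction this MR relies on (the version check route authenticates the token but does not authorize any scope), sketched as an added example that is not code from this merge request or from GitLab. The key, issuer, audience, repository names and helper names are constructed for illustration; the claim layout is modelled on the registry token format, where an `access` list carries the granted scopes.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

KEY = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key, stands in for the issuer's key
AUD = 'container_registry'         # assumed audience value

def b64url(data) = Base64.urlsafe_encode64(data, padding: false)

# Issue a short-lived RS256 JWT; `access` is the list of granted scopes.
def issue_token(access:, ttl: 300, now: Time.now.to_i)
  claims = { iss: 'example-issuer', aud: AUD, iat: now, nbf: now,
             exp: now + ttl, jti: SecureRandom.uuid, access: access }
  input = "#{b64url({ typ: 'JWT', alg: 'RS256' }.to_json)}.#{b64url(claims.to_json)}"
  "#{input}.#{b64url(KEY.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Authentication only: signature, audience and validity window. Returns claims or nil.
def authenticate(token, now: Time.now.to_i)
  head, body, sig = token.to_s.split('.')
  return nil unless head && body && sig
  digest = OpenSSL::Digest.new('SHA256')
  return nil unless KEY.public_key.verify(digest, Base64.urlsafe_decode64(sig), "#{head}.#{body}")
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  return nil unless claims['aud'] == AUD && now >= claims['nbf'] && now < claims['exp']
  claims
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  nil
end

# Authorization: the requested action must appear in the token's access list.
def authorized?(claims, name:, action:)
  Array(claims['access']).any? do |a|
    a['type'] == 'repository' && a['name'] == name && Array(a['actions']).include?(action)
  end
end

# Model of the version check route: any authenticated token is enough.
def version_check(token) = authenticate(token) ? :ok : :unauthenticated

# Model of a repository route: authentication plus a matching scope.
def pull(token, repo)
  claims = authenticate(token)
  return :unauthenticated unless claims
  authorized?(claims, name: repo, action: 'pull') ? :ok : :denied
end
```

A token issued with `access: []` passes `version_check` but is denied by `pull`, so an "empty" token used for feature detection grants no repository access if it leaks during its lifetime.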
