Update Dependency Proxy container_image regex to allow 4 levels
What does this MR do and why?
As we prepare to extend the functionality of the Dependency Proxy to support additional external registries, we want to be sure we are able to support all image/tag names.
Currently, when pulling through the Dependency Proxy, the tag name can only have a single /, for example my/image:latest. This works with no problems because right now the Dependency Proxy only pulls images from DockerHub, which only allows one / in the format namespace/repository-name.
I this MR, we update to allow for 4 levels of /s.
Why 4 you might ask?
- The OCI spec includes a regex for repository names, which allows for an unbounded number of
/characters. We have chosen not to match the regex exactly because in the case we run into problems with an unbounded regex, reverting to a smaller number would be a breaking change. So we would rather start with a number and leave room to expand as needed. - The GitLab container registry is a prime candidate for use with the Dependency Proxy, and it allows for 3 levels deep.
So we've decided to start with one level more than we allow on our container registry.
Screenshots or screen recordings
Unfortunately, since the Dependency Proxy does not yet support any additional registries beyond DockerHub, there are no images available with more than one level, so this is not explicitly testable. However, we can test that the Dependency Proxy continues to work as expected:
→ docker pull gdk.test:3001/gitlab-org/dependency_proxy/containers/nginx:latest
latest: Pulling from gitlab-org/dependency_proxy/containers/nginx
5eb5b503b376: Pull complete
1ae07ab881bd: Pull complete
78091884b7be: Pull complete
091c283c6a66: Pull complete
55de5851019b: Pull complete
b559bad762be: Pull complete
Digest: sha256:bb129a712c2431ecce4af8dde831e980373b26368233ef0f3b2bae9e9ec515ee
Status: Downloaded newer image for gdk.test:3001/gitlab-org/dependency_proxy/containers/nginx:latest
gdk.test:3001/gitlab-org/dependency_proxy/containers/nginx:latestHow to set up and validate locally
Please read the section above about how we can not explicitly test multiple levels deep yet. This explains how to test that the Dependency Proxy is still working for existing single level deep images.
Enable the Dependency Proxy for your GDK instance and follow these docs to get up and running.
Note, if you are not using Docker Desktop, the main thing you need to be able to do is push and pull images from an insecure registry. I've been using https://github.com/abiosoft/colima to run the Docker daemon to do this. Please feel free to ping me if you need any help getting set up.
Once set up, you can pull an image:
docker login gdk.test:3001 # enter your local username/password or use a PAT
# Assuming `gitlab-org` group exists in your local environment
gdk.test:3001/gitlab-org/dependency_proxy/containers/nginx:latestMR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #345920 (closed)