
Add support for the nested repositories container registry access token

Context

For object storage visibility, we want to provide the size of all image repositories within a project.

Image repositories are stored in the container registry "within" the project full path.

For example, say we have the project my/awesome/project. Users can store image repositories such as my/awesome/project/foo, my/awesome/project/bar and my/awesome/project/foo/bar.

In short, the project full path will always be the prefix of image repository paths. (There are some limitations in place so that image repository paths cannot go arbitrarily deep below the project full path.)

To expose the image repositories size for a project, the container registry added a custom API that takes a path and can return the size of all repositories "below" that path: the self_with_descendants option. Reading that documentation, we can see:

An auth token with pull permissions for name <path>/* is required for the latter.

The Container Registry API authentication works with JWT tokens. For this endpoint, we will need two access structures in the token.

{
  "access": [
    {
      "actions": [
        "pull"
      ],
      "name": "gitlab-org/build/cng",
      "type": "repository"
    },
    {
      "actions": [
        "pull"
      ],
      "name": "gitlab-org/build/cng/*",
      "type": "repository"
    }
  ],
  // ...
}

That's issue #353555 (closed).

JWT tokens for the container registry are handled by the authentication service: Auth::ContainerRegistryAuthenticationService.

This MR updates that service so that we can produce such tokens.

Please note that for now, no code needs such tokens, but #347351 (closed) will need that token.

In other words, the plan is:

  1. support the new token and generate it from the authentication service. 👈 We're here
  2. update the existing APIs so that the image repositories deduplicated size is exposed.
    • This is where the new token will be needed.

🤔 What does this MR do and why?

  • Add .pull_nested_repositories_access_token class method to Auth::ContainerRegistryAuthenticationService.
  • Update the related specs.

🖼 Screenshots or screen recordings

n / a

How to set up and validate locally

  1. Have a GDK ready with container registry support.
  2. In a rails console, try to get a JWT token for nested repositories:
    Auth::ContainerRegistryAuthenticationService.pull_nested_repositories_access_token('my/awesome/project')
  3. This will give you an (encoded) JWT token. To decode it, you can simply use https://jwt.io/.
  4. Check that for the access array, you have 2 elements: one with my/awesome/project and one with my/awesome/project/*.
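The token shape and the check from the validation steps above, as an added Ruby example (not the service's own code): it builds the two access entries for a project path, signs them as an RS256 JWT with a throwaway key using only the standard library, then verifies the signature and that the decoded access array has exactly the <path> and <path>/* pull entries. The iat/nbf/exp claims and the 300-second lifetime are assumptions made for the example.

```ruby
require 'json'
require 'openssl'
# Base64url without padding, as JWT requires (stdlib only, no jwt gem needed).
def b64url(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m')
end

# Access entries for self_with_descendants: pull on the path and on "<path>/*".
def nested_repositories_access(project_path)
  [project_path, "#{project_path}/*"].map do |name|
    { 'type' => 'repository', 'name' => name, 'actions' => ['pull'] }
  end
end

# Minimal RS256 signer (throwaway key for this example, not the registry key).
def encode_jwt(payload, key)
  signing_input = [{ 'typ' => 'JWT', 'alg' => 'RS256' }, payload]
                  .map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Verify the RS256 signature and return the payload, or nil if anything is off.
def decode_jwt(token, public_key)
  header_b64, payload_b64, sig_b64 = token.split('.')
  return nil unless header_b64 && payload_b64 && sig_b64
  sig_ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_b64),
                             "#{header_b64}.#{payload_b64}")
  sig_ok ? JSON.parse(b64url_decode(payload_b64)) : nil
rescue OpenSSL::PKey::PKeyError, JSON::ParserError
  nil
end

# Validation-step check: two repository entries, <path> and <path>/*, pull only.
def grants_nested_pull?(payload, project_path)
  access = Array(payload['access'])
  names = access.select { |a| a['type'] == 'repository' && a['actions'] == ['pull'] }.map { |a| a['name'] }
  access.size == 2 && names.sort == [project_path, "#{project_path}/*"].sort
end

# Assemble a short-lived token (constructed example, not the service's own code).
def build_token(project_path, key, now = Time.now.to_i)
  payload = { 'access' => nested_repositories_access(project_path),
              'iat' => now, 'nbf' => now - 5, 'exp' => now + 300 }
  encode_jwt(payload, key)
end
```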

🚥 MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by David Fernandez
