Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add registry support #1094

Merged
merged 49 commits into from
Apr 17, 2024
Merged

Add registry support #1094

merged 49 commits into from
Apr 17, 2024

Conversation

jesusbv
Copy link
Collaborator

@jesusbv jesusbv commented Feb 19, 2024

Description

Add registry support to RMT

Change Type

Please select the correct option.

  • Bug Fix (a non-breaking change which fixes an issue)
  • New Feature (a non-breaking change which adds new functionality)
  • Documentation Update (a change which only updates documentation)

Checklist

Please check off each item if the requirement is met.

  • I have verified that my code follows RMT's coding standards with rubocop.
  • I have reviewed my own code and believe that it's ready for an external review.
  • I have provided comments for any hard-to-understand code.
  • I have documented the MANUAL.md file with any changes to the user experience.
  • RMT's test coverage remains at 100%.
  • If my changes are non-trivial, I have added a changelog entry to notify users at package/obs/rmt-server.changes.

Other Notes

Please use this space to provide notes or thoughts to the team, such as tips on how to review/demo your changes.

@jesusbv
Add registry engine
373c9ec 
Add registry engine
Add login support:
  auth based on SCC credentials -> username + password
@jesusbv
Add access to pull images
2275f84 
Currently, allow any access
@jesusbv
Update README and gitignore
3677601 
Same patterns as other engines for gitignore
@jesusbv jesusbv self-assigned this Feb 19, 2024
rjschwei
rjschwei requested changes Feb 23, 2024
View reviewed changes
@jesusbv
Update README
6a9bda3
@jesusbv
Change registry service name
f82ed36
@jesusbv
Better structure
a0039ae 
- Add cert in config/application.rb
  Must match the cert of the registry
@jesusbv
Fixes
463d5e8 
- Fix AccessScope class
- Fix token key
bear454
bear454 reviewed Mar 15, 2024
View reviewed changes
jesusbv
jesusbv commented Mar 21, 2024
View reviewed changes
config/application.rb Outdated
File.read('/etc/rmt/ssl/rmt-server.key')
)
config.registry_public_key = config.registry_private_key.public_key
config.access_policies = '/etc/rmt/access_policies.yml'
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other option is to add the path to /etc/rmt.conf

@jesusbv
Check access policies
9ad9503 
Add a check for the requested path,
granting pull access if said path is allowed
or denying any access it otherwise
@jesusbv jesusbv force-pushed the add-registry-support branch from 0c95bee to 9ad9503 Compare March 21, 2024 15:31
rjschwei
rjschwei reviewed Mar 21, 2024
View reviewed changes
jesusbv added 3 commits March 22, 2024 13:24
@jesusbv
Add catalog access
7d1cebe 
- Add nginx redirect for /v2/_catalog
- Add catalog check
@jesusbv
Update method to use systems
77bbcce
@jesusbv
Add access policies
a7f067e 
- Check activated products with the access policy
- Add free products (free products were added recently to the yaml file)
- Add rake task to refresh cache for repositories from catalog
- Return full path from catalog
@bear454
Copy link
Member

bear454 commented Apr 12, 2024

The latter, split config, I think having the two configs separate is better, I updated the PR now to reflect that

Do you think one file is better ?

I think it's fine as long as it's been proven to work with both podman and docker.

@rjschwei
Copy link
Member

The latter, split config, I think having the two configs separate is better, I updated the PR now to reflect that
Do you think one file is better ?

I think it's fine as long as it's been proven to work with both podman and docker.

Separate config is preferable, that allows a 3rd party that doesn't want to run the registry to not install the config and then the paths are not available.

@bear454
Copy link
Member

bear454 commented Apr 12, 2024

The latter, split config, I think having the two configs separate is better, I updated the PR now to reflect that
Do you think one file is better ?

I think it's fine as long as it's been proven to work with both podman and docker.

I'm withdrawing my objection here - as docker is incapable of searching via an authenticated endpoint, and only uses the unauthenticated /v1/search method. So, search of our registry will only be capable via podman.

@bear454
Copy link
Member

bear454 commented Apr 12, 2024

The latter, split config, I think having the two configs separate is better, I updated the PR now to reflect that
Do you think one file is better ?

I think it's fine as long as it's been proven to work with both podman and docker.

Separate config is preferable, that allows a 3rd party that doesn't want to run the registry to not install the config and then the paths are not available.

Well, the problem is around search. Because we want to emulate the behavior of SCC, where the /v2/_catalog API endpoint is overriden, and served by rmt instead of distribution, there is an intimate linking. The two-config solution requires that the registry config introduce a 302 REDIRECT on that API endpoint, which also means the rmt FQDN needs to be specified in the config.

With one config file, the v2/_catalog API endpoint is overridden not to a 302 REDIRECT but directly served by the defined rmt application, as part of the reverse proxy configuration. The client doesn't see a redirect (that's not defined in the registry API) and get served the direct results on the original request. But yes, both rmt and registry vhosts have to be defined in the same file for that to work.

@rjschwei
Copy link
Member

The latter, split config, I think having the two configs separate is better, I updated the PR now to reflect that
Do you think one file is better ?

I think it's fine as long as it's been proven to work with both podman and docker.

Separate config is preferable, that allows a 3rd party that doesn't want to run the registry to not install the config and then the paths are not available.

Well, the problem is around search. Because we want to emulate the behavior of SCC, where the /v2/_catalog API endpoint is overriden, and served by rmt instead of distribution, there is an intimate linking. The two-config solution requires that the registry config introduce a 302 REDIRECT on that API endpoint, which also means the rmt FQDN needs to be specified in the config.

With one config file, the v2/_catalog API endpoint is overridden not to a 302 REDIRECT but directly served by the defined rmt application, as part of the reverse proxy configuration. The client doesn't see a redirect (that's not defined in the registry API) and get served the direct results on the original request. But yes, both rmt and registry vhosts have to be defined in the same file for that to work.

OK, thanks for the the details, then we are stuck with one config. But thta also means we should have 1 config, i.e. the existing config file should change rather than adding a new one.

@jesusbv
One single file for nginx conf of RMT server and registry
e616e17 
- Redirect to RMT server on NGINX conf
- Update config routes on RMT for Registry engine
@jesusbv jesusbv force-pushed the add-registry-support branch from 3c9d52c to e616e17 Compare April 15, 2024 19:11
felixsch
felixsch reviewed Apr 16, 2024
View reviewed changes
@jesusbv jesusbv force-pushed the add-registry-support branch from 5b18dca to 73721aa Compare April 16, 2024 13:07
@jesusbv jesusbv force-pushed the add-registry-support branch from 8b67f2b to 7c96808 Compare April 16, 2024 13:54
@rjschwei
Copy link
Member

What's missing, I think, is the cache handling. We had agreed that clients that access the registry have a longer TTL than access to the repositories. Anyway, that change should come in a separate PR. This PR is big enough as it is and we have not made the desired timely progress in getting it merged.

@bear454
Copy link
Member

bear454 commented Apr 17, 2024

What's missing, I think, is the cache handling. We had agreed that clients that access the registry have a longer TTL than access to the repositories. Anyway, that change should come in a separate PR. This PR is big enough as it is and we have not made the desired timely progress in getting it merged.

Yes, agreed, this needs to be in a separate PR.

bear454
bear454 approved these changes Apr 17, 2024
View reviewed changes
Copy link
Member

@bear454 bear454 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are still some magic strings in the code, but we can work on moving them out in subsequent PRs. That this is working, has a reliable config, and test coverage is good enough. Let's get rolling.

bear454
bear454 reviewed Apr 17, 2024
View reviewed changes
engines/registry/app/models/access_token.rb
hash['iss'] = 'RMT' # "matching issuer in registry auth token config"
hash['sub'] = @account
hash['aud'] = @service
hash['exp'] = Time.now.getlocal.to_i + (5 * 60) # expires at
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per the spec, this needs to default to 8 hours, and be configurable server side. We'll add that in a subsequent PR.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cwh42 sounds like we should implement the 8h default in SCC, too then?

@jesusbv
Copy link
Collaborator Author

jesusbv commented Apr 17, 2024

What's missing, I think, is the cache handling. We had agreed that clients that access the registry have a longer TTL than access to the repositories. Anyway, that change should come in a separate PR. This PR is big enough as it is and we have not made the desired timely progress in getting it merged.

Yes, agreed, this needs to be in a separate PR.

Agree, yes, cache is not on this PR, and it should go on a different PR

@jesusbv jesusbv merged commit cd4559e into master Apr 17, 2024
3 checks passed
@jesusbv jesusbv deleted the add-registry-support branch April 17, 2024 14:52
@ngetahun ngetahun mentioned this pull request Apr 18, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bear454 bear454 bear454 approved these changes

@felixsch felixsch felixsch left review comments

@rjschwei rjschwei rjschwei approved these changes

@digitaltom digitaltom Awaiting requested review from digitaltom

@cwh42 cwh42 Awaiting requested review from cwh42

Assignees

@jesusbv jesusbv

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jesusbv @bear454 @rjschwei @cwh42 @digitaltom @felixsch