Plugin repository pinning #28459
Plugin repository pinning #28459
Conversation
|
Design LGTM |
|
Distribution client change for class in resource Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Expose registry error translation for plugin distribution Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
5092196 to
a12b466
Compare
|
ping @anusha-ragunathan @vieux is this needed for 1.13? |
|
@thaJeztah this is intended for 1.13. Still getting hub changes propagated to get tests passing. |
|
Thanks! Adding to the milestone |
|
@dmcgowan CI fails are definitely related. |
|
@LK4D4 I understand that, unfortunately these tests are still relying on the hub which required an update in order to pass. Looks like that update has gone out and I will have the tests re-run. Since testing this change requires a token server I added tests in the distribution integration tests to verify, although it is not yet run by CI since it is not in a Docker release yet. Feel free to have a look at them here distribution/distribution#2085 🐔 🥚 |
|
CI is now passing, PTAL |
|
Ping @aaronlehmann @stevvooe |
|
LGTM |
| Actions: actions, | ||
| } | ||
|
|
||
| // Keep image repositories blank for scope compatibility |
There was a problem hiding this comment.
This doesn't seem quite right. The field should be ignored by old registries. Shouldn't it just be set?
There was a problem hiding this comment.
This is to keep the change isolated to plugins for now. By setting this value any token server would require being updated in order to handle plugins, while this change allows existing token servers to work without supporting the specification update. Older registries will handle additional fields in the JSON just fine but this gets sent to the token server first.
There was a problem hiding this comment.
Shouldn't we just start sending the field anyways? If we keep this isolated to plugins, won't that just continue to propagate that these are special-cased?
There was a problem hiding this comment.
This RepositoryScope is from the client auth package, this does not get serialized to JSON but to https://github.com/docker/distribution/blob/master/docs/spec/auth/scope.md#resource-scope-grammar. So it is not just
8000
a matter of ignoring the field, but parsing the scope according to the updated grammar. We cannot require authorization servers immediately support the expanded grammar. We probably need a method to inform the authorization servers and give them time to support it though for a future release.
There was a problem hiding this comment.
I see. Shouldn't we hide those details behind the token manager? How do we intend to resolve support for this when we add it to repositories?
There was a problem hiding this comment.
It is reasonable to hide those details, the reason I didn't in this case is because if we were to hide that then the scope type would end up having that check here https://github.com/docker/distribution/blob/master/registry/client/auth/session.go#L158. However I compared this change to update from GET to POST which we did hide behind the interface to enforce backwards compatibility.
|
Code looks good. I am worried about not setting the |
|
LGTM |
|
Ping @vieux for merge. |
|
LGTM |
Add support for repository type pinning through authorization scope. This change sets the class in the authorization scope based on class of the repository. The repository info is updated to support setting a class which can be used by the registry client initialization.
Submitted early for design review, still blocked by upstream change distribution/distribution#2067. May be tested using registry built with that PR and the token server in distribution contrib.