mirror of
https://github.com/distribution/distribution.git
synced 2025-09-07 01:41:02 +00:00
Enable configuration of index dependency validation
Enable configuration options that can selectively disable validation that dependencies exist within the registry before the image index is uploaded.

This enables sparse indexes, where a registry holds a manifest index that could be signed (so the digest must not change) but does not hold every referenced image in the index. The use case for this is when a registry mirror does not need to mirror all platforms, but does need to maintain the digests of all manifests either because they are signed or because they are pulled by digest.

The registry administrator can also select specific image architectures that must exist in the registry, enabling a registry operator to select only the platforms they care about and ensure all image indexes uploaded to the registry are valid for those platforms.

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
@@ -288,6 +288,11 @@ validation:
|
||||
- ^https?://([^/]+\.)*example\.com/
|
||||
deny:
|
||||
- ^https?://www\.example\.com/
|
||||
indexes:
|
||||
platforms: List
|
||||
platformlist:
|
||||
- architecture: amd64
|
||||
os: linux
|
||||
```
|
||||
|
||||
In some instances a configuration option is **optional** but it contains child
|
||||
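Review bot: In the `indexes` block added to the full configuration example, `platforms: List` is capitalised, while the reference section added later in this patch documents the values as `[all|none|list]` in lower case. Use `platforms: list` here, or state in the reference text that the value is matched case-insensitively, so that operators copying the example get the mode they expect.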
@@ -1160,14 +1165,14 @@ username (such as `batman`) and the password for that username.
|
||||
|
||||
```yaml
|
||||
validation:
|
||||
manifests:
|
||||
urls:
|
||||
allow:
|
||||
- ^https?://([^/]+\.)*example\.com/
|
||||
deny:
|
||||
- ^https?://www\.example\.com/
|
||||
disabled: false
|
||||
```
|
||||
|
||||
Use these settings to configure what validation the registry performs on content.
|
||||
|
||||
Validation is performed when content is uploaded to the registry. Changing these
|
||||
settings will not validate content that has already been accepting into the registry.
|
||||
|
||||
### `disabled`
|
||||
|
||||
The `disabled` flag disables the other options in the `validation`
|
||||
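Review bot: Typo in the paragraph under the `validation` example: "content that has already been accepting into the registry" should read "accepted". That sentence tells operators that changing these settings does not re-check content already stored, so the wording should be exact.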
@@ -1180,6 +1185,16 @@ Use the `manifests` subsection to configure validation of manifests. If
|
||||
|
||||
#### `urls`
|
||||
|
||||
```yaml
|
||||
validation:
|
||||
manifests:
|
||||
urls:
|
||||
allow:
|
||||
- ^https?://([^/]+\.)*example\.com/
|
||||
deny:
|
||||
- ^https?://www\.example\.com/
|
||||
```
|
||||
|
||||
The `allow` and `deny` options are each a list of
|
||||
[regular expressions](https://pkg.go.dev/regexp/syntax) that restrict the URLs in
|
||||
pushed manifests.
|
||||
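Review bot: The `urls` example needs a sentence saying what it demonstrates: `https://www.example.com/` matches both the `allow` pattern `^https?://([^/]+\.)*example\.com/` and the `deny` pattern `^https?://www\.example\.com/`, and under the rule that follows (a URL must match an `allow` expression and no `deny` expression) a manifest containing it is rejected. Without that sentence the overlap between the two patterns reads like a mistake instead of an illustration of `deny` taking precedence.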
@@ -1193,6 +1208,54 @@ one of the `allow` regular expressions **and** one of the following holds:
|
||||
2. `deny` is set but no URLs within the manifest match any of the `deny` regular
|
||||
expressions.
|
||||
|
||||
#### `indexes`
|
||||
|
||||
By default the registry will validate that all platform images exist when an image
|
||||
index is uploaded to the registry. Disabling this validatation is experimental
|
||||
because other tooling that uses the registry may expect the image index to be complete.
|
||||
|
||||
validation:
|
||||
manifests:
|
||||
indexes:
|
||||
platforms: [all|none|list]
|
||||
platformlist:
|
||||
- os: linux
|
||||
architecture: amd64
|
||||
|
||||
Use these settings to configure what validation the registry performs on image
|
||||
index manifests uploaded to the registry.
|
||||
|
||||
##### `platforms`
|
||||
|
||||
Set `platformexist` to `all` (the default) to validate all platform images exist.
|
||||
The registry will validate that the images referenced by the index exist in the
|
||||
registry before accepting the image index.
|
||||
|
||||
Set `platforms` to `none` to disable all validation that images exist when an
|
||||
image index manifest is uploaded. This allows image lists to be uploaded to the
|
||||
registry without their associated images. This setting is experimental because
|
||||
other tooling that uses the registry may expect the image index to be complete.
|
||||
|
||||
Set `platforms` to `list` to selectively validate the existence of platforms
|
||||
within image index manifests. This setting is experimental because other tooling
|
||||
that uses the registry may expect the image index to be complete.
|
||||
|
||||
##### `platformlist`
|
||||
|
||||
When `platforms` is set to `list`, set `platformlist` to an array of
|
||||
platforms to validate. If a platform is included in this the array and in the images
|
||||
contained within an index, the registry will validate that the platform specific image
|
||||
exists in the registry before accepting the index. The registry will not validate the
|
||||
existence of platform specific images in the index that do not appear in the
|
||||
`platformlist` array.
|
||||
|
||||
This parameter does not validate that the configured platforms are included in every
|
||||
index. If an image index does not include one of the platform specific images configured
|
||||
in the `platformlist` array, it may still be accepted by the registry.
|
||||
|
||||
Each platform is a map with two keys, `os` and `architecture`, as defined in the
|
||||
[OCI Image Index specification](https://github.com/opencontainers/image-spec/blob/main/image-index.md#image-index-property-descriptions).
|
||||
|
||||
## Example: Development configuration
|
||||
|
||||
You can use this simple example for local development:
|
||||
|
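Review bot: In the `platforms` subsection the first paragraph says "Set `platformexist` to `all`", but the key in the example above it and in the next two paragraphs is `platforms`; rename it so the text matches the documented key. In the same hunk, the `validation:` example under `indexes` is not wrapped in a yaml code fence, unlike the `urls` example, so its indentation will not survive rendering. Two typos also need fixing: "validatation" in the `indexes` introduction and "in this the array" in the `platformlist` description.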