Commit Graph

54 Commits

Author SHA1 Message Date
Milos Gajdos
afd2bf0b23 fix(proxy): clamp oversized n query param instead of returning 400 (#4856) 2026-04-20 07:47:14 -07:00
Milos Gajdos
c6f552e5db fix(proxy): clamp oversized n query param instead of returning 400
PR #4353 made MaxTags (default 1000) a hard ceiling on the `n` query
parameter — anything larger and the handler returns 400
PAGINATION_NUMBER_INVALID before the request ever reaches storage or
the proxy tag service. That broke clients like Renovate which use
n=10000 against pull-through caches. #4846 fixed a related 500 in
proxy mode but not this 400, so users reported the regression still
persisted.

The OCI distribution-spec describes pagination differently: a server
MAY return fewer than `n` results "when the total number of tags
attached to the repository is less than <int> or a Link header is
provided" — otherwise it MUST include `<int>` results. In other
words, the right answer for "client asked for more than we'll serve"
is `maxtags` results plus a Link header, not a rejection.
PAGINATION_NUMBER_INVALID isn't among the 14 error codes the spec
defines, either.

Drop the oversized-n rejection and clamp to MaxTags instead; the
existing Link-header path already handles continuation correctly.
Malformed (non-integer) and negative `n` values keep returning 400,
since the spec defines `n` as a non-negative integer and those
requests are genuinely invalid.

Verified end-to-end against registry-1.docker.io in proxy mode:
n=10000 now returns the tag list (or a clamped page with Link)
instead of 400. Also restores pre-3.1.0 behavior for Renovate-style
clients without needing proxy-specific logic.

Spec reference:
https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-tags

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-18 16:53:53 -07:00
John de Graaff
3cf4463982 Update docker-compose structure in deploying.md
adding "services:" top-level key in docker-compose file example.

Signed-off-by: John de Graaff <john@de-graaff.net>
2026-04-17 15:15:52 +02:00
Milos Gajdos
2f2ce9fb6c Opt: refactor tag list pagination support (#4353) 2026-04-04 13:49:23 -07:00
njucjc
6a02a0e81d Opt: refactor tag list pagination support
Signed-off-by: njucjc <njucjc@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-04 22:04:37 +02:00
Omar Trigui
e74754839e Update Redis TLS configuration docs
Updated TLS configuration parameters to indicate that 'certificate' and 'key' are optional for mTLS. Added notes and examples for server-side TLS and mutual TLS.

Signed-off-by: Omar Trigui <omar.trigui.tn@gmail.com>
2026-01-24 00:31:02 +01:00
Milos Gajdos
ac541ed446 BUG: Fix notification filtering to work with actions when mediatypes is empty (#4730) 2026-01-20 06:24:43 -08:00
Raghav Mahajan
33dab3939e Expose useFIPSEndpoint for S3
Signed-off-by: Raghav Mahajan <rmahajan@palantir.com>
2026-01-07 21:01:26 +05:30
João Pereira
1796e65db9 Incorrect warning hint (#4708) 2025-12-13 08:52:46 +00:00
Dave Pedu
c7da31eb4a "should" -> "must" regarding redis eviction policy
Signed-off-by: Dave Pedu <dave@davepedu.com>
2025-11-20 16:14:46 -05:00
Adrian Callejas
ce3fa7fc36 Fix notification filtering to work with actions when mediatypes is empty
The newIgnoredSink function had a bug where it would return the
unfiltered sink when the mediatypes list was empty, even if
ignoreActions was populated. This made it impossible to filter
events by action alone.

This fix changes the early return condition to check both parameters:
- Only returns unfiltered sink when BOTH are empty
- Allows filtering by actions alone
- Allows filtering by mediatypes alone
- Maintains existing OR logic when both are specified

Added test cases specifically for the edge case of empty mediatypes
with populated actions list.

Updated documentation to clarify how the filtering works and that
the two parameters work independently.

Fixes: #4729

Signed-off-by: Adrian Callejas <acallejaszu@gmail.com>
2025-10-28 15:58:19 +01:00
nkaaf
b1c0fc5530 Incorrect warning hint
* Fix incorrect (old) warning hint

Signed-off-by: nkaaf <nkaaf@protonmail.com>
2025-10-04 00:42:14 +02:00
Milos Gajdos
979a07472e fix(registry/handlers/app): redis CAs (#4668) 2025-09-03 07:06:09 -07:00
Milos Gajdos
0966daece7 docs: Add OpenTelemetry links to quickstart docs (#4270) (#4640) 2025-08-11 14:25:47 +01:00
Shan Desai
b39441b1e6 Fix markdown syntax for OTEL traces link in docs
square brackets and the respective parentheses for a markdown link were falsely typed in causing readability issues.  This commit fixes the markdown syntax for the same

Signed-off-by: Shan Desai <shantanoo.desai@gmail.com>
2025-07-22 12:28:31 +02:00
Pat Riehecky
68cd681bad docs: Add note about OTEL_TRACES_EXPORTER
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2025-07-09 10:42:32 -05:00
ChandonPierre
02b1f6e3af fix(registry/handlers/app): redis CAs
`configureRedis` currently sets `RequireAndVerifyClientCert` and `ClientCAs`, however these are server side mTLS configurations, and do not apply for the client initiating the handshake.

Since we never actually set client side `RootCAs`, connecting to Redis with a self-signed CA results in:

```
"error": "tls: failed to verify certificate: x509: certificate signed by unknown authority",
```
Fixed by switching Redis TLS config to use `RootCAs` instead, and updating configuration accordingly.

Signed-off-by: ChandonPierre <cpierre@coreweave.com>
2025-07-05 15:25:17 -04:00
Dane Wagner
e629f88670 docs: Add OpenTelemetry links to quickstart docs (#4270)
Signed-off-by: Dane Wagner <dane.wagner@gmail.com>
2025-05-23 12:02:47 -05:00
Anže Luzar
c460aa63e1 fix: Annotate code block from validation.indexes docs
Signed-off-by: Anže Luzar <aluzarwork@gmail.com>
2025-04-28 13:23:56 +02:00
Youfu Zhang
4aab88fede fix: implement JWK thumbprint for Ed25519 public keys
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
2025-04-23 13:30:18 +08:00
Milos Gajdos
dbca4995c8 docs: Update to refer to new image tag v3 (#4373) 2025-04-03 12:04:00 -07:00
Milos Gajdos
2ffa1171c2 Azure driver fix
* Make copy poll max retry, a global driver max retry
* Get support for etags in Azure
* Fix storage driver tests
* Fix auth mess and update docs
* Refactor Azure client and enable Azure storage tests

We use Azurite for integration testing which requires TLS,
so we had to figure out how to skip TLS verification when running tests locally:
this required updating testsuites Driver and constructor due to TestRedirectURL
sending GET and HEAD requests to remote storage which in this case is Azurite.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2025-03-14 10:03:09 -07:00
Rafael Fonseca
2a491b35dd docs/garbage-collection: document --delete-untagged and --quiet options
Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>
2025-02-03 17:36:20 +01:00
vitshev
916bdeae94 feat(configuration): support mtls auth mod
Signed-off-by: vitshev <vitshev@tracto.ai>
2024-12-16 20:43:20 +01:00
Victor Barbu
1d104a9399 [docs] Explain how to configure a list through env variables
Signed-off-by: Victor Barbu <git.zqk3n@vicb.cc>
2024-12-03 19:08:23 +02:00
Milos Gajdos
f7236ab041 feat: support custom exec-based credential helper in proxy mode (#4438) 2024-11-05 11:48:33 +00:00
Benjamin Schanzel
7b3e6d50e9 docs: Update to refer to new image tag v3
This updates references to the registry image tag from `:2` to `:3`.

Fixes #4356

Signed-off-by: Benjamin Schanzel <benjamin.schanzel@bmw.de>
2024-10-21 09:55:17 +02:00
João Pereira
0bfa293eea docs: removed description of ELB as an example of an not sophisticated Load Balancer (#4476) 2024-10-03 13:20:44 +01:00
tomoya-kawaguchi
fdb5abb940 docs: removed description of ELB as an example of an not sophisticated Load Balancer
Signed-off-by: tomoya-kawaguchi <yamo7yamoto@gmail.com>
2024-10-03 09:00:15 +09:00
Jose D. Gomez R
b53946ded3 fix: Add the token's rootcert public key to the list of known keys
- Add Unit tests for `token.newAccessController`
  + Implemented swappable implementations for `token.getRootCerts` and
    `getJwks` to unit test their behavior over the accessController
    struct.

- Use RFC7638 [0] mechanics to compute the KeyID of the rootcertbundle
  provided in the token auth config.

- Extends token authentication docs:
  + Extend `jwt.md` write up on JWT headers & JWT Validation
  + Updated old reference to a draft that's now RFC7515.
  + Extended the JWT validation steps with the JWT Header validation.
  + Reference `jwt.md` in `token.md`

[0]: https://datatracker.ietf.org/doc/html/rfc7638#autoid-13

Signed-off-by: Jose D. Gomez R <jose.gomez@suse.com>
2024-10-02 11:58:41 +02:00
Tibor
e41848cc97 chang docker-compose to docker compose
Signed-off-by: Tibor <tiborcasteleijn@gmail.com>
2024-09-07 11:46:28 +02:00
Chun-Hung Hsiao
eed9400d26 feat: support custom exec-based credential helper in proxy mode
This change allows users to run the registry as a pull-through cache
that can use a credential helper to authenticate against the upstream
registry.

Signed-off-by: Chun-Hung Hsiao <chhsiao@google.com>
2024-08-16 19:42:51 -07:00
Milos Gajdos
d3cc664fa2 Update docs: JWKS credentials and AZ identity
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-07-06 10:13:29 +01:00
Milos Gajdos
306f4ff71e Replace custom Redis config struct with go-redis UniversalOptions (adds sentinel & cluster support) (#4306) 2024-07-04 16:00:37 +01:00
Milos Gajdos
6d5911900a Update Redis configuration docs with TLS options
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-07-04 15:44:41 +01:00
Anders Ingemann
b63cbb3318 Replace custom Redis config struct with go-redis UniversalOptions
Huge help from @milosgajdos who figured out how to do the entire
marshalling/unmarshalling for the configs

Signed-off-by: Anders Ingemann <aim@orbit.online>
2024-06-14 10:31:09 +02:00
Milos Gajdos
e1ec19ae60 New path for distribution config (#4365) 2024-06-11 12:19:40 +01:00
Milos Gajdos
675d7e27f5 feature: Bump go-jose and require signing algorithms in auth (#4349) 2024-05-30 20:54:20 +01:00
Milos Gajdos
52d68216c0 feature: Bump go-jose and require signing algorithms in auth
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00
Milos Gajdos
975613d4a0 New path for distribution config
The original path was referencing a docker directory which no longer
makes much sense.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-29 22:05:22 +01:00
James Hewitt
c40c4b289a Enable configuration of index dependency validation
Enable configuration options that can selectively disable validation
that dependencies exist within the registry before the image index
is uploaded.

This enables sparse indexes, where a registry holds a manifest index that
could be signed (so the digest must not change) but does not hold every
referenced image in the index. The use case for this is when a registry
mirror does not need to mirror all platforms, but does need to maintain
the digests of all manifests either because they are signed or because
they are pulled by digest.

The registry administrator can also select specific image architectures
that must exist in the registry, enabling a registry operator to select
only the platforms they care about and ensure all image indexes uploaded
to the registry are valid for those platforms.

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
2024-05-28 09:56:14 +01:00
Milos Gajdos
c49220d492 Fix #2902: ‘autoRedirect’ hardcode ‘https’ scheme (#2903) 2024-05-04 15:32:25 +01:00
Liang Zheng
a2afe23f38 add concurrency limits for tag lookup and untag
Harbor is using the distribution for it's (harbor-registry) registry component.
The harbor GC will call into the registry to delete the manifest, which in turn
then does a lookup for all tags that reference the deleted manifest.
To find the tag references, the registry will iterate every tag in the repository
and read it's link file to check if it matches the deleted manifest (i.e. to see
if uses the same sha256 digest). So, the more tags in repository, the worse the
performance will be (as there will be more s3 API calls occurring for the tag
directory lookups and tag file reads).

Therefore, we can use concurrent lookup and untag to optimize performance as described in https://github.com/goharbor/harbor/issues/12948.

P.S. This optimization was originally contributed by @Antiarchitect, now I would like to take it over.
Thanks @Antiarchitect's efforts with PR https://github.com/distribution/distribution/pull/3890.

Signed-off-by: Liang Zheng <zhengliang0901@gmail.com>
2024-04-26 22:32:21 +08:00
icefed
63eb22d74b Fix: ‘autoRedirect’ hardcode ‘https’ scheme
Signed-off-by: icefed <zlwangel@gmail.com>
2024-03-05 20:50:09 +08:00
Chad Faragher
1c3d44eccd Update notifications.md
_setup_ is a noun , _set up_ is the verb.

Signed-off-by: Chad Faragher <wyckster@hotmail.com>
2024-02-28 13:32:59 -05:00
erezrokah
11f50c034e feat: Add HTTP2 for unencrypted HTTP
Signed-off-by: erezrokah <erezrokah@users.noreply.github.com>
2024-01-17 20:59:02 +00:00
David Karlsson
5e75227fb2 docs: fix broken links and improve link resolution
Update the formatting of links and add a Markdown render hook for
handling relative internal links. Cross-references between markdown
files are now resolved the same way in both GitHub and Hugo.

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2024-01-14 21:33:55 +01:00
Milos Gajdos
daf3d00a32 Add prometheus proxy related metrics (#4047) 2023-10-26 16:11:10 +01:00
David Karlsson
57a6fa46b2 docs: fix broken image references
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2023-10-26 13:03:53 +02:00
Dimitar Kostadinov
9861a46d99 Add prometheus proxy related metrics
Signed-off-by: Dimitar Kostadinov <dimitar.kostadinov@sap.com>
2023-10-23 19:59:22 +03:00