PR #4353 made MaxTags (default 1000) a hard ceiling on the `n` query
parameter — anything larger and the handler returns 400
PAGINATION_NUMBER_INVALID before the request ever reaches storage or
the proxy tag service. That broke clients like Renovate which use
n=10000 against pull-through caches. #4846 fixed a related 500 in
proxy mode but not this 400, so users reported the regression still
persisted.
The OCI distribution-spec describes pagination differently: a server
MAY return fewer than `n` results "when the total number of tags
attached to the repository is less than <int> or a Link header is
provided" — otherwise it MUST include `<int>` results. In other
words, the right answer for "client asked for more than we'll serve"
is `maxtags` results plus a Link header, not a rejection.
PAGINATION_NUMBER_INVALID isn't among the 14 error codes the spec
defines, either.
Drop the oversized-n rejection and clamp to MaxTags instead; the
existing Link-header path already handles continuation correctly.
Malformed (non-integer) and negative `n` values keep returning 400,
since the spec defines `n` as a non-negative integer and those
requests are genuinely invalid.
Verified end-to-end against registry-1.docker.io in proxy mode:
n=10000 now returns the tag list (or a clamped page with Link)
instead of 400. Also restores pre-3.1.0 behavior for Renovate-style
clients without needing proxy-specific logic.
Spec reference:
https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-tags
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
Updated TLS configuration parameters to indicate that 'certificate' and 'key' are optional for mTLS. Added notes and examples for server-side TLS and mutual TLS.
Signed-off-by: Omar Trigui <omar.trigui.tn@gmail.com>
The newIgnoredSink function had a bug where it would return the
unfiltered sink when the mediatypes list was empty, even if
ignoreActions was populated. This made it impossible to filter
events by action alone.
This fix changes the early return condition to check both parameters:
- Only returns unfiltered sink when BOTH are empty
- Allows filtering by actions alone
- Allows filtering by mediatypes alone
- Maintains existing OR logic when both are specified
Added test cases specifically for the edge case of empty mediatypes
with populated actions list.
Updated documentation to clarify how the filtering works and that
the two parameters work independently.
Fixes: #4729
Signed-off-by: Adrian Callejas <acallejaszu@gmail.com>
square brackets and the respective parentheses for a markdown link were falsely typed in causing readability issues. This commit fixes the markdown syntax for the same
Signed-off-by: Shan Desai <shantanoo.desai@gmail.com>
`configureRedis` currently sets `RequireAndVerifyClientCert` and `ClientCAs`, however these are server side mTLS configurations, and do not apply for the client initiating the handshake.
Since we never actually set client side `RootCAs`, connecting to Redis with a self-signed CA results in:
```
"error": "tls: failed to verify certificate: x509: certificate signed by unknown authority",
```
Fixed by switching Redis TLS config to use `RootCAs` instead, and updating configuration accordingly.
Signed-off-by: ChandonPierre <cpierre@coreweave.com>
Summary:
We see from the code and code comment in proxyblobstore.go that:
"If the blob has been serving in other requests. Will return the blob from the
remote store directly". That means concurrent pulls will pull from remote
multiple times.
Signed-off-by: Sam Jia <yiyunj@twitter.com>
it can now return a client using default azure credentials
updated docs to include information on Azure Workload Identity
Signed-off-by: Lucas Melchior <lucasmelchior@flywheel.io>
fix anchor link in docs
Signed-off-by: Lucas Melchior <lucasmelchior@flywheel.io>
* Make copy poll max retry, a global driver max retry
* Get support for etags in Azure
* Fix storage driver tests
* Fix auth mess and update docs
* Refactor Azure client and enable Azure storage tests
We use Azurite for integration testing which requires TLS,
so we had to figure out how to skip TLS verification when running tests locally:
this required updating testsuites Driver and constructor due to TestRedirectURL
sending GET and HEAD requests to remote storage which in this case is Azurite.
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
Incorrect directories fixed. Added explanation for ensuring port 5000 is available or changing it. There will be a subsequent fix to the plist file.
Signed-off-by: andy-cooper <andrew.john.cooper@gmail.com>
Some S3 compatible object storage systems like R2 require that all
multipart chunks are the same size. This was mostly true before, except
the final chunk was larger than the requested chunk size which causes
uploads to fail.
In addition, the two byte slices have been replaced with a single
*bytes.Buffer and the surrounding code simplified significantly.
Fixes: #3873
Signed-off-by: Thomas Way <thomas@6f.io>
- Add Unit tests for `token.newAccessController`
+ Implemented swappable implementations for `token.getRootCerts` and
`getJwks` to unit test their behavior over the accessController
struct.
- Use RFC7638 [0] mechanics to compute the KeyID of the rootcertbundle
provided in the token auth config.
- Extends token authentication docs:
+ Extend `jwt.md` write up on JWT headers & JWT Validation
+ Updated old reference to a draft that's now RFC7515.
+ Extended the JWT validation steps with the JWT Header validation.
+ Reference `jwt.md` in `token.md`
[0]: https://datatracker.ietf.org/doc/html/rfc7638#autoid-13
Signed-off-by: Jose D. Gomez R <jose.gomez@suse.com>