`configureRedis` currently sets `RequireAndVerifyClientCert` and `ClientCAs`, however these are server side mTLS configurations, and do not apply for the client initiating the handshake.
Since we never actually set client side `RootCAs`, connecting to Redis with a self-signed CA results in:
```
"error": "tls: failed to verify certificate: x509: certificate signed by unknown authority",
```
Fixed by switching Redis TLS config to use `RootCAs` instead, and updating configuration accordingly.
Signed-off-by: ChandonPierre <cpierre@coreweave.com>
When building for 386, we got the following build error:
registry/storage/driver/s3-aws/s3.go:312:99: cannot use
maxChunkSize (untyped int constant 5368709120) as int value
in argument to getParameterAsInteger (overflows)
This is because the s3_64bit.go is used. Adjust the build tag matching
in s3_32bit.go and s3_64bit.go to fix this issue.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
**Explanation:**
1. **Temporary File Creation:** The content is first written to a temporary file (appending `.tmp` to the original path). This ensures that the original file remains intact until the write is complete.
2. **Write to Temporary File:** Using the existing `Writer` with truncation (`false`), the content is written to the temporary file. If the write fails, the temporary file is closed and deleted.
3. **Commit and Rename:** After successfully writing to the temporary file, it is committed. Then, the temporary file is atomically renamed to the target path using `Move`, which is handled by the filesystem's rename operation (atomic on most systems).
4. **Cleanup on Failure:** If any step fails, the temporary file is cleaned up to avoid leaving orphaned files.
Signed-off-by: Oded Porat <onporat@gmail.com>
To address the issue where a failed write operation results in an empty file, we can use a temporary file for non-append writes. This ensures that the original file is only replaced once the new content is fully written and committed.
**Key Changes:**
1. **Temporary File Handling:**
- For non-append writes, a temporary file is created in the same directory as the target file.
- All write operations are performed on the temporary file first.
2. **Atomic Commit:**
- The temporary file is only renamed to the target path during `Commit()`, ensuring atomic replacement.
- If `Commit()` fails, the temporary file is cleaned up.
3. **Error Handling:**
- `Cancel()` properly removes temporary files if the operation is aborted.
- `Close()` is made idempotent to handle multiple calls safely.
4. **Data Integrity:**
- Directory sync after rename ensures metadata persistence.
- Proper file flushing and syncing before rename operations.
Signed-off-by: Oded Porat <onporat@gmail.com>
it can now return a client using default azure credentials
updated docs to include information on Azure Workload Identity
Signed-off-by: Lucas Melchior <lucasmelchior@flywheel.io>
fix anchor link in docs
Signed-off-by: Lucas Melchior <lucasmelchior@flywheel.io>
Unfortunately YAML struck us hard in this one.
It interprets "off" as a truthy value so setting loglevel to off sets it
to false.
This commit makes sure we set the loglevel to off if the param is
marshalled into false and if it's not a string.
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
* Make copy poll max retry, a global driver max retry
* Get support for etags in Azure
* Fix storage driver tests
* Fix auth mess and update docs
* Refactor Azure client and enable Azure storage tests
We use Azurite for integration testing which requires TLS,
so we had to figure out how to skip TLS verification when running tests locally:
this required updating testsuites Driver and constructor due to TestRedirectURL
sending GET and HEAD requests to remote storage which in this case is Azurite.
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
Apparently you can upload 0-size content wihtout GCS reportin any errors
back to you.
This is something a lot of our users experienced and reported. See here
for at least one example:
github.com/distribution/distribution/issues/3018
This sets tbe MD5 sum on the uploaded content which should rectify
things according to the docs:
https://pkg.go.dev/cloud.google.com/go/storage#ObjectAttrs
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
When a JWT contains a JWK header without a certificate chain,
the original code only checked if the KeyID (kid) matches one of the trusted keys,
but doesn't verify that the actual key material matches.
As a result, if an attacker guesses the kid, they can inject an
untrusted key which would then be used to grant access to protected
data.
This fixes the issue such as only the trusted key is verified.
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
Some S3 compatible object storage systems like R2 require that all
multipart chunks are the same size. This was mostly true before, except
the final chunk was larger than the requested chunk size which causes
uploads to fail.
In addition, the two byte slices have been replaced with a single
*bytes.Buffer and the surrounding code simplified significantly.
Fixes: #3873
Signed-off-by: Thomas Way <thomas@6f.io>
when a directory is empty, the s3 api lists it with a trailing slash.
this causes the path to be appended twice to the walkInfo slice, causing
purge uploads path transformations to panic when the `_uploads` is
emtpy.
this adds a check for file paths ending on slash, and do not append
those as regular files to the walkInfo slice.
fixes#4358
Signed-off-by: Flavian Missi <fmissi@redhat.com>
- Add Unit tests for `token.newAccessController`
+ Implemented swappable implementations for `token.getRootCerts` and
`getJwks` to unit test their behavior over the accessController
struct.
- Use RFC7638 [0] mechanics to compute the KeyID of the rootcertbundle
provided in the token auth config.
- Extends token authentication docs:
+ Extend `jwt.md` write up on JWT headers & JWT Validation
+ Updated old reference to a draft that's now RFC7515.
+ Extended the JWT validation steps with the JWT Header validation.
+ Reference `jwt.md` in `token.md`
[0]: https://datatracker.ietf.org/doc/html/rfc7638#autoid-13
Signed-off-by: Jose D. Gomez R <jose.gomez@suse.com>
This test was using a hard-coded value for the size of the manifest,
which made it difficult to correlate the tested value with what it
was testing.
This patch updates populateRepo to return the actual size when
serialized, and updates manifestStoreTestEnv to include the
size to test for.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The latest golangci-lint spits out some govet issues.
This commit fixes them. We are also bumping the linter version.
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
This change allows users to run the registry as a pull-through cache
that can use a credential helper to authenticate against the upstream
registry.
Signed-off-by: Chun-Hung Hsiao <chhsiao@google.com>
