Commit Graph

1923 Commits

Author SHA1 Message Date
Milos Gajdos
979a07472e fix(registry/handlers/app): redis CAs (#4668) 2025-09-03 07:06:09 -07:00
Andy Castille
0fb77d6a75 Fix broken link to Docker Hub fair use policy
Signed-off-by: Andy Castille <me@andycc.dev>
2025-08-13 12:23:30 -07:00
Milos Gajdos
0966daece7 docs: Add OpenTelemetry links to quickstart docs (#4270) (#4640) 2025-08-11 14:25:47 +01:00
Shan Desai
b39441b1e6 Fix markdown syntax for OTEL traces link in docs
Square brackets and the respective parentheses for a markdown link were falsely typed in, causing readability issues. This commit fixes the markdown syntax for the same.

Signed-off-by: Shan Desai <shantanoo.desai@gmail.com>
2025-07-22 12:28:31 +02:00
Pat Riehecky
68cd681bad docs: Add note about OTEL_TRACES_EXPORTER
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2025-07-09 10:42:32 -05:00
ChandonPierre
02b1f6e3af fix(registry/handlers/app): redis CAs
`configureRedis` currently sets `RequireAndVerifyClientCert` and `ClientCAs`, however these are server side mTLS configurations, and do not apply for the client initiating the handshake.

Since we never actually set client side `RootCAs`, connecting to Redis with a self-signed CA results in:

```
"error": "tls: failed to verify certificate: x509: certificate signed by unknown authority",
```
Fixed by switching Redis TLS config to use `RootCAs` instead, and updating configuration accordingly.

Signed-off-by: ChandonPierre <cpierre@coreweave.com>
2025-07-05 15:25:17 -04:00
Dane Wagner
e629f88670 docs: Add OpenTelemetry links to quickstart docs (#4270)
Signed-off-by: Dane Wagner <dane.wagner@gmail.com>
2025-05-23 12:02:47 -05:00
Anže Luzar
c460aa63e1 fix: Annotate code block from validation.indexes docs
Signed-off-by: Anže Luzar <aluzarwork@gmail.com>
2025-04-28 13:23:56 +02:00
Youfu Zhang
4aab88fede fix: implement JWK thumbprint for Ed25519 public keys
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
2025-04-23 13:30:18 +08:00
Lucas Melchior
ea6ab3652c fix newClient in azure storage provider
it can now return a client using default azure credentials
updated docs to include information on Azure Workload Identity

Signed-off-by: Lucas Melchior <lucasmelchior@flywheel.io>

fix anchor link in docs

Signed-off-by: Lucas Melchior <lucasmelchior@flywheel.io>
2025-04-08 10:22:34 -05:00
Milos Gajdos
dbca4995c8 docs: Update to refer to new image tag v3 (#4373) 2025-04-03 12:04:00 -07:00
Milos Gajdos
ebd20d3be7 Azure driver retry fix (#4576) 2025-03-14 10:20:25 -07:00
Milos Gajdos
2ffa1171c2 Azure driver fix
* Make copy poll max retry, a global driver max retry
* Get support for etags in Azure
* Fix storage driver tests
* Fix auth mess and update docs
* Refactor Azure client and enable Azure storage tests

We use Azurite for integration testing which requires TLS,
so we had to figure out how to skip TLS verification when running tests locally:
this required updating testsuites Driver and constructor due to TestRedirectURL
sending GET and HEAD requests to remote storage which in this case is Azurite.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2025-03-14 10:03:09 -07:00
andy-cooper
6599be4fe9 Update com.docker.registry.plist
Add missing "serve" parameter

Signed-off-by: andy-cooper <andrew.john.cooper@gmail.com>
2025-03-08 21:35:10 -05:00
andy-cooper
bb0253d1df Update osx-setup-guide.md
Incorrect directories fixed. Added explanation for ensuring port 5000 is available or changing it. There will be a subsequent fix to the plist file.

Signed-off-by: andy-cooper <andrew.john.cooper@gmail.com>
2025-03-08 19:19:51 -05:00
Rafael Fonseca
2a491b35dd docs/garbage-collection: document --delete-untagged and --quiet options
Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>
2025-02-03 17:36:20 +01:00
vitshev
916bdeae94 feat(configuration): support mtls auth mod
Signed-off-by: vitshev <vitshev@tracto.ai>
2024-12-16 20:43:20 +01:00
Victor Barbu
1d104a9399 [docs] Explain how to configure a list through env variables
Signed-off-by: Victor Barbu <git.zqk3n@vicb.cc>
2024-12-03 19:08:23 +02:00
Milos Gajdos
f7236ab041 feat: support custom exec-based credential helper in proxy mode (#4438) 2024-11-05 11:48:33 +00:00
Milos Gajdos
099201adde fix(registry/storage/driver/s3-aws): use a consistent multipart chunk size (#4424) 2024-11-05 11:39:43 +00:00
David Karlsson
da2f24e205 docs: update hugo and theme versions
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2024-10-31 10:03:17 +01:00
Thomas Way
5ee5aaa058 fix(registry/storage/driver/s3-aws): use a consistent multipart chunk size
Some S3 compatible object storage systems like R2 require that all
multipart chunks are the same size. This was mostly true before, except
the final chunk was larger than the requested chunk size which causes
uploads to fail.

In addition, the two byte slices have been replaced with a single
*bytes.Buffer and the surrounding code simplified significantly.

Fixes: #3873

Signed-off-by: Thomas Way <thomas@6f.io>
2024-10-30 21:46:36 +00:00
Benjamin Schanzel
7b3e6d50e9 docs: Update to refer to new image tag v3
This updates references to the registry image tag from `:2` to `:3`.

Fixes #4356

Signed-off-by: Benjamin Schanzel <benjamin.schanzel@bmw.de>
2024-10-21 09:55:17 +02:00
Pratik
5e59a64896 fix existing doc first
Signed-off-by: Pratik <pratikgparikh@gmail.com>
2024-10-08 22:06:38 +05:30
João Pereira
0bfa293eea docs: removed description of ELB as an example of an not sophisticated Load Balancer (#4476) 2024-10-03 13:20:44 +01:00
tomoya-kawaguchi
fdb5abb940 docs: removed description of ELB as an example of an not sophisticated Load Balancer
Signed-off-by: tomoya-kawaguchi <yamo7yamoto@gmail.com>
2024-10-03 09:00:15 +09:00
Jose D. Gomez R
b53946ded3 fix: Add the token's rootcert public key to the list of known keys
- Add Unit tests for `token.newAccessController`
  + Implemented swappable implementations for `token.getRootCerts` and
    `getJwks` to unit test their behavior over the accessController
    struct.

- Use RFC7638 [0] mechanics to compute the KeyID of the rootcertbundle
  provided in the token auth config.

- Extends token authentication docs:
  + Extend `jwt.md` write up on JWT headers & JWT Validation
  + Updated old reference to a draft that's now RFC7515.
  + Extended the JWT validation steps with the JWT Header validation.
  + Reference `jwt.md` in `token.md`

[0]: https://datatracker.ietf.org/doc/html/rfc7638#autoid-13

Signed-off-by: Jose D. Gomez R <jose.gomez@suse.com>
2024-10-02 11:58:41 +02:00
Mikhail f. Shiryaev
63cfb18729 Add a note regarding redirects to pre-signed URLs
Signed-off-by: Mikhail f. Shiryaev <mr.felixoid@gmail.com>
2024-09-19 18:23:56 +02:00
Tibor
38553eaaf8 chang docker-compose to docker compose
Signed-off-by: Tibor <tiborcasteleijn@gmail.com>
2024-09-07 11:47:59 +02:00
Tibor
49fad51775 chang docker-compose to docker compose
Signed-off-by: Tibor <tiborcasteleijn@gmail.com>
2024-09-07 11:47:11 +02:00
Tibor
e41848cc97 chang docker-compose to docker compose
Signed-off-by: Tibor <tiborcasteleijn@gmail.com>
2024-09-07 11:46:28 +02:00
Tibor
4615d302df Remove deprecated version field
https://www.docker.com/blog/new-docker-compose-v2-and-v1-deprecation/

Signed-off-by: Tibor <tiborcasteleijn@gmail.com>
2024-09-06 09:23:05 +02:00
Chun-Hung Hsiao
eed9400d26 feat: support custom exec-based credential helper in proxy mode
This change allows users to run the registry as a pull-through cache
that can use a credential helper to authenticate against the upstream
registry.

Signed-off-by: Chun-Hung Hsiao <chhsiao@google.com>
2024-08-16 19:42:51 -07:00
Milos Gajdos
d3cc664fa2 Update docs: JWKS credentials and AZ identity
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-07-06 10:13:29 +01:00
Milos Gajdos
4dd0ac977e feat: implement 'rewrite' storage middleware (#4146) 2024-07-04 16:16:29 +01:00
Milos Gajdos
306f4ff71e Replace custom Redis config struct with go-redis UniversalOptions (adds sentinel & cluster support) (#4306) 2024-07-04 16:00:37 +01:00
Andrey Smirnov
558ace1391 feat: implement 'rewrite' storage middleware
This allows rewriting 'URLFor' of the storage driver to use a specific
host/trim the base path.

It is different from the 'redirect' middleware, as it still calls the
storage driver URLFor.

For example, with Azure storage provider, this allows to transform the
SAS Azure Blob Storage URL into the URL compatible with Azure Front
Door.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-07-04 18:49:25 +04:00
Milos Gajdos
6d5911900a Update Redis configuration docs with TLS options
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-07-04 15:44:41 +01:00
Milos Gajdos
3a8499541a docs: disable base element override (#4391) 2024-07-04 09:00:57 +01:00
Mahmoud Kandil
43a64480ef Update dockerhub.md
Signed-off-by: Mahmoud Kandil <47168819+MahmoudKKandil@users.noreply.github.com>
2024-07-01 13:53:43 +03:00
David Karlsson
f36b44ff73 docs: disable base element override
Setting the HTML <base> element causes page-internal links to point to
the root of the website, rather than local anchors on the same page.

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2024-07-01 10:07:44 +02:00
Anders Ingemann
b63cbb3318 Replace custom Redis config struct with go-redis UniversalOptions
Huge help from @milosgajdos who figured out how to do the entire
marshalling/unmarshalling for the configs

Signed-off-by: Anders Ingemann <aim@orbit.online>
2024-06-14 10:31:09 +02:00
Milos Gajdos
e1ec19ae60 New path for distribution config (#4365) 2024-06-11 12:19:40 +01:00
Milos Gajdos
675d7e27f5 feature: Bump go-jose and require signing algorithms in auth (#4349) 2024-05-30 20:54:20 +01:00
Milos Gajdos
52d68216c0 feature: Bump go-jose and require signing algorithms in auth
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00
Milos Gajdos
975613d4a0 New path for distribution config
The original path was referencing a docker directory which no longer
makes much sense.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-29 22:05:22 +01:00
James Hewitt
c40c4b289a Enable configuration of index dependency validation
Enable configuration options that can selectively disable validation
that dependencies exist within the registry before the image index
is uploaded.

This enables sparse indexes, where a registry holds a manifest index that
could be signed (so the digest must not change) but does not hold every
referenced image in the index. The use case for this is when a registry
mirror does not need to mirror all platforms, but does need to maintain
the digests of all manifests either because they are signed or because
they are pulled by digest.

The registry administrator can also select specific image architectures
that must exist in the registry, enabling a registry operator to select
only the platforms they care about and ensure all image indexes uploaded
to the registry are valid for those platforms.

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
2024-05-28 09:56:14 +01:00
Emmanuel Ferdman
119c608fad docs: update location of filesystem.md
Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
2024-05-16 15:43:41 +03:00
Milos Gajdos
c49220d492 Fix #2902: ‘autoRedirect’ hardcode ‘https’ scheme (#2903) 2024-05-04 15:32:25 +01:00
Liang Zheng
a2afe23f38 add concurrency limits for tag lookup and untag
Harbor is using the distribution for its (harbor-registry) registry component.
The harbor GC will call into the registry to delete the manifest, which in turn
then does a lookup for all tags that reference the deleted manifest.
To find the tag references, the registry will iterate every tag in the repository
and read its link file to check if it matches the deleted manifest (i.e. to see
if it uses the same sha256 digest). So, the more tags in repository, the worse the
performance will be (as there will be more s3 API calls occurring for the tag
directory lookups and tag file reads).

Therefore, we can use concurrent lookup and untag to optimize performance as described in https://github.com/goharbor/harbor/issues/12948.

P.S. This optimization was originally contributed by @Antiarchitect, now I would like to take it over.
Thanks @Antiarchitect's efforts with PR https://github.com/distribution/distribution/pull/3890.

Signed-off-by: Liang Zheng <zhengliang0901@gmail.com>
2024-04-26 22:32:21 +08:00