the env variable name was wrong and we were showing the full env
variable and not the cipher where the validation fails.
this also replaces string.Split with strings.SplitSeq.
docker distribution expects REGISTRY_HTTP_TLS_CIPHERSUITES as a json
array (e.g., '["a", "b"]'), while openshift image registry expects
comma-separated values (e.g., 'a,b'). setting this variable in the
openshift format causes the registry to crash during config parsing.
this change replaces REGISTRY_HTTP_TLS_CIPHERSUITES with
OPENSHIFT_REGISTRY_HTTP_TLS_CIPHERSUITES to use the comma-separated
format. Since the registry cannot start with the old variable set
incorrectly, there is no backward compatibility concern.
to help customers detect and solve errors, we specifically report
metrics on a few filesystem specific errors.
we have seen customers configure the registry with a read-only
filesystem without noticing until it's too late. more specifically, when
using the registry only as a pull-through cache, a read-only filesystem
will be imperceptible to clients unless the upstream registry
experiences an outage, then it'll be too late to fix the cache.
the file too large (EFBIG) and device out of space (ENOSPC) errors were
added just in case. there have not been (so far) reports of customers
silently running into these errors on their PVCs.
With AUTH-509 the ability for the unauthenticated group to do
selfsubjectaccessreviews (ssar) has been removed. In case that the ssar
fails, we attempt a subjectaccessreview for system:anonymous or the
system:unauthenticated group.
distribution/distribution#3683 made the router global.
this broke all our pullthrough tests.
since TestBlobDescriptorServiceIsApplied was the only one using the
router it was easier to remove that from our code than to introduce the
router host call to every failing test.
to support manifest lists and oci image indexes, push by digest support
is required.
when a client pushes a manifest list, they will first push each
sub-manifest and its blobs, then finally push the manifest list.
a connection between an image and an image stream is represented via
image stream tags. an image which represents a sub-manifest of a
manifest list is however not directly connected to an image stream, and
it doesn't have an image stream tag.
because of this lack of image stream tag for images representing
sub-manifests of a manifest list, the registry needs to perform a
different action when faced with a push by digest. instead of creating
an image stream mapping between the image stream and the image, it will
simply create an image object for the sub-manifest.