Documentation
Overview
Package server wraps the repository and blob store objects of the docker/distribution upstream. Most significantly, the wrappers cause manifests to be stored in OpenShift's etcd store instead of the registry's storage. The registry's middleware API is used to register the object factories.
The module with quotaRestrictedBlobStore defines a wrapper for the upstream blob store that performs an image quota and limits check before committing an image layer to the registry. The master server contains an admission check that refuses the manifest if the image exceeds a quota or limit that is set, but that check occurs too late (after the layers are written). This addition allows us to refuse the layers and thus keep the storage clean.
*Note*: Here, we take into account just a single layer, not the image as a whole, because the layers are uploaded before the manifest. As a result, several layers can be written before a layer big enough to exceed the limit is received.
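The gap described in the note, as an added sketch that is not code from this package: a wrapper checks each layer on its own before committing it, and the whole-image check only runs once the manifest arrives. The names `memStore`, `quotaStore`, `push` and `errLimitExceeded` are hypothetical, and the model assumes a single size limit in bytes applied both per layer and per image.

```go
package main

import "errors"
import "fmt"

// errLimitExceeded is a hypothetical error for this sketch, not one exported by the package.
var errLimitExceeded = errors.New("layer exceeds image size limit")

// memStore stands in for the upstream blob store; it only counts committed bytes.
type memStore struct{ written int64 }

func (s *memStore) Commit(size int64) error { s.written += size; return nil }

// quotaStore wraps memStore and checks every layer in isolation before committing it.
type quotaStore struct {
	inner *memStore
	limit int64
}

func (q *quotaStore) Commit(size int64) error {
	if size > q.limit {
		return errLimitExceeded // refused before anything reaches storage
	}
	return q.inner.Commit(size)
}

// push uploads the layers in order, then applies the whole-image admission check
// that the manifest is subject to. It returns the bytes left in storage.
func push(layers []int64, limit int64) (written int64, manifestOK bool, err error) {
	store := &quotaStore{inner: &memStore{}, limit: limit}
	var total int64
	for _, l := range layers {
		if err = store.Commit(l); err != nil {
			return store.inner.written, false, err
		}
		total += l
	}
	return store.inner.written, total <= limit, nil
}

func main() {
	const mib = 1 << 20
	// Constructed sample pushes against a 100 MiB limit.
	for _, layers := range [][]int64{{40 * mib, 40 * mib, 40 * mib}, {40 * mib, 150 * mib, 40 * mib}} {
		w, ok, err := push(layers, 100*mib)
		fmt.Printf("written=%dMiB manifestAccepted=%v err=%v\n", w/mib, ok, err)
	}
}
```

In the first push every layer passes the per-layer check, so 120 MiB is written before the manifest is refused; in the second, the oversized layer is refused at upload time and only the earlier 40 MiB layer has been stored.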
Constants
const (
	// DockerRegistryURLEnvVar is a mandatory environment variable name specifying url of internal docker
	// registry. All references to pushed images will be prefixed with its value.
	DockerRegistryURLEnvVar = "DOCKER_REGISTRY_URL"

	// EnforceQuotaEnvVar is a boolean environment variable that allows to turn quota enforcement on or off.
	// By default, quota enforcement is off. It overrides openshift middleware configuration option.
	// Recognized values are "true" and "false".
	EnforceQuotaEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA"

	// ProjectCacheTTLEnvVar is an environment variable specifying an eviction timeout for project quota
	// objects. It takes a valid time duration string (e.g. "2m"). If empty, you get the default timeout. If
	// zero (e.g. "0m"), caching is disabled.
	ProjectCacheTTLEnvVar = "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_PROJECTCACHETTL"
)
Variables
var (
	// Challenging errors
	ErrTokenRequired          = errors.New("authorization header with basic token required")
	ErrTokenInvalid           = errors.New("failed to decode basic token")
	ErrOpenShiftTokenRequired = errors.New("expected bearer token as password for basic token to registry")
	ErrOpenShiftAccessDenied  = errors.New("access denied")

	// Non-challenging errors
	ErrNamespaceRequired   = errors.New("repository namespace required")
	ErrUnsupportedAction   = errors.New("unsupported action")
	ErrUnsupportedResource = errors.New("unsupported resource")
)
Errors used and exported by this package.
var DefaultRegistryClient = NewRegistryClient(clientcmd.NewConfig().BindToFile())
DefaultRegistryClient is exposed for testing the registry with fake client.
Functions
func BlobDispatcher
BlobDispatcher takes the request context and builds the appropriate handler for handling blob requests.
Types
type AccessController
type AccessController struct {
// contains filtered or unexported fields
}
func (*AccessController) Authorized
func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...registryauth.Access) (context.Context, error)
Authorized handles checking whether the given request is authorized for actions on resources allowed by openshift. Sources of access records:
	origin/pkg/cmd/dockerregistry/dockerregistry.go#Execute
	docker/distribution/registry/handlers/app.go#appendAccessRecords
type RegistryClient (added in v1.1.4)
type RegistryClient struct {
// contains filtered or unexported fields
}
RegistryClient encapsulates getting access to the OpenShift API.
func NewRegistryClient (added in v1.1.4)
func NewRegistryClient(config *clientcmd.Config) *RegistryClient
NewRegistryClient creates a registry client.
func (*RegistryClient) Clients (added in v1.1.4)
Client returns the authenticated client to use with the server.
func (*RegistryClient) SafeClientConfig (added in v1.1.4)
func (r *RegistryClient) SafeClientConfig() restclient.Config
SafeClientConfig returns a client config without authentication info.