mirror of https://github.com/project-zot/zot.git synced 2025-03-25 02:32:57 -05:00
zot/pkg/extensions
Andrei Aaron 77149aa85c
refactor(extensions)!: refactor the extensions URLs and errors (#1636)
BREAKING CHANGE: The functionality provided by the mgmt endpoint has been redesigned - see details below
BREAKING CHANGE: The API keys endpoint has been moved - see details below
BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled
BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey

mgmt and imagetrust extensions:
- separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign
- signature verification logic is in a separate `imagetrust` extension
- better handling of errors in case of signature uploads: logging and error codes (more 400 and less 500 errors)
- add authz on signature uploads (and add a new middleware in common for this purpose)
- remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled

userprefs extension:
- userprefs are enabled if both search and ui extensions are enabled (as opposed to just search)

apikey extension is removed and logic moved into the api folder
- Move apikeys code out of pkg/extensions and into pkg/api
- Remove apikey configuration options from the extensions configuration and move it inside the http auth section
- remove the build label apikeys

other changes:
- move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files.
- add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys
- add a new function in the extension package which could be a single point of starting background tasks for all extensions
- more clear methods for verifying specific extensions are enabled
- fix http methods paired with the UI handlers
- rebuild swagger docs

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 21:58:34 +03:00
..
config refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
lint refactor: filenames should use _ not - (#1547) 2023-06-22 11:54:41 -07:00
monitoring feat: remove usage of zerolog.Logger.Msgf() from zot code (#1382) 2023-04-27 19:44:22 -07:00
scrub refactor(storage): refactoring storage (#1459) 2023-05-26 11:08:19 -07:00
search refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
sync test(refactor): change upload image function signature (#1655) 2023-07-28 17:53:46 +03:00
_zot.md refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_image_trust.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_image_trust_disabled.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_image_trust_disabled_test.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_image_trust_test.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_metrics.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_metrics_disabled.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_mgmt.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_mgmt_disabled.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_scrub.go fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563) 2023-07-04 11:03:29 +03:00
extension_scrub_disabled.go initial design for task scheduler (#700) 2022-09-22 22:27:56 -07:00
extension_search.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_search_disabled.go feat(refator): refactoring repodb into meta (#1626) 2023-07-18 10:27:26 -07:00
extension_search_test.go feat(refator): refactoring repodb into meta (#1626) 2023-07-18 10:27:26 -07:00
extension_sync.go feat(refator): refactoring repodb into meta (#1626) 2023-07-18 10:27:26 -07:00
extension_sync_disabled.go feat(refator): refactoring repodb into meta (#1626) 2023-07-18 10:27:26 -07:00
extension_ui.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_ui_disabled.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_ui_test.go test(refactor): change upload image function signature (#1655) 2023-07-28 17:53:46 +03:00
extension_userprefs.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_userprefs_disable.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extension_userprefs_test.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
extensions_lint.go image level lint: enforce manifest mandatory annotations 2022-07-27 11:48:04 +03:00
extensions_lint_disabled.go image level lint: enforce manifest mandatory annotations 2022-07-27 11:48:04 +03:00
extensions_test.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
get_extensions.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
get_extensions_disabled_test.go refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
README.md refactor: split AuthZ mdw in 2 different parts, each for a specific purpose (#1542) 2023-07-05 09:37:52 -07:00
README_imagetrust.md refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
README_mgmt.md refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00
README_userprefs.md refactor(extensions)!: refactor the extensions URLs and errors (#1636) 2023-08-02 21:58:34 +03:00

Adding new extensions

As new requirements come in and build-time extensions need to be added, there are a few things that you have to make sure are present before committing:

  • files that should be included in the binary only with a specific extension must contain the following syntax at the beginning of the file:

    //go:build sync will be added automatically by the linter, so only the second line is mandatory.

    NOTE: the third line in the example should be blank, otherwise the build tag would be just another comment.

    //go:build sync
    // +build sync

    package extensions
    ...................

  • when adding a new tag, specify the new order in which multiple tags should be used (bottom of this page)

  • for each new file that contains functions specific to an extension, create a corresponding file that contains the exact same functions, but with no functionality implemented. This file must begin with an "anti-tag" (e.g. // +build !sync), which includes the file in binaries that don't include this extension (in this example, the file won't be used in binaries that include the sync extension). See extension_sync_disabled.go for an example.

  • each extension is responsible for implementing authorization for newly added HTTP endpoints. zot will provide the necessary data, including user permissions, to the extension, but actual enforcement of these permissions is the responsibility of each extension. Each extension http.Handler has access to a context previously populated by BaseAuthzHandler with relevant user info. That info has the following structure:

    type AccessControlContext struct {
      // read method action
      ReadGlobPatterns map[string]bool
      // detectManifestCollision behaviour action
      DmcGlobPatterns map[string]bool
      IsAdmin         bool
      Username        string
      Groups          []string
    }

    This data can then be accessed from the request context so that every extension can apply its own authorization logic, if needed.

  • when a new extension comes out, the developer should also write some blackbox tests, where a binary that contains the new extension should be tested in a real usage scenario. See test/blackbox folder for multiple extensions examples.

  • newly added blackbox tests should have targets in Makefile. You should also add them as GitHub Workflows, in .github/workflows/ecosystem-tools.yaml

  • with every new extension, you should modify the EXTENSIONS variable in Makefile by adding the new extension. The EXTENSIONS variable represents all extensions and is used in Make targets that require them all (e.g. make test).

  • the available extensions that can be used at the moment are: sync, scrub, metrics, search. NOTE: When multiple extensions are used, they should be listed in the order presented above.
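
How an extension handler might enforce the read permissions described in the authorization item above, as an added example (not zot's own code). The context key `ctxKey`, the handler `repoInfo`, the `/ext/example` path, the longest-match rule (a `true` value grants read) and the use of the standard library's `path.Match` for globbing are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// Only the field used here; the README above shows the full structure.
type AccessControlContext struct {
	ReadGlobPatterns map[string]bool
}

type ctxKey struct{} // hypothetical context key; zot defines its own

// canRead lets the longest matching glob decide; no match means deny.
func canRead(ac AccessControlContext, repo string) bool {
	best, allowed := -1, false
	for pattern, ok := range ac.ReadGlobPatterns {
		if m, err := path.Match(pattern, repo); err == nil && m && len(pattern) > best {
			best, allowed = len(pattern), ok
		}
	}
	return allowed
}

// repoInfo is a hypothetical extension handler that fails closed.
func repoInfo(w http.ResponseWriter, r *http.Request) {
	ac, ok := r.Context().Value(ctxKey{}).(AccessControlContext)
	switch {
	case !ok: // no usable authz data in the context: reject
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	case !canRead(ac, r.URL.Query().Get("repo")):
		http.Error(w, "forbidden", http.StatusForbidden)
	default:
		fmt.Fprintln(w, "repo info")
	}
}

// statusFor runs repoInfo on a constructed request with authz in its context.
func statusFor(authz any, repo string) int {
	req := httptest.NewRequest(http.MethodGet, "/ext/example?repo="+repo, nil)
	rec := httptest.NewRecorder()
	repoInfo(rec, req.WithContext(context.WithValue(req.Context(), ctxKey{}, authz)))
	return rec.Code
}

func main() {
	alice := AccessControlContext{ReadGlobPatterns: map[string]bool{"team/*": true, "team/secret": false}}
	fmt.Println(statusFor(alice, "team/app"), statusFor(alice, "team/secret"), statusFor(nil, "team/app"))
}
```

A request whose context carries no value, or a value of the wrong type, is rejected before any pattern is evaluated, so a handler wired without the authorization middleware fails closed.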