Registry catalog

Implements the upstream repository catalog API call:

    GET /v2/_catalog

Returned is a list of repository names as json:

    200 OK
    Content-Type: application/json
    { "repositories": [ <name>, ... ] }

Pagination is supported by mapping the last returned repository name to
the opaque continue token received from master API and using it on the
next invocation.

Signed-off-by: Michal Minář <[email protected]>

Author: Michal Minář

pkg/dockerregistry/server/app.go

@@ -8,6 +8,7 @@ import (
 	"github.com/docker/distribution/configuration"
 	"github.com/docker/distribution/context"
 	storagedriver "github.com/docker/distribution/registry/storage/driver"
+	kubecache "k8s.io/apimachinery/pkg/util/cache"
 
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/cache"
 	"github.com/openshift/image-registry/pkg/dockerregistry/server/client"
@@ -20,6 +21,7 @@ const (
 	// Default values
 	defaultDescriptorCacheSize         = 4096
 	defaultDigestToRepositoryCacheSize = 2048
+	defaultPaginationCacheSize         = 1024
 )
 
 // appMiddleware should be used only in tests.
@@ -55,16 +57,23 @@ type App struct {
 
 	// cache is a shared cache of digests and descriptors.
 	cache cache.DigestCache
+
+	// paginationCache maps repository names to opaque continue tokens received from master API for subsequent
+	// list imagestreams requests
+	paginationCache *kubecache.LRUExpireCache
 }
 
 func (app *App) Storage(driver storagedriver.StorageDriver, options map[string]interface{}) (storagedriver.StorageDriver, error) {
 	app.driver = driver
 	return driver, nil
 }
 
-func (app *App) Registry(registry distribution.Namespace, options map[string]interface{}) (distribution.Namespace, error) {
-	app.registry = registry
-	return registry, nil
+func (app *App) Registry(nm distribution.Namespace, options map[string]interface{}) (distribution.Namespace, error) {
+	app.registry = nm
+	return &registry{
+		registry:   nm,
+		enumerator: NewCachingRepositoryEnumerator(app.registryClient, app.paginationCache),
+	}, nil
 }
 
 func (app *App) BlobStatter() distribution.BlobStatter {
@@ -78,11 +87,12 @@ func (app *App) BlobStatter() distribution.BlobStatter {
 // The program will be terminated if an error happens.
 func NewApp(ctx context.Context, registryClient client.RegistryClient, dockerConfig *configuration.Configuration, extraConfig *registryconfig.Configuration, writeLimiter maxconnections.Limiter) http.Handler {
 	app := &App{
-		ctx:            ctx,
-		registryClient: registryClient,
-		config:         extraConfig,
-		writeLimiter:   writeLimiter,
-		quotaEnforcing: newQuotaEnforcingConfig(ctx, extraConfig.Quota),
+		ctx:             ctx,
+		registryClient:  registryClient,
+		config:          extraConfig,
+		writeLimiter:    writeLimiter,
+		quotaEnforcing:  newQuotaEnforcingConfig(ctx, extraConfig.Quota),
+		paginationCache: kubecache.NewLRUExpireCache(defaultPaginationCacheSize),
 	}
 
 	cacheTTL := time.Duration(0)

pkg/dockerregistry/server/auth.go

@@ -301,6 +301,20 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg
 			default:
 				return nil, ac.wrapErr(ctx, ErrUnsupportedAction)
 			}
+
+		case "registry":
+			switch access.Resource.Name {
+			case "catalog":
+				if access.Action != "*" {
+					return nil, ac.wrapErr(ctx, ErrUnsupportedAction)
+				}
+				if err := verifyCatalogAccess(ctx, osClient); err != nil {
+					return nil, ac.wrapErr(ctx, err)
+				}
+			default:
+				return nil, ac.wrapErr(ctx, ErrUnsupportedResource)
+			}
+
 		default:
 			return nil, ac.wrapErr(ctx, ErrUnsupportedResource)
 		}
@@ -440,6 +454,10 @@ func verifyPruneAccess(ctx context.Context, c client.SelfSubjectAccessReviewsNam
 	return verifyWithGlobalSAR(ctx, "images", "", "delete", c)
 }
 
+func verifyCatalogAccess(ctx context.Context, c client.SelfSubjectAccessReviewsNamespacer) error {
+	return verifyWithGlobalSAR(ctx, "imagestreams", "", "list", c)
+}
+
 func verifyMetricsAccess(ctx context.Context, metrics configuration.Metrics, token string, c client.SelfSubjectAccessReviewsNamespacer) error {
 	if !metrics.Enabled {
 		return ErrOpenShiftAccessDenied

pkg/dockerregistry/server/catalog.go

@@ -0,0 +1,163 @@
+package server
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"time"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/cache"
+
+	"github.com/docker/distribution/context"
+
+	imageapiv1 "github.com/openshift/api/image/v1"
+	"github.com/openshift/image-registry/pkg/dockerregistry/server/client"
+)
+
+const paginationEntryTTL = time.Minute
+
+// RepositoryEnumerator allows to enumerate repositories known to the registry.
+type RepositoryEnumerator interface {
+	// EnumerateRepositories fills the given repos slice with image stream names. The slice's length
+	// determines the maximum number of repositories returned. The repositories are lexicographically sorted.
+	// The last argument allows for pagination. It is the offset in the catalog. Returned is a number of
+	// repositories filled. If there are no more repositories to return, io.EOF is returned.
+	EnumerateRepositories(ctx context.Context, repos []string, last string) (n int, err error)
+}
+
+// cachingRepositoryEnumerator is an enumerator that supports chunking by caching associations between
+// repository names and opaque continuation tokens.
+type cachingRepositoryEnumerator struct {
+	client client.RegistryClient
+	// a cache of opaque continue tokens for repository enumeration
+	cache *cache.LRUExpireCache
+}
+
+var _ RepositoryEnumerator = &cachingRepositoryEnumerator{}
+
+// NewCachingRepositoryEnumerator returns a new caching repository enumerator.
+func NewCachingRepositoryEnumerator(client client.RegistryClient, cache *cache.LRUExpireCache) RepositoryEnumerator {
+	return &cachingRepositoryEnumerator{
+		client: client,
+		cache:  cache,
+	}
+}
+
+type isHandlerFunc func(is *imageapiv1.ImageStream) error
+
+var errNoSpaceInSlice = errors.New("no space in slice")
+var errEnumerationFinished = errors.New("enumeration finished")
+
+func (re *cachingRepositoryEnumerator) EnumerateRepositories(
+	ctx context.Context,
+	repos []string,
+	last string,
+) (n int, err error) {
+	if len(repos) == 0 {
+		// Client explicitly requested 0 results. Returning nil for error seems more appropriate but this is
+		// more in line with upstream does. Returning nil actually makes the upstream code panic.
+		// TODO: patch upstream?  /_catalog?n=0  results in 500
+		return 0, errNoSpaceInSlice
+	}
+
+	err = re.enumerateImageStreams(ctx, int64(len(repos)), last, func(is *imageapiv1.ImageStream) error {
+		name := fmt.Sprintf("%s/%s", is.Namespace, is.Name)
+		repos[n] = name
+		n++
+
+		if n >= len(repos) {
+			return errEnumerationFinished
+		}
+
+		return nil
+	})
+
+	switch err {
+	case errEnumerationFinished:
+		err = nil
+	case nil:
+		err = io.EOF
+	}
+
+	return
+}
+
+func (r *cachingRepositoryEnumerator) enumerateImageStreams(
+	ctx context.Context,
+	limit int64,
+	last string,
+	handler isHandlerFunc,
+) error {
+	var (
+		start  string
+		warned bool
+	)
+
+	client, ok := userClientFrom(ctx)
+	if !ok {
+		context.GetLogger(ctx).Warnf("user token not set, falling back to registry client")
+		osClient, err := r.client.Client()
+		if err != nil {
+			return err
+		}
+		client = osClient
+	}
+
+	if len(last) > 0 {
+		if c, ok := r.cache.Get(last); !ok {
+			context.GetLogger(ctx).Warnf("failed to find opaque continue token for last repository=%q -> requesting the full image stream list instead of %d items", last, limit)
+			warned = true
+			limit = 0
+		} else {
+			start = c.(string)
+		}
+	}
+
+	iss, err := client.ImageStreams("").List(metav1.ListOptions{
+		Limit:    limit,
+		Continue: start,
+	})
+	if apierrors.IsResourceExpired(err) {
+		context.GetLogger(ctx).Warnf("continuation token expired (%v) -> requesting the full image stream list", err)
+		iss, err = client.ImageStreams("").List(metav1.ListOptions{})
+		warned = true
+	}
+
+	if err != nil {
+		return err
+	}
+
+	warnBrokenPagination := func(msg string) {
+		if !warned {
+			context.GetLogger(ctx).Warnf("pagination not working: %s; the master API does not support chunking", msg)
+			warned = true
+		}
+	}
+
+	if limit > 0 && limit < int64(len(iss.Items)) {
+		warnBrokenPagination(fmt.Sprintf("received %d image streams instead of requested maximum %d", len(iss.Items), limit))
+	}
+	if len(iss.Items) > 0 && len(iss.ListMeta.Continue) > 0 {
+		last := iss.Items[len(iss.Items)-1]
+		r.cache.Add(fmt.Sprintf("%s/%s", last.Namespace, last.Name), iss.ListMeta.Continue, paginationEntryTTL)
+	}
+
+	for _, is := range iss.Items {
+		name := fmt.Sprintf("%s/%s", is.Namespace, is.Name)
+		if len(last) > 0 && name <= last {
+			if !warned {
+				warnBrokenPagination(fmt.Sprintf("received unexpected repository name %q -"+
+					" lexicographically preceding the requested %q", name, last))
+			}
+			continue
+		}
+		err := handler(&is)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

pkg/dockerregistry/server/catalog_test.go

@@ -0,0 +1,151 @@
+package server
+
+import (
+	"io"
+	"testing"
+	"time"
+
+	"github.com/docker/distribution/context"
+
+	registryclient "github.com/openshift/image-registry/pkg/dockerregistry/server/client"
+	"github.com/openshift/image-registry/pkg/testutil"
+)
+
+func TestCatalog(t *testing.T) {
+	const blobRepoCacheTTL = time.Millisecond * 500
+
+	type isMeta struct{ namespace, name string }
+
+	for _, tc := range []struct {
+		name          string
+		isObjectMeta  []isMeta
+		buffer        []string
+		last          string
+		expectedRepos []string
+		expectedError error
+	}{
+		{
+			name:          "no image streams",
+			buffer:        make([]string, 2),
+			expectedError: io.EOF,
+		},
+
+		{
+			name:          "one image stream",
+			isObjectMeta:  []isMeta{{"nm", "foo"}},
+			buffer:        make([]string, 2),
+			expectedRepos: []string{"nm/foo"},
+			expectedError: io.EOF,
+		},
+
+		{
+			name:          "2 image streams in the same namespace",
+			isObjectMeta:  []isMeta{{"nm", "foo"}, {"nm", "bar"}},
+			buffer:        make([]string, 2),
+			expectedRepos: []string{"nm/bar", "nm/foo"},
+			expectedError: nil,
+		},
+
+		{
+			name:          "3 image streams in different namespaces",
+			isObjectMeta:  []isMeta{{"fst", "is"}, {"snd", "is"}, {"trd", "name"}},
+			buffer:        make([]string, 4),
+			expectedRepos: []string{"fst/is", "snd/is", "trd/name"},
+			expectedError: io.EOF,
+		},
+
+		{
+			name: "repositories get sorted",
+			isObjectMeta: []isMeta{
+				{"nm", "ab"}, {"nmc", "aa"}, {"ab", "cd"}, {"ss", "is"}, {"ab", "aa"}, {"a", "nn"},
+			},
+			buffer:        make([]string, 7),
+			expectedRepos: []string{"a/nn", "ab/aa", "ab/cd", "nm/ab", "nmc/aa", "ss/is"},
+			expectedError: io.EOF,
+		},
+
+		{
+			name:          "short buffer",
+			isObjectMeta:  []isMeta{{"nm", "foo"}, {"nm", "bar"}},
+			buffer:        make([]string, 1),
+			expectedRepos: []string{"nm/bar"},
+			expectedError: nil,
+		},
+
+		{
+			name:          "skip the first",
+			isObjectMeta:  []isMeta{{"nm", "foo"}, {"nm", "bar"}},
+			buffer:        make([]string, 2),
+			last:          "nm/bar",
+			expectedRepos: []string{"nm/foo"},
+			expectedError: io.EOF,
+		},
+
+		{
+			name:          "skip the last",
+			isObjectMeta:  []isMeta{{"nm", "foo"}, {"nm", "bar"}},
+			buffer:        make([]string, 2),
+			last:          "nm/foo",
+			expectedRepos: []string{},
+			expectedError: io.EOF,
+		},
+
+		{
+			name:          "bigger buffer capacity does not matter",
+			isObjectMeta:  []isMeta{{"nm", "foo"}, {"nm", "bar"}},
+			buffer:        make([]string, 1, 2),
+			expectedRepos: []string{"nm/bar"},
+			expectedError: nil,
+		},
+
+		{
+			name:          "pick a repository in the middle",
+			isObjectMeta:  []isMeta{{"bar", "is"}, {"baz", "is"}, {"foo", "is"}},
+			buffer:        make([]string, 1),
+			last:          "bar/is",
+			expectedRepos: []string{"baz/is"},
+			expectedError: nil,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := context.Background()
+			ctx = testutil.WithTestLogger(ctx, t)
+			ctx = withAuthPerformed(ctx)
+
+			fos, imageClient := testutil.NewFakeOpenShiftWithClient(ctx)
+			for _, is := range tc.isObjectMeta {
+				testutil.AddImageStream(t, fos, is.namespace, is.name, nil)
+			}
+
+			reg, err := newTestRegistry(
+				ctx,
+				registryclient.NewFakeRegistryAPIClient(nil, imageClient),
+				nil,
+				blobRepoCacheTTL,
+				false,
+				false)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			numFilled, err := reg.Repositories(ctx, tc.buffer, tc.last)
+			if a, e := err, tc.expectedError; a != e {
+				t.Errorf("got unexpected error: %q != %q", a, e)
+			}
+
+			if a, e := numFilled, len(tc.expectedRepos); a != e {
+				t.Errorf("got unexpected number of repos: %d != %d", numFilled, e)
+			}
+
+			for i := 0; i < numFilled || i < len(tc.expectedRepos); i++ {
+				if i < numFilled && i >= len(tc.expectedRepos) {
+					t.Errorf("got unexpected repository at position #%d: %q", i, tc.buffer[i])
+				} else if i < len(tc.expectedRepos) && i >= numFilled {
+					t.Errorf("expected repository %q not returned", tc.expectedRepos[i])
+				} else if a, e := tc.buffer[i], tc.expectedRepos[i]; a != e {
+					t.Errorf("got unexpected repository at position #%d: %q != %q", i, a, e)
+				}
+			}
+		})
+	}
+}

pkg/dockerregistry/server/registry.go

@@ -0,0 +1,42 @@
+package server
+
+import (
+	"errors"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/context"
+	"github.com/docker/distribution/reference"
+)
+
+// registry wraps upstream registry object and overrides some of its methods
+// TODO: collect metrics for reimplemented methods
+type registry struct {
+	registry   distribution.Namespace
+	enumerator RepositoryEnumerator
+}
+
+var _ distribution.Namespace = &registry{}
+
+func (r *registry) Scope() distribution.Scope {
+	return r.registry.Scope()
+}
+
+func (r *registry) Repository(ctx context.Context, name reference.Named) (distribution.Repository, error) {
+	return r.registry.Repository(ctx, name)
+}
+
+// Repositories lists repository names made out of image streams fetched from master API.
+func (r *registry) Repositories(ctx context.Context, repos []string, last string) (n int, err error) {
+	n, err = r.enumerator.EnumerateRepositories(ctx, repos, last)
+	if err == errNoSpaceInSlice {
+		return n, errors.New("client requested zero entries")
+	}
+	return
+}
+
+func (r *registry) Blobs() distribution.BlobEnumerator {
+	return r.registry.Blobs()
+}
+
+func (r *registry) BlobStatter() distribution.BlobStatter {
+	return r.registry.BlobStatter()
+}

pkg/dockerregistry/server/registry_test.go

@@ -3,6 +3,8 @@ package server
 import (
 	"time"
 
+	kubecache "k8s.io/apimachinery/pkg/util/cache"
+
 	"github.com/docker/distribution"
 	dockercfg "github.com/docker/distribution/configuration"
 	"github.com/docker/distribution/context"
@@ -68,6 +70,7 @@ func newTestRegistry(
 		quotaEnforcing: &quotaEnforcingConfig{
 			enforcementEnabled: false,
 		},
+		paginationCache: kubecache.NewLRUExpireCache(128),
 	}
 
 	if storageDriver == nil {

pkg/testutil/fakeopenshift.go

@@ -2,6 +2,7 @@ package testutil
 
 import (
 	"fmt"
+	"sort"
 	"sync"
 
 	"github.com/docker/distribution/context"
@@ -141,6 +142,27 @@ func (fos *FakeOpenShift) GetImageStream(namespace, repo string) (*imageapiv1.Im
 	return &is, nil
 }
 
+func (fos *FakeOpenShift) ListImageStreams(namespace string) (*imageapiv1.ImageStreamList, error) {
+	fos.mu.Lock()
+	defer fos.mu.Unlock()
+
+	iss := imageapiv1.ImageStreamList{
+		ListMeta: metav1.ListMeta{},
+		Items:    []imageapiv1.ImageStream{},
+	}
+
+	for _, is := range fos.imageStreams {
+		if len(namespace) != 0 && namespace != is.Namespace {
+			continue
+		}
+		iss.Items = append(iss.Items, is)
+	}
+
+	sort.Sort(byRepositoryName(iss.Items))
+
+	return &iss, nil
+}
+
 func (fos *FakeOpenShift) CreateImageStreamMapping(namespace string, ism *imageapiv1.ImageStreamMapping) (*imageapiv1.ImageStreamMapping, error) {
 	is, err := fos.GetImageStream(namespace, ism.Name)
 	if err != nil {
@@ -353,20 +375,31 @@ func (fos *FakeOpenShift) imageStreamsHandler(action clientgotesting.Action) (bo
 		fmt.Sprintf("(*FakeOpenShift).imageStreamsHandler: %s %s/%s",
 			action.GetVerb(), action.GetNamespace(), fos.getName(action)),
 		func() (bool, runtime.Object, error) {
+			if action.GetSubresource() != "" {
+				return fos.todo(action)
+			}
+
 			switch action := action.(type) {
 			case clientgotesting.CreateActionImpl:
 				is, err := fos.CreateImageStream(
 					action.GetNamespace(),
 					action.Object.(*imageapiv1.ImageStream),
 				)
 				return true, is, err
+
 			case clientgotesting.GetActionImpl:
 				is, err := fos.GetImageStream(
 					action.GetNamespace(),
 					action.GetName(),
 				)
 				return true, is, err
+
+			case clientgotesting.ListActionImpl:
+				fos.logger.Infof("(*FakeOpenShift).imageStreamsHandler: list kind=%s", action.Kind)
+				iss, err := fos.ListImageStreams(action.GetNamespace())
+				return true, iss, err
 			}
+
 			return fos.todo(action)
 		},
 	)
@@ -415,3 +448,15 @@ func (fos *FakeOpenShift) AddReactorsTo(c *imagefakeclient.FakeImageV1) {
 	c.AddReactor("*", "imagestreammappings", fos.imageStreamMappingsHandler)
 	c.AddReactor("*", "imagestreamimages", fos.imageStreamImagesHandler)
 }
+
+type byRepositoryName []imageapiv1.ImageStream
+
+func (brn byRepositoryName) Len() int      { return len(brn) }
+func (brn byRepositoryName) Swap(i, j int) { brn[i], brn[j] = brn[j], brn[i] }
+func (brn byRepositoryName) Less(i, j int) bool {
+	a, b := brn[i], brn[j]
+	if a.Namespace < b.Namespace {
+		return true
+	}
+	return a.Namespace == b.Namespace && a.Name < b.Name
+}