Drive container registry migration phase 1 with Rails FFs

Adds a series of FFs to control and gradually increase the number of new container repositories that will use the upcoming container registry metadata database for GitLab.com. These feature flags will then be used to modify the JWT tokens served by Rails to clients whenever they want to interact with the registry. The registry will then read the information within those tokens and decide if a new repository should use the database or not.

Drive container registry migration phase 1 with Rails FFs
Adds a series of FFs to control and gradually increase the number of new container repositories that will use the upcoming container registry metadata database for GitLab.com. These feature flags will then be used to modify the JWT tokens served by Rails to clients whenever they want to interact with the registry. The registry will then read the information within those tokens and decide if a new repository should use the database or not.
29cf01b5 · João Pereira · David Fernandez · 9cb8f213 · 29cf01b5 · 29cf01b5
Commit 29cf01b5 authored Jul 14, 2021 by João Pereira Committed by David Fernandez Jul 14, 2021
6 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -115,7 +115,25 @@ module Auth
      #
      ensure_container_repository!(path, authorized_actions)

-      { type: type, name: path.to_s, actions: authorized_actions }
+      {
+        type: type,
+        name: path.to_s,
+        actions: authorized_actions,
+        migration_eligible: migration_eligible(requested_project, authorized_actions)
+      }.compact
+    end
+
+    def migration_eligible(project, actions)
+      return unless actions.include?('push')
+      return unless Feature.enabled?(:container_registry_migration_phase1)
+
+      # The migration process will start by allowing only specific test and gitlab-org projects using the
+      # `container_registry_migration_phase1_allow` FF. We'll then move on to a percentage rollout using this same FF.
+      # To remove the risk of impacting enterprise customers that rely heavily on the registry during the percentage
+      # rollout, we'll add their top-level group/namespace to the `container_registry_migration_phase1_deny` FF. Later,
+      # we'll remove them manually from this deny list, and their new repositories will become eligible.
+      Feature.disabled?(:container_registry_migration_phase1_deny, project.root_ancestor) &&
+        Feature.enabled?(:container_registry_migration_phase1_allow, project)
    end

    ##

--- a/config/feature_flags/development/container_registry_migration_phase1.yml
+++ b/config/feature_flags/development/container_registry_migration_phase1.yml
+---
+name: container_registry_migration_phase1
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63907
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/335703
+milestone: '14.1'
+type: development
+group: group::package
+default_enabled: false
--- a/config/feature_flags/development/container_registry_migration_phase1_allow.yml
+++ b/config/feature_flags/development/container_registry_migration_phase1_allow.yml
+---
+name: container_registry_migration_phase1_allow
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63907
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/335705
+milestone: '14.1'
+type: development
+group: group::package
+default_enabled: false
--- a/config/feature_flags/development/container_registry_migration_phase1_deny.yml
+++ b/config/feature_flags/development/container_registry_migration_phase1_deny.yml
+---
+name: container_registry_migration_phase1_deny
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63907
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/335706
+milestone: '14.1'
+type: development
+group: group::package
+default_enabled: false
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -6,4 +6,96 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
  include AdminModeHelper

  it_behaves_like 'a container registry auth service'
+
+  context 'when in migration mode' do
+    include_context 'container registry auth service context'
+
+    let_it_be(:current_user) { create(:user) }
+    let_it_be(:project) { create(:project) }
+
+    before do
+      project.add_developer(current_user)
+    end
+
+    shared_examples 'an unmodified token' do
+      it_behaves_like 'a valid token'
+      it { expect(payload['access']).not_to include(have_key('migration_eligible')) }
+    end
+
+    shared_examples 'a modified token with migration eligibility' do |eligible|
+      it_behaves_like 'a valid token'
+      it { expect(payload['access']).to include(include('migration_eligible' => eligible)) }
+    end
+
+    shared_examples 'a modified token' do
+      context 'with a non eligible root ancestor and project' do
+        before do
+          stub_feature_flags(container_registry_migration_phase1_deny: project.root_ancestor)
+          stub_feature_flags(container_registry_migration_phase1_allow: false)
+        end
+
+        it_behaves_like 'a modified token with migration eligibility', false
+      end
+
+      context 'with a non eligible root ancestor and eligible project' do
+        before do
+          stub_feature_flags(container_registry_migration_phase1_deny: false)
+          stub_feature_flags(container_registry_migration_phase1_deny: project.root_ancestor)
+          stub_feature_flags(container_registry_migration_phase1_allow: project)
+        end
+
+        it_behaves_like 'a modified token with migration eligibility', false
+      end
+
+      context 'with an eligible root ancestor and non eligible project' do
+        before do
+          stub_feature_flags(container_registry_migration_phase1_deny: false)
+          stub_feature_flags(container_registry_migration_phase1_allow: false)
+        end
+
+        it_behaves_like 'a modified token with migration eligibility', false
+      end
+
+      context 'with an eligible root ancestor and project' do
+        before do
+          stub_feature_flags(container_registry_migration_phase1_deny: false)
+          stub_feature_flags(container_registry_migration_phase1_allow: project)
+        end
+
+        it_behaves_like 'a modified token with migration eligibility', true
+      end
+    end
+
+    context 'with pull action' do
+      let(:current_params) do
+        { scopes: ["repository:#{project.full_path}:pull"] }
+      end
+
+      it_behaves_like 'an unmodified token'
+    end
+
+    context 'with push action' do
+      let(:current_params) do
+        { scopes: ["repository:#{project.full_path}:push"] }
+      end
+
+      it_behaves_like 'a modified token'
+    end
+
+    context 'with multiple actions including push' do
+      let(:current_params) do
+        { scopes: ["repository:#{project.full_path}:pull,push,delete"] }
+      end
+
+      it_behaves_like 'a modified token'
+    end
+
+    context 'with multiple actions excluding push' do
+      let(:current_params) do
+        { scopes: ["repository:#{project.full_path}:pull,delete"] }
+      end
+
+      it_behaves_like 'an unmodified token'
+    end
+  end
 end
--- a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
+++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
@@ -157,6 +157,10 @@ end
 RSpec.shared_examples 'a container registry auth service' do
  include_context 'container registry auth service context'

+  before do
+    stub_feature_flags(container_registry_migration_phase1: false)
+  end
+
  describe '#full_access_token' do
    let_it_be(:project) { create(:project) }