Commit e5c3db9c authored by João Pereira's avatar João Pereira Committed by Doug Stull

Allow gradual rollout for the container registry Google CDN feature

Adds a feature flag and logic to allow a "percentage of time"
gradual rollout for the new Container Registry Google Cloud CDN
feature as described in
https://gitlab.com/gitlab-org/gitlab/-/issues/349417.
parent c11f8b46
...@@ -124,7 +124,8 @@ module Auth ...@@ -124,7 +124,8 @@ module Auth
type: type, type: type,
name: path.to_s, name: path.to_s,
actions: authorized_actions, actions: authorized_actions,
migration_eligible: self.class.migration_eligible(project: requested_project) migration_eligible: self.class.migration_eligible(project: requested_project),
cdn_redirect: cdn_redirect
}.compact }.compact
end end
...@@ -150,6 +151,13 @@ module Auth ...@@ -150,6 +151,13 @@ module Auth
false false
end end
# This is used to determine whether blob download requests using a given JWT token should be redirected to Google
# Cloud CDN or not. The intent is to enable a percentage of time rollout for this new feature on the Container
# Registry side. See https://gitlab.com/gitlab-org/gitlab/-/issues/349417 for more details.
def cdn_redirect
Feature.enabled?(:container_registry_cdn_redirect) || nil
end
## ##
# Because we do not have two way communication with registry yet, # Because we do not have two way communication with registry yet,
# we create a container repository image resource when push to the # we create a container repository image resource when push to the
......
---
name: container_registry_cdn_redirect
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77705
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/349717
milestone: '14.7'
type: development
group: group::package
default_enabled: false
...@@ -145,4 +145,28 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do ...@@ -145,4 +145,28 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'an unmodified token' it_behaves_like 'an unmodified token'
end end
end end
context 'CDN redirection' do
include_context 'container registry auth service context'
let_it_be(:current_user) { create(:user) }
let_it_be(:project) { create(:project) }
let_it_be(:current_params) { { scopes: ["repository:#{project.full_path}:pull"] } }
before do
project.add_developer(current_user)
end
it_behaves_like 'a valid token'
it { expect(payload['access']).to include(include('cdn_redirect' => true)) }
context 'when the feature flag is disabled' do
before do
stub_feature_flags(container_registry_cdn_redirect: false)
end
it_behaves_like 'a valid token'
it { expect(payload['access']).not_to include(have_key('cdn_redirect')) }
end
end
end end
...@@ -71,6 +71,7 @@ end ...@@ -71,6 +71,7 @@ end
RSpec.shared_examples 'an accessible' do RSpec.shared_examples 'an accessible' do
before do before do
stub_feature_flags(container_registry_migration_phase1: false) stub_feature_flags(container_registry_migration_phase1: false)
stub_feature_flags(container_registry_cdn_redirect: false)
end end
let(:access) do let(:access) do
...@@ -163,6 +164,7 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -163,6 +164,7 @@ RSpec.shared_examples 'a container registry auth service' do
before do before do
stub_feature_flags(container_registry_migration_phase1: false) stub_feature_flags(container_registry_migration_phase1: false)
stub_feature_flags(container_registry_cdn_redirect: false)
end end
describe '#full_access_token' do describe '#full_access_token' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment