Merge branch 'container_registry_cdn_redirect' into 'master'

Allow gradual rollout for the container registry Google CDN feature See merge request gitlab-org/gitlab!77705

Merge branch 'container_registry_cdn_redirect' into 'master'
Allow gradual rollout for the container registry Google CDN feature See merge request gitlab-org/gitlab!77705
98a3a026 · Doug Stull · 99ab37d4 · e5c3db9c · 98a3a026 · 98a3a026
Commit 98a3a026 authored Jan 11, 2022 by Doug Stull
4 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -124,7 +124,8 @@ module Auth
        type: type,
        name: path.to_s,
        actions: authorized_actions,
-        migration_eligible: self.class.migration_eligible(project: requested_project)
+        migration_eligible: self.class.migration_eligible(project: requested_project),
+        cdn_redirect: cdn_redirect
      }.compact
    end

@@ -150,6 +151,13 @@ module Auth
      false
    end

+    # This is used to determine whether blob download requests using a given JWT token should be redirected to Google
+    # Cloud CDN or not. The intent is to enable a percentage of time rollout for this new feature on the Container
+    # Registry side. See https://gitlab.com/gitlab-org/gitlab/-/issues/349417 for more details.
+    def cdn_redirect
+      Feature.enabled?(:container_registry_cdn_redirect) || nil
+    end
+
    ##
    # Because we do not have two way communication with registry yet,
    # we create a container repository image resource when push to the

--- a/config/feature_flags/development/container_registry_cdn_redirect.yml
+++ b/config/feature_flags/development/container_registry_cdn_redirect.yml
+---
+name: container_registry_cdn_redirect
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77705
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/349717
+milestone: '14.7'
+type: development
+group: group::package
+default_enabled: false
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -145,4 +145,28 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
      it_behaves_like 'an unmodified token'
    end
  end
+
+  context 'CDN redirection' do
+    include_context 'container registry auth service context'
+
+    let_it_be(:current_user) { create(:user) }
+    let_it_be(:project) { create(:project) }
+    let_it_be(:current_params) { { scopes: ["repository:#{project.full_path}:pull"] } }
+
+    before do
+      project.add_developer(current_user)
+    end
+
+    it_behaves_like 'a valid token'
+    it { expect(payload['access']).to include(include('cdn_redirect' => true)) }
+
+    context 'when the feature flag is disabled' do
+      before do
+        stub_feature_flags(container_registry_cdn_redirect: false)
+      end
+
+      it_behaves_like 'a valid token'
+      it { expect(payload['access']).not_to include(have_key('cdn_redirect')) }
+    end
+  end
 end
--- a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
+++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
@@ -71,6 +71,7 @@ end
 RSpec.shared_examples 'an accessible' do
  before do
    stub_feature_flags(container_registry_migration_phase1: false)
+    stub_feature_flags(container_registry_cdn_redirect: false)
  end

  let(:access) do
@@ -163,6 +164,7 @@ RSpec.shared_examples 'a container registry auth service' do

  before do
    stub_feature_flags(container_registry_migration_phase1: false)
+    stub_feature_flags(container_registry_cdn_redirect: false)
  end

  describe '#full_access_token' do