Tags: project-zot/zot
fix(security): remove InsecureSkipVerify from metrics client (TLS-1) (#3982)

* fix(security): remove InsecureSkipVerify from metrics client (TLS-1)
  Replace the unconditional InsecureSkipVerify: true TLS config in newHTTPMetricsClient with the system cert pool (+ TLS 1.2 minimum). Add an optional CACert field to MetricsConfig and to the exporter ServerConfig so operators running zot with a self-signed or private CA can point the exporter at the correct CA file instead of disabling certificate verification entirely.
  Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* feat(metrics): add HTTPS configuration for metrics exporter
  Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix(security): enhance CA certificate handling in metrics client and add tests
  Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix(security): improve CA certificate error handling in metrics client and update tests
  Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix(tests): correct package name in minimal_client_test.go and simplify error declaration
  Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix(tests): update package name in minimal_client_test.go for consistency
  Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
Introduce support for OIDC workload identity federation (#3711)

* feat(oidc): introduce support for OIDC workload identity federation
  Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
* feat(oidc): add e2e test for bearer OIDC and a kind cluster
  Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
* feat(oidc): make OIDC workload identity federation its own feature
  Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
* feat(oidc): move errors to the errors package
  Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
* feat(oidc): fix race in cel package
  Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
* feat(oidc): compile cel expressions
  Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
---------
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
chore: fix dependabot alerts (#3660)

* chore: fix dependabot alerts
  Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix: linter error
  Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
fix(sync): properly handle CommitAll errors in syncImage and skip failed temp sync dirs (#3567)

- Return CommitAll errors instead of ignoring them
- Skip ErrRepoNotFound from temp sync dirs to allow other tags to sync
- Each tag uses separate temp directory, so failures are isolated

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
fix: make config read/write thread safe (#3432)

* fix: make config read/write thread safe and fix some other similar issues

1. The config has a lock, and safe methods to update and read the attributes.
2. The config has methods to retrieve copies of specific attributes, such as the extensions config, the auth config, and the authz config. These are needed, as the config object may mutate in the middle of an auth/authz request, and we avoid partial configuration being applied for that request.
3. Fix an issue with the monitoring server not stopping when the controller is shut down.
4. Fix an issue with the HTPasswdWatcher not stopping when the background tasks are supposed to finish.
5. Fix some tests using hardcoded ports.

Moved some of the methods which were on the main config to the auth, access control and extension configs.

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>