issues working with the OpenShift internal image registry #466

Closed
tmds opened this issue Jun 23, 2023 · 10 comments · Fixed by dotnet/sdk#33753

Comments

@tmds
Member

tmds commented Jun 23, 2023

OpenShift container platform comes with an internal image registry.

I tried using the sdk container tooling with it and ran into two authentication-related issues:

1. The registry doesn't include service on the WWW-Authenticate header, and AuthHandshakeMessageHandler handles this as a required parameter.
   Maybe we can relax this, and treat it similar to scope?

2. When the blob uploads are performed, the registry doesn't like receiving a blob without an authentication header. It forcibly closes the TCP connection. In this case the AuthHandshakeMessageHandler won't make another attempt to add an authentication header.
   Probably by the time we're uploading blobs we can add the authentication headers on the first request?
   That will also save a round-trip to the server.

cc @baronfel
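
The first point in the issue above, as an added C# example (not code from this thread or from the .NET SDK): a parser for a WWW-Authenticate Bearer challenge that requires only realm and treats service, like scope, as optional when building the token request. The class and method names, the http(s) restriction on realm, and the example.test hosts are assumptions of this example.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Text.RegularExpressions;

// Constructed challenges: one with every parameter, one with only realm
// (the shape described in the issue: no service on the header).
var full = new AuthenticationHeaderValue("Bearer",
    "realm=\"https://auth.example.test/token\",service=\"registry.example.test\",scope=\"repository:demo/app:pull,push\"");
var realmOnly = new AuthenticationHeaderValue("Bearer", "realm=\"https://registry.example.test/token\"");

Console.WriteLine(BearerChallenge.BuildTokenUri(full));
Console.WriteLine(BearerChallenge.BuildTokenUri(realmOnly, "repository:demo/app:pull,push"));

// Hypothetical helper for illustration; not the SDK's AuthHandshakeMessageHandler.
static class BearerChallenge
{
    // key="quoted value" or key=token pairs inside the challenge parameter.
    static readonly Regex Pair = new(@"(\w+)\s*=\s*(?:""([^""]*)""|([^,\s]+))");

    public static Uri? BuildTokenUri(AuthenticationHeaderValue challenge, string? fallbackScope = null)
    {
        if (!"Bearer".Equals(challenge.Scheme, StringComparison.OrdinalIgnoreCase) || challenge.Parameter is null)
            return null;

        var args = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in Pair.Matches(challenge.Parameter))
            args[m.Groups[1].Value] = m.Groups[2].Success ? m.Groups[2].Value : m.Groups[3].Value;

        // realm is the token endpoint, so it is the one parameter that must be present.
        // Credentials are sent to it, so this example only accepts an absolute http(s) URL.
        if (!args.TryGetValue("realm", out var realm) || !Uri.TryCreate(realm, UriKind.Absolute, out var realmUri)
            || (realmUri.Scheme != Uri.UriSchemeHttps && realmUri.Scheme != Uri.UriSchemeHttp))
            return null;

        var query = new List<string>();
        if (args.TryGetValue("service", out var service))   // optional, like scope
            query.Add("service=" + Uri.EscapeDataString(service));
        if (!args.TryGetValue("scope", out var scope)) scope = fallbackScope;
        if (scope is not null)
            query.Add("scope=" + Uri.EscapeDataString(scope));

        if (query.Count == 0) return realmUri;
        var separator = string.IsNullOrEmpty(realmUri.Query) ? "?" : "&";
        return new Uri(realmUri.AbsoluteUri + separator + string.Join("&", query));
    }
}
```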

@baronfel
Member

I think the first problem (missing service) is included in dotnet/sdk#32371 as part of another issue reported on this repo, and the second problem (missing auth header) is part of dotnet/sdk#33500 - want to take a look at those and see if that assessment matches what you see?

@tmds
Member Author

tmds commented Jun 26, 2023

> I think the first problem (missing service) is included in dotnet/sdk#32371 as part of another issue reported on this repo,

The internal registry doesn't include the service on the Bearer. This will fix it: https://github.com/dotnet/sdk/pull/32371/files#r1241825861

@tmds
Member Author

tmds commented Jun 26, 2023

> the second problem (missing auth header) is part of dotnet/sdk#33500

👍 Yes, this fixes the issue with the upload by using the cached header.

@baronfel
Member

dotnet/sdk#32371 is almost certainly not going to make 7.0.400, but we should retarget it and try to get it into 8.0.100. The auth header part of this issue has been merged now.

@tmds
Member Author

tmds commented Jun 29, 2023

> dotnet/sdk#32371 is almost certainly not going to make 7.0.400, but we should retarget it and try to get it into 8.0.100. The auth header part of this issue has been merged now.

I've included a suggestion that will fix the issue with the OpenShift internal registry: https://github.com/dotnet/sdk/pull/32371/files#r1241825861.

If it would be of help, I can port the PR to 8.0.

@baronfel
Member

That would be lovely @tmds. The real blocker is I am having a hard time getting the test working in CI - the test is supposed to configure and run a local registry that is configured to trigger the problem (a non-URI realm) and then verify that we can still communicate with the local registry, but the CI runner isn't correctly standing up the local registry.

@tmds
Member Author

tmds commented Jun 30, 2023

I'll look into this next week.

@baronfel
Member

baronfel commented Aug 9, 2023

@tmds had a chance to validate this in the live version of the container tooling? I expect it to work great, just looking to close out old issues.

baronfel added this to the 8.0.100 milestone Aug 9, 2023

@tmds
Member Author

tmds commented Sep 8, 2023

I ran the tooling successfully against the internal registry.

tmds closed this as completed Sep 8, 2023

@baronfel
Member

baronfel commented Sep 8, 2023

Love to see it 💯
