Jimmy Zelinskie
b4efa7e45b
util.failover: init
2017-02-03 19:20:13 -05:00
Joseph Schorr
c9bb132339
Increase cloudwatch send timeout to reduce how often we hit the API
2017-02-01 13:09:00 -05:00
Joseph Schorr
b407f88a26
Remove unnecessary CloudWatch metrics
...
They are spamming the API and costing us a lot of money
2017-02-01 13:08:21 -05:00
josephschorr
01ec22b362
Merge pull request #2300 from coreos-inc/openid-connect
...
OpenID Connect support and OAuth login refactoring
2017-01-31 18:14:44 -05:00
Joseph Schorr
f5dbc350f8
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 17:28:25 -05:00
Joseph Schorr
d63cca025a
DNS name check got reversed; breaks wildcards
2017-01-29 11:51:37 -05:00
Joseph Schorr
d9003d1375
Make sure the parent dir of a file path exists before writing the file
...
Fixes when the `extra_ca_certs` directory doesn't exist when using the new custom certs tool
2017-01-26 15:15:40 -05:00
Joseph Schorr
7c1bb886db
Security scanner ordered tuplize bug fix
...
If only the old list is present, we still need to tuplize the entries.
Fixes https://sentry.io/coreos/backend-production/issues/207196561/
2017-01-24 13:16:44 -05:00
Joseph Schorr
19f7acf575
Lay foundation for truly dynamic external logins
...
Moves all the external login services into a set of classes that share as much code as possible. These services are then registered on both the client and server, allowing us in the followup change to dynamically register new handlers
2017-01-20 15:21:08 -05:00
Joseph Schorr
4755d08677
Refactor and rename the standard OAuth services
2017-01-19 15:23:15 -05:00
Joseph Schorr
bee2551dc2
Temporarily remove Dex login support
...
This will be added back in later in this PR as part of proper generic OIDC support
2017-01-19 14:51:12 -05:00
Joseph Schorr
7c7a07fb5a
Allow namespaces to be between 2 and 255 characters in length
...
[Delivers #137924329 ]
2017-01-19 13:10:26 -05:00
Joseph Schorr
462f47924e
More detailed namespace validation
...
Fixes namespace validation to use the proper regex for checking length, as well as showing the proper messaging if the entered namespace is invalid
[Delivers #137830461 ]
2017-01-17 17:31:59 -05:00
josephschorr
aafcb592a6
Merge pull request #2257 from coreos-inc/clair-gc-take2
...
feat(gc): Garbage collection for security scanning
2017-01-17 14:49:36 -05:00
josephschorr
eb2cafacd4
Merge pull request #2249 from coreos-inc/notifier-fixes
...
Security notification pagination fix
2017-01-17 11:33:25 -05:00
josephschorr
ac8cddc5a9
Merge pull request #2274 from coreos-inc/custom-cert-management
...
Custom SSL certificates config panel
2017-01-13 16:24:47 -05:00
josephschorr
6539fa3b20
Merge pull request #2259 from coreos-inc/delete-abuse-tool
...
Add tool for handling abusing users
2017-01-13 16:22:15 -05:00
Joseph Schorr
1cbacbbb63
Add tool for handling abusing users
2017-01-13 14:42:03 -05:00
Joseph Schorr
7e0fbeb625
Custom SSL certificates config panel
...
Adds a new panel to the superuser config tool, for managing custom SSL certificates in the config bundle
[Delivers #135586525 ]
2017-01-13 14:34:35 -05:00
Joseph Schorr
3a24871422
Add SSL certificate utility and tests
2017-01-10 17:06:13 -05:00
Joseph Schorr
f1c9965edf
Add more volume file operations and cleanup k8s provider code
2017-01-10 17:06:13 -05:00
Joseph Schorr
29d6abddb5
Linter fixes
2017-01-10 17:06:13 -05:00
EvB
a7122db250
fix(cloudwatch): randomize sleep interval
2017-01-05 11:41:12 -05:00
Jake Moshenko
6c84b9330b
Merge pull request #2251 from jakedt/fixaci
...
Fix port mapping for ACI conversion from newer Docker manifests.
2016-12-27 14:13:03 -05:00
Joseph Schorr
d609e6a1c4
Security scanner garbage collection support
...
Adds support for calling GC in the security scanner for any layers+storage removed by GC on the Quay side
2016-12-22 14:55:26 -05:00
Joseph Schorr
9413e25123
Change georeplication queuing to use new batch system
2016-12-21 17:44:30 -05:00
Jake Moshenko
d58a1ca35a
Fix port mapping for ACI conversion from newer Docker manifests.
2016-12-20 14:01:06 -05:00
Joseph Schorr
5b3212ea0e
Change security notification code to use the new stream diff reporters
...
This ensures that even if security scanner pagination sends Old and New layer IDs on different pages, they will properly be handled across the entire notification.
Fixes https://www.pivotaltracker.com/story/show/136133657
2016-12-20 12:50:19 -05:00
Joseph Schorr
ced0149520
Implement helper classes for tracking streaming diffs, both indexed and non-indexed
...
These classes will be used to handle the Layer ID paginated diffs from Clair.
2016-12-20 12:50:18 -05:00
Joseph Schorr
405eca074c
Security scanner flow changes and auto-retry
...
Changes the security scanner code to raise exceptions now for non-successful operations. One of the new exceptions raised is MissingParentLayerException, which, when raised, will cause the security worker to perform a full rescan of all parent images for the current layer, before trying once more to scan the current layer. This should allow the system to be "self-healing" in the case where the security scanner engine somehow loses or corrupts a parent layer.
2016-12-16 15:38:09 -05:00
josephschorr
9fa16679f8
Merge pull request #2238 from coreos-inc/fake-clair
...
Add a fake security scanner class for easier testing
2016-12-15 20:51:24 -05:00
Brad Ison
2730c26b2e
Merge pull request #2237 from coreos-inc/metrics-labels
...
Don't record size in chunk upload metrics
2016-12-15 14:20:34 -05:00
Brad Ison
df7366eace
Add chunk size metric
2016-12-15 13:20:16 -05:00
Joseph Schorr
15041ac5ed
Add a fake security scanner class for easier testing
...
The FakeSecurityScanner mocks out all calls that Quay is expected to make to the security scanner API, and returns faked data that can be adjusted by the calling test case
2016-12-14 17:11:45 -05:00
Brad Ison
8f59ac1251
Don't record size in chunk upload metrics
2016-12-14 12:16:02 -05:00
Joseph Schorr
6871eb95b1
Send notifications for previously unscannable layers in QSS
...
Following this change, if an image was previously indexed unsuccessfully, then we will send notifications once successfully indexed
2016-12-14 11:25:45 -05:00
Joseph Schorr
624b2a8385
Have security scanner analyze only send notifications for *new* layers
...
Following this change, anytime a layer is indexed by the security scanner, we only send notifications out if the layer previously had a security_indexed_engine value of `-1`, thus ensuring it has *never* been indexed previously. This will allow us to change to version of the security scanner upwards, and have all the images be re-indexed, without firing off notifications in a spammy manner.
2016-12-13 23:17:11 -05:00
Evan Cordell
5686c80af1
Revert "Add GC of layers in Clair"
...
This reverts 49872838ab
2016-12-13 18:40:58 -05:00
Evan Cordell
dd5f7cbe6c
Fix the ephemeral build metrics
2016-12-13 18:28:04 -05:00
Joseph Schorr
1e5b97318a
Fix loading of public keys for OIDC under Linux
...
Python's crypto lib under Linux has issues with loading PEM-encoded keys, so we just load it as a DER here and give PyJWT the key *instance* to use directly.
2016-12-09 14:26:56 -05:00
Joseph Schorr
dbdcb802b1
Add end-to-end OAuth login and attach tests
2016-12-08 18:35:42 -05:00
Joseph Schorr
49872838ab
Add GC of layers in Clair
...
Fixes https://www.pivotaltracker.com/story/show/135583207
2016-12-06 19:52:56 -05:00
Jake Moshenko
21e3001446
Add a bulk insert for queue and notifications.
...
Use it for Clair spawned notifications.
2016-12-06 14:00:16 -05:00
Charlton Austin
edd9dcd7f6
Adding in some metrics around clair sec scan.
2016-12-01 16:50:02 -05:00
Joseph Schorr
236655adb4
Fix config validator for storage and add a test suite
...
Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-30 11:58:41 -05:00
Joseph Schorr
1a61ef4e04
Report the user's name and company to Marketo
...
Also fixes the API to report the other changes (username and email) as well
2016-11-14 17:34:50 -05:00
josephschorr
74e54bdbbb
Merge pull request #1872 from coreos-inc/qe-torrent
...
Add QE setup tool support for BitTorrent downloads
2016-11-11 13:56:22 -05:00
Jake Moshenko
b5834a8a66
Collapse all migrations prior to 2.0.0 into one.
2016-11-10 17:31:00 -05:00
Joseph Schorr
74c3346562
Add a warning bar when the license will become invalid in a week
2016-11-08 14:24:55 -05:00
Joseph Schorr
4b926ae189
Add new metrics as requested by some customers
...
Note that the `status` field on the pull and push metrics will eventually be set to False for failed pulls and pushes in a followup PR
2016-11-03 15:28:40 -04:00
Joseph Schorr
681f975df5
Add QE setup tool support for BitTorrent downloads
...
Fixes #1871
2016-11-02 17:32:12 -04:00
josephschorr
840ea4e768
Merge pull request #2047 from coreos-inc/external-auth-email-optional
...
Make email addresses optional in external auth if email feature is turned off
2016-10-31 14:16:33 -04:00
Joseph Schorr
3a473cad2a
Enable permanent sessions
...
Fixes #1955
2016-10-31 13:52:09 -04:00
Joseph Schorr
d7f56350a4
Make email addresses optional in external auth if email feature is turned off
...
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-10-31 13:50:24 -04:00
josephschorr
934cdecbd6
Merge pull request #1905 from coreos-inc/external-auth-search
...
Add support for entity search against external auth users not yet linked
2016-10-27 16:06:42 -04:00
Joseph Schorr
b3d1d7227c
Add support to Keystone Auth for external user linking
...
Also adds Keystone V3 support
2016-10-27 15:42:03 -04:00
Joseph Schorr
fbb524e34e
Add support to ExternalJWT Auth for external user linking
2016-10-27 15:42:03 -04:00
Jake Moshenko
45bacbabaa
s/Regions/Deployments
2016-10-24 16:04:04 -04:00
josephschorr
67dde6e154
Merge pull request #1852 from coreos-inc/underscore_orgs
...
Better handling of namespace validation to fix a number of issues
2016-10-20 13:36:32 -04:00
Joseph Schorr
3a68740ff7
Better handling of namespace validation to fix a number of issues
...
- Fixes a bug which allows for underscores at the beginning of namespaces: Fixes #1849
- Allows dots and dashes for newer Docker clients: Fixes #1188
- Has the UI display better messaging associated with namespace entry
2016-10-20 13:32:22 -04:00
Joseph Schorr
213cc856e4
Fix UI for real license handling
...
Following this change, the user gets detailed errors and entitlement information
2016-10-19 17:49:15 -04:00
Joseph Schorr
2eabf1a291
Fix tests and test provider for real license format
2016-10-18 23:44:08 -04:00
Jake Moshenko
9f1c12e413
Refactor our license code to be entitlement centric.
2016-10-18 22:33:28 -04:00
Jake Moshenko
d90398e9ff
Change the monthly license grace period to 11 months.
2016-10-18 18:46:40 -04:00
Joseph Schorr
67f828279d
Switch the license validator to use config_provider and have a test license
...
Fixes the broken tests currently which try (and fail) to read the license file
2016-10-18 11:44:13 -04:00
Joseph Schorr
ee96693252
Add superuser config section for updating license
2016-10-17 21:44:25 -04:00
Jimmy Zelinskie
5fee4d6d19
*: misc formatting cleanup
2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
a42eb09a3e
util.license: make bp-modification a method
2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
6eb26d7998
configproviders: pass filemode when opening volume
2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
0c5400b7d1
enforce license across registry blueprints
2016-10-17 21:43:45 -04:00
Joseph Schorr
8fe29c5b89
Add license upload step to the setup flow
...
Fixes #853
2016-10-17 21:43:15 -04:00
Joseph Schorr
5211c407ff
Add license checking to Quay
...
Based off of mjibson's changes
Fixes #499
2016-10-17 21:43:15 -04:00
josephschorr
78f87d96bc
Merge pull request #1986 from coreos-inc/external-tls
...
Add option to properly handle external TLS
2016-10-15 16:05:28 -04:00
Jake Moshenko
f04b018805
Write our users to Marketo as leads.
2016-10-14 16:29:11 -04:00
Jake Moshenko
013e27f7d5
Clean up mixpanel analytics a bit.
2016-10-13 15:03:04 -04:00
Joseph Schorr
5a8200f17a
Add option to properly handle external TLS
...
Fixes #1984
2016-10-13 14:49:29 -04:00
Joseph Schorr
6ea51afa66
Add a configurable prometheus namespace for all metrics
...
Fixes #1918
2016-10-05 10:33:35 +03:00
josephschorr
684ace3b5a
Merge pull request #1761 from coreos-inc/nginx-direct-download
...
Add feature flag to force all direct download URLs to be proxied
2016-09-29 22:46:57 +02:00
Evan Cordell
832ee89923
Add duration metric collector decorator ( #1885 )
...
Track time-to-start for builders
Track time-to-build for builders
Track ec2 builder fallbacks
Track build time
2016-09-29 15:44:06 -04:00
Joseph Schorr
6ae3faf7fc
Add explicit config parameter to the JWT auth methods
2016-09-29 11:15:20 +02:00
Joseph Schorr
dd2e086a20
Add feature flag to force all direct download URLs to be proxied
...
Fixes #1667
2016-09-29 11:13:41 +02:00
Jimmy Zelinskie
fc7301be0d
*: fix legacy imports
...
This change reorganizes imports and renames the legacy flask extensions.
2016-09-28 20:17:14 -04:00
Jimmy Zelinskie
ae16d24fd1
license: validate via key instance rather than PEM
2016-09-28 15:44:28 -04:00
josephschorr
e1771abe58
Merge pull request #739 from coreos-inc/license
...
Add license checking to Quay
2016-09-27 16:52:08 +02:00
Joseph Schorr
476576bb70
Add license checking to Quay
...
Based off of mjibson's changes
Fixes #499
2016-09-27 10:31:34 +02:00
Joseph Schorr
3c8b87e086
Fix verbs in manifestlist
...
All registry_tests now pass
2016-09-26 14:49:58 -04:00
Jimmy Zelinskie
59529569dc
reorder imports
2016-09-26 14:48:05 -04:00
josephschorr
ad4efba802
Merge pull request #1830 from coreos-inc/superuser-dashboard
...
Add prometheus stats to enable better dashboarding
2016-09-26 17:19:22 +02:00
Joseph Schorr
25ed99f9ef
Add feature flag to turn off requirement for team invitations
...
Fixes #1804
2016-09-20 16:45:00 -04:00
Joseph Schorr
c7beea2032
Fix handling of custom LDAP cert
...
This change moves the LDAP cert installation into a common script and reorganizes the startup scripts for creating and installing these certs
Fixes #1846
2016-09-19 17:55:08 -04:00
Joseph Schorr
1571b2867a
Add executor name to the build metric
2016-09-16 16:26:04 -04:00
Joseph Schorr
30af8aef1a
Add a worker for reporting global stats to Prometheus
...
Fixes #1789
2016-09-12 16:19:19 -04:00
Joseph Schorr
818ea38dac
Add repo-specific reporting of repository builds
2016-09-09 15:36:54 -04:00
Joseph Schorr
c8a1b8abab
Add prom stats for repository push, pull and verb actions
2016-09-09 15:13:58 -04:00
Jake Moshenko
1d8b72235a
Add a helper method to Image to parse ancestor string.
2016-09-07 10:48:58 -04:00
josephschorr
480d890442
Merge pull request #1771 from coreos-inc/kubernetes-save-error
...
Make sure the Quay Enterprise Kubernetes namespace exists
2016-08-30 12:59:00 -04:00
Joseph Schorr
3f9c82462f
Make sure the Quay Enterprise Kubernetes namespace exists
...
Prevents config from failing to save. Also clarifies any other errors that do occur.
Fixes #1449
2016-08-30 12:58:39 -04:00
Joseph Schorr
aa7c87d765
Fix locking via RedLock
...
Fixes #1777
2016-08-29 16:06:26 -04:00
Joseph Schorr
608ffd9663
Basic labels support
...
Adds basic labels support to the registry code (V2), and the API. Note that this does not yet add any UI related support.
2016-08-26 15:24:26 -04:00
Joseph Schorr
193040a473
Fix tag links
...
Fixes #1741
2016-08-17 15:06:10 -04:00