Move ownership/auth checks from scattered frontend handlers into
schematic.Factory.Get, which now accepts an OwnershipChecker. This
eliminates duplicated checkOwnership methods across http and spdx
frontends and ensures anonymous callers cannot probe schematic
existence when auth is enabled.
Also guard PXE credential embedding behind AuthProvider != nil so
credentials are never propagated when auth is disabled.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Add enterprise-only checksum endpoint: appending .sha256 or .sha512
to any /image/ path returns a single-line checksum file instead of
the asset. Algorithm is selected from the suffix; the Checksummer
interface takes the suffix so no circular import is needed.
Wizard UI shows (sha256) and (sha512) links per download button;
non-enterprise builds show a localized (checksums) tooltip.
Integration tests cover both algorithms (GET, HEAD, validate,
reproducibility, error cases).
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Fixes #408
Now we have proper cache capacity, LRU, and also negative cache TTL to
help with the case when multiple instances might disagree on whether the cache
contains not found or not.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Better test matrix for `EnhanceFromSchematic`.
Fewer duplicates, covers all versions, and easier to add newer Talos versions. This caught a very small bug where `extraKernelArgs` were populated when overlays were used.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add support for serving talosctl-all image which will contain all
talosctls built for all platform/architecture combinations, so we can
offer a download URL for them in Image Factory.
Fixes #260
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
This is not a fix, but a bit of a workaround for issues in the upstream
library.
Use a refresh on interval strategy to ensure that both remote pushers
and pullers are refreshed.
Fixes #231
Fixes #235
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It returns 404 only when trying to pull a layer, but not when we get the
manifest.
Refactor all cases when we try to handle registry errors to use a common
function.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #14
This adds "standard" HTTP metrics for the frontend, and also three kinds
of custom metrics:
* schematic get/create
* system extension popularity score
* asset build metrics: cached/not cached, bytes, requests, in dimension
of asset kind
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pass auth to the registry frontend so that it correctly authenticates to
the registry on uploads/checks.
Refactor the code in the registry frontend to use digest instead of tag
when redirecting a request for additional security.
In the schematic registry storage, push a manifest on top of raw blob to
make sure it doesn't get garbage collected as orphaned. We never use the
manifest though.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Themes the nomenclature to align with Talos Linux
Signed-off-by: Andrew Rynhard <andrew@rynhard.io>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>