►
Description
Related issue: https://gitlab.com/gitlab-org/gitlab/-/issues/327311
A
Okay,
so
hello,
everyone.
This
is
the
package
team.
We
are
going
to
do
an
investigation
around
an
issue
that
we
are
having
with
an
api
endpoint
at
a
group
level
to
list
container
repositories
under
gryphon
group.
A
Okay,
so
this
is
the
issue
that
we
have
it's
been
around
for
a
while
five
months
already-
and
this
is
the
api
endpoints
and
the
problem
is
that
whenever
someone
invokes
these
endpoints
and
sets
this
parameter
to
true
rails,
will
pull
the
list
of
tags
for
each
one
of
the
repositories
under
the
group
and
return
that
in
a
single
response.
So
if
a
group
has
10
repositories
rails
will
first
query
the
database
to
get
the
list
of
those
repositories.
A
So
that's
fast,
but
then,
if
tax
is
set
to
true
rails,
will
issue
one
request
per
repository
against
the
container
registry
to
get
the
tag
list
and
that's
the
problem,
because
it
takes
a
lot
if
there
are
a
lot
of
repositories.
A
So
I've
created
this
this
issue
a
while
ago,
but
there
are
still
some
open
questions
that
we
need
to
answer,
and
I
was
mainly
concerned
with
the
approach
to
invalidate
a
cache.
A
A
So
I
think
so.
I
I
looked
at
this
not
too
long
ago
for
the
registry
migration
work,
and
that
was
the
conclusion,
but
yeah
for
demonstration
purposes.
Let's
make
sure
that
it
is
the
case.
So
what
I
have
here
by
the
way
can
you
read
this?
Probably
it's
easier
this
way?
Okay!
So
what
I
have
here
on
the
top
side?
Basically,
I'm
I'm
putting
many
in
the
middle
proxy
between
the
docker
clients
and
the
gitlab
registry,
so
that
we
can
inspect
the
network
requests
that
go
from
from
my
machine
to
the
gitlab
content
registry.
A
A
Okay
and
I'm
back
so
I
just
pushed
an
image
to
the
registry.
Now,
let's
inspect
the
list
of
requests
that
happen
it
here,
so
the
first
one,
the
stop
one
always
happens.
It's
the
client
checking
that
the
registry
supports
the
v2
protocol,
so
there
is
a
request
without
any
authentication,
and
then
the
registry
will
complain
and
say
you
need
to
authenticate.
A
So
that
is
fine.
We
know
that
pushing
always
requests
a
token
if
we
try
to
pull
it
to
pull
that
image
once
again
same
thing
should
happen
so
same
thing.
A
A
So
you
always
always
require
it
always
request
a
token
before
any
of
the
operations.
Even
if
it's
the
exact
same
operation
multiple
times,
it
will
request
the
token
again
and
again
and
and
again,
oh
yeah,
so
that
should
be
fine,
so
yeah.
So
the
next
thing
is
trying
to
pull
an
image
from
a
public
repository.
A
We
always
get
a
token
from
the
from
the
rails
api
before
pulling
or
pushing
to
repository
regardless
if
it
is
public
or
not,
and
then
the
second
point
that
I
have
here
is
yeah
related
with
third
party
registries,
which
may
not
or
will
not
authenticate
with
the
gitlab
api,
and
that
means
that
we
can't
rely
on
it
for
this
feature,
which
means
that
this
feature
caching,
the
tag
lists
can
only
be
done
for
gitlab.com
and
for
a
self-managed
using
the
the
gitlab
container
registry.
A
I
think
that's
fine,
because
right
now
the
main
problem
that
we
have
is
with
gitlab.com.
We
could
ship
this
for
self-managed
as
well,
but
there
determining
the
version
of
the
registry
is
not
that
accurate.
We
do
have.
I
think
we
still
do
have
in
place
something
to
detect
that
version
and
vendor,
but
it
may
change
and
the
priority
is
really
gitlab.com,
so
that
should
be
fine,
regardless
yeah.
Let's,
I
think
we
should
put
this
behind
the
feature
flag
and
then
make
sure
that
it
only
works
first
for
gitlab.com
and
that's
it.
A
I
think
we
already
have
something
like
that
or
head
for
cleanup
policies
right.
We
do
a
check
if
we
are
in
gitlab.com
or
not
yeah,
we
do
yeah,
so
it
would
be
something
similar,
a
future
flag
or
checking
if
it
is
gitlab.com
and
then
checking
if
the
future
flight
is
enabling
and
the
next
one
radius
or
database
yeah.
I
yeah.
I
think
this
is
not
a
question.
Ready
should
be
the
place
to
go.
I
I
guess
some.
A
There
might
be
some
concerns
about
size
because
for
some
repositories
there
are
like
thousands
and
thousands
of
tags,
and
those
tech
can
be
large
in
name
like
if
they
are
a
commit.
A
They
are
like
40
shards
links.
If
you
have
5
000
tags,
that's
a
lot
of
text,
but
still,
I
think,
that's
not
a
problem,
although
we
can
validate
with
with
the
radius
expert,
but
I
think
we
should.
We
should
be
fine.
A
A
And
then
making
sure
that
we
can
first
fill
that
cache
and
then
empty
the
cache
whenever
a
token
is
requested.
So
basically,
if,
if
someone
tries
to
write
stuff
or
delete
stuff
from
a
repository
once
we
generate
a
token,
we
need
to
reset
the
tag
list,
cache
and
assume
that
the
repository
is
going
to
change,
and
so
in
the
next
query,
to
that
endpoint
we
need
to
retrieve
the
type
list.
Once
again,
I
think.
A
A
Yeah
so
once
or
before
we
end
over
the
token,
in
the
authentication
service,
we
have
to
reset
the
cashier
if
authorized
actions
includes
push
or
delete,
so
that
should
be
easy
to
do
and
because
it's
ready
there
is
no
problem
of
requiring
a
right
database
connection
here,
which
would
be
problematic.
A
A
Yeah,
so
it's
this
one,
it
gets
the
the
repositories
list
and
then
it
does
the
pagination
using
that
entity
yeah,
and
this
is
the
the
parameter
that
may
be
true,
and
if
it
is
true,
it's
going
to
expose
text-
and
I
guess
text
comes
from
the.
B
A
So
if
we,
if
we
did
the
caching
gear,
that
would
mean
that
it
would
apply
to
every
single
functionality
that
retrieves
the
tag
list
from
the
container
registry,
and
I
think
that's
a
bad
idea,
because
a
problem
with
it
could
impact
everything
like
ui,
normal
api
requests,
even
clean
up
policies
as
well.
So,
ideally,
we
would
do
it
as
close
to
the
to
the
group
level
endpoints
as
possible.
B
A
Yeah,
okay,
I
think
that
works
so
basically
the
first
well,
whenever
it
is
called
before
going
to
the
registry,
we
check
if
the
the
entry
exists
in
radius.
If
it
is,
we
read
from
there,
if
not
we'll,
let
it
go
to
to
the
registry
and
then
fill
the
cache
but
yeah,
basically
that
check
for
every
single
request
check.
If
the
repository
cache
entry
is
filled,
if
not
feel
it
from
there
and
yeah.
A
I
think
it's
a
it's
better
to
do
it
just
for
the
api,
and
even
we
can
probably
even
go
further
and
wrap
this
with
with
a
project
level
feature
flag
so
that
we
can
enable
it
just
for
there
are
only
I
think
two
or
for
projects
which
are
causing
performance
problems
in
production
and
they
all
belong
to
the
same
to
the
same
top
level
namespace.
A
So
we
can
even
do
that
at
the
api
level
and
make
it
even
more
specific
by
only
targeting
that
that
namespace
or
those
four
projects
where
this
is
currently
a
problem,
and
if
it
works
great,
then
we
can
extend
it
like
with
a
percentage-based
rollout
to
two
others.
A
But,
for
example,
here
you
could
still
get
it
right,
so
this
one
must
be
instances
of
container
repository
right,
yeah
and
from
in
fro
and
from
there
you
you
could
check
it's
not
listed
here
but
yeah,
but
I
I
remember
you
can
check
the
the
top
level
namespace
or
you
can
even
dot
project,
and
it
will
give
you
the
project,
so
we
could
perhaps
use
that
and
and
before
and
before
serving
because
the
thing
is,
if
we
yeah
for
project,
maybe
it's
not
a
good
idea,
but
we
could
likely
do
it
for
group
right
because
the
api
is
group
is
at
a
group
level,
so
it
will
always
be
the
same
group
for
every
container
repository.
A
A
And
we
would
limit
that
to
that
specific
top
level
group
that
is
causing
problems
right
now
on
gitlab.com
and
if
it
works,
we
could
do
a
percentage-based
rollout
for
everyone
else.
A
Just
for
the
api
and
then
if
it's
or
if
it
works
great,
we
can
extend
it
beyond
the
api
but
yeah
in
validating
cash
and
all
of
that
it's
it's
always
tricky.
So
it's
easy
to
to
get
into
trouble,
so
the
the
the
smallest
we
start,
the
better.
I
think.
B
A
I
think
the
probably
the
the
main
question
is
where,
where
where
we
need
to
intercept
that
these
requests
to
fill
the
cache
or
read
from
the
cache
but
yeah,
probably
here
at
the
api
level
and
then
what's
the
best
data
structure
to
save
these
and
radius,
taking
into
account
that
the
list
of
values
can
can
grow
large,
I
think,
on
average,
from
the
analysis
that
we
did
to
the
inventory.
A
A
Based
on
that,
like
assume
that
all
variable
tags
will
be
as
large
as
possible
on
the
name
like
40
shards,
for
the
git
commission
and
and
assume
that
rupees
will
have
like
5
000
text
or
something
and
then
pick
a
structure
that
will
fit
that.
C
B
We
will
expire
them
manually,
so
if
we
don't
need
that
we
can
use
the
whales
multi
write
command,
that
we
write
to
two
radius
in
a
single
way.
This
command,
and
actually
the
nice
thing
with
that-
is
that
it
will
take
the
value
serialize
it
and
then
you
you
can
there
is
an
option
to
compress
the
value,
because
the
the
serialization
output
is
a
string
and
then
you
can.
You
have
an
option
to
compress
that
that
string,
yeah.
C
A
Yeah
yeah,
I
think,
that's
okay
and
we
will
have
a
limited
setup
for
repositories
cached
at
least
for
now.
So
we
can
always
change
the
the
structure
if
it
starts
to
cause
problems,
but
I
think
that
yeah,
I
think
that
that
should
be
fine.
A
I
I
think
that
well
for
gitlab.com-
maybe
that's
not
a
good
idea
if
this
goes
to
self-managed
yeah,
maybe,
but
given
that
we
will
start
small
and
just
enable
this
for
a
couple
of
namespaces.
A
If
there
is
a
problem,
we
can
expire
it
manually,
our
support
can
expire
manually
or
we
can
even
disable
the
feature
flag.
So
I
guess
we
should
be
fine
without
it
for
a
first
iteration
yeah.
It
was
more.
A
Yeah
yeah
I
mean
if
it
turns
out
to
work
great
yeah,
then
we
would
like
to
think
about
how
to
make
it
scale
like
applied
to
everything,
but
I,
in
the
end,
I
don't
think
we
will
want
to
apply
to
to
everything
like
when
you
are
on
the
ui.
A
A
So
I
can
think
I
can
I
can
yeah,
I
can
think
of
any
problem
yeah.
The
the
main
question
for
me
was
whether
we
would
be
able
to
intercept
that
at
a
higher
level
because
doing
it
at
the
lower
level.
We
would
be
too
impactful
and
risky,
but
yeah
other
than
that.
I
think
we,
I
think
we're
good.
A
B
B
You
can
just
compress
that
output
for
the.
A
A
And
then
probably
request
some
feedback
from
radius
exports,
maybe
andrew
or
bob
yeah,
and
they
should
they
should
be
able
to
help
us
find
the
optimal
solution,
but
again
yeah,
just
because
we
are
starting
with
just
a
couple
of
groups.