Gitlab + S3: Percent encoding 307 URL causes 403 Forbidden #1590
Comments
Thanks for the detailed analysis. Looks like you really got to the root of the issue. I've looked into our codebase and figured out what's happening. Basically,

URL url3 = new URL("http://example.com?query=string%2Fpart");
System.out.println(url3);
System.out.println(new GenericUrl(url3));
System.out.println(new GenericUrl(url3).toURL().toString());

prints

Jib uses the Google HTTP Client library, and as this comment says, I don't see a way to not use

Then, a question remains if this decoding is the bug of

/**
 * A string of characters that do not need to be encoded when used in URI query strings, as
 * specified in RFC 3986. Note that some of these characters do need to be escaped when used in
 * other parts of the URI.
 */
public static final String SAFEQUERYSTRINGCHARS_URLENCODER = "-_.!~*'()@:$,;/?:";

So, it seems the best and fast solution is to fix whatever behind
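The round trip discussed in the comment above, modelled as an added example (not Jib's or the Google HTTP Client's own code): each query component is decoded and then re-encoded with the safe-character set quoted above, so `%2F` comes back as a literal `/` and the resent URL no longer matches the `Location` header byte for byte. The class and method names, the query string and its parameter names are constructed for illustration; `URLDecoder.decode(String, Charset)` requires Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/** Added example: models a decode-then-re-encode round trip of a redirect Location query. */
public class RedirectQueryRoundTrip {

    // Safe set quoted in the comment above (SAFEQUERYSTRINGCHARS_URLENCODER); note it contains '/'.
    static final String SAFE_QUERY_CHARS = "-_.!~*'()@:$,;/?:";

    /** Percent-encodes every UTF-8 byte that is not alphanumeric or in SAFE_QUERY_CHARS. */
    static String escape(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xFF);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (alnum || SAFE_QUERY_CHARS.indexOf(c) >= 0) {
                out.append(c);
            } else {
                out.append(String.format("%%%02X", b & 0xFF));
            }
        }
        return out.toString();
    }

    /** Decodes each query name and value, then re-encodes it: this is the lossy step. */
    static String roundTripQuery(String rawQuery) {
        StringBuilder out = new StringBuilder();
        for (String pair : rawQuery.split("&")) {
            String[] kv = pair.split("=", 2);
            if (out.length() > 0) out.append('&');
            out.append(escape(URLDecoder.decode(kv[0], StandardCharsets.UTF_8)));
            if (kv.length == 2) out.append('=').append(escape(URLDecoder.decode(kv[1], StandardCharsets.UTF_8)));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed Location query; placeholder names and values, not taken from the issue's logs.
        String location = "signed-scope=KEYID%2F20190101%2Fregion%2Fs3&expires=900&sig=abc%2Bdef%3D";
        String resent = roundTripQuery(location);
        System.out.println("Location from 307: " + location);
        System.out.println("After round trip : " + resent);
        // A redirect follower can compare the two and resend the Location verbatim when they differ.
        System.out.println("Byte-identical   : " + location.equals(resent));
    }
}
```

Only the `%2F` sequences change in this sample: `%2B` and `%3D` survive because `+` and `=` are not in the safe set.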
Apparently this is a thing: https://github.com/ceph/ceph/pull/23652/files
Our gitlab team is currently working to implement this fix and I'll update here once we have some results.
Aaaaaand we got it! After implementing this fix we are able to successfully and successively push to Gitlab S3-backed container registries :) 🚀 🚀 🚀
@alkoclick great to hear it worked! Thanks for the update. 👍
Description of the issue:
So, this is an issue that's been troubling me for quite some time now and has been an open ticket to our Gitlab team for a few days.
The CERN Gitlab registry is connected to S3 buckets on the backend. I have been replacing the deprecated Docker-Maven plugin in the CERN c2mon project and I noticed that a lot of my image pushes failed, but some of them got through. This only happened for jib pushes and only happened for Gitlab registries. Eventually I realized that only my first push to a specific tag got through, while the rest failed.
The problem, in bullet points:
Works as expected
Fails
Expected behavior:
mvn jib:build results in the image being pushed to the remote gitlab registry
Steps to reproduce:
Neither minimal nor precise, I know
Environment:
jib-maven-plugin
Configuration: The subprojects override the image.base and image.name
Log output:
(Truncated, a lot)
Additional Information:
It all comes down to this:
JiB executes:
while the location returned from the 307 is
It's the percent encoding or rather, decoding, that's causing this. I am not an expert, but my understanding is that S3 expects the exact same URL that GitLab redirected us to, and the percent decoding is messing the authorization up. When I manually curl to the percent encoded address I can get my requests through.
Wow, that was a long read! Keep up the awesome work!