[RFE] Make the Authorization request scope for all (or main) repository and not specific repository

[syahrul-aiman]

Version

$ oc-mirror version
WARNING: This version information is deprecated and will be replaced with the output from --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"", Minor:"", GitVersion:"4.16.0-202410242205.p0.g819f011.assembly.stream.el9-819f011", GitCommit:"819f0115e4be3f55ed7d4edae1c38035811771ae", GitTreeState:"clean", BuildDate:"2024-10-25T08:17:39Z", GoVersion:"go1.21.13 (Red Hat 1.21.13-3.module+el8.10.0+22345+acdd8d0e) X:strictfipsruntime", Compiler:"gc", Platform:"linux/amd64"}

What happened?

oc mirror keep on requesting for authorization token for the same registry but different repository

Attach the relevant portions of your .oc-mirror.log.

$ cat .oc-mirror.log | grep curl | grep 'registry.redhat.io/auth' | wc -l
curl -v -XGET  -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Authorization: Basic <masked>" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aoadp%2Foadp-velero-restic-restore-helper-rhel8%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aoadp%2Foadp-velero-plugin-rhel8%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aopenshift4%2Fose-csi-external-attacher-rhel8%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aodf4%2Fodf-csi-addons-sidecar-rhel9%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aopenshift4%2Fose-csi-external-snapshotter-rhel9%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aoadp%2Foadp-mustgather-rhel8%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aamq-streams%2Fkafka-38-rhel9%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aopenshift4%2Fose-csi-external-snapshotter-rhel8%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aoadp%2Foadp-velero-rhel9%3Apull&service=docker-registry'
curl -v -XGET  -H "Authorization: Basic <masked>" -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aoadp%2Foadp-velero-plugin-for-aws-rhel9%3Apull&service=docker-registry'
curl -v -XGET  -H "User-Agent: oc-mirror/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Authorization: Basic <masked>" 'https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=%7CXXXXXXXXXXXX&scope=repository%3Aamq-streams%2Fstrimzi-rhel9-operator%3Apull&service=docker-registry'

What did you expect to happen?

Make the Authorization request scope for all (or main) repository and not specific repository, so that the token can be reused. For example, instead of these scopes:

• repository:amq-streams/strimzi-rhel9-operator:pull
• repository:amq-streams/kafka-38-rhel9:pull

Combine them to this scope:

• repository:amq-streams/*:pull

How to reproduce it (as minimally and precisely as possible)?

$ oc mirror --config yaml/imageset-config.yaml docker://127.0.0.1:80/mirror --dest-skip-tls --ignore-history --dest-use-http -v 9

Anything else we need to know?

N/A

References

N/A