When an OCIRepository uses .spec.verify.provider: notation, source-controller constructs an ORAS auth.Client without setting its Cache field. ORAS treats a nil Cache as "no caching", so the registry bearer token is re-fetched on every HTTP request issued during a single verification, rather than being reused across the requests of that verification.
This produces a large, avoidable volume of token-endpoint /oauth2/token requests against the registry, which is especially impactful at fleet scale and on registries that mint per-repository scoped tokens (e.g. Azure Container Registry).
repoClient := &oauth.Client{
Client: hc,
Header: http.Header{"User-Agent": {"flux"}},
Credential: credentialProvider,
// Cache is unset -> nil -> ORAS uses noCache{}
}
A single notation.Verify issues ~4–5 registry requests for one signature, each triggering its own 401 → /oauth2/token
Azure Container Registry diagnostics logs for a ~2h rollout across a fleet of 795 clusters, showed ~60k /oauth2/token calls in the peak hour from UserAgent flux -- Notation verify user-agent. This large volume of token-endpoint requests is unnecessary load on the registry's auth service and risks throttling.
Draft PR (#2098) with fix that initializes a cache while constructing ORAS auth.Client and associated tests showing the same token is used for all requests within a single verify
When an OCIRepository uses
.spec.verify.provider: notation, source-controller constructs an ORASauth.Clientwithout setting itsCachefield. ORAS treats a nilCacheas "no caching", so the registry bearer token is re-fetched on every HTTP request issued during a single verification, rather than being reused across the requests of that verification.This produces a large, avoidable volume of token-endpoint
/oauth2/tokenrequests against the registry, which is especially impactful at fleet scale and on registries that mint per-repository scoped tokens (e.g. Azure Container Registry).A single notation.Verify issues ~4–5 registry requests for one signature, each triggering its own 401 →
/oauth2/tokenrepo.Resolve— resolve the artifact manifestrepo.ListSignatures— Referrers API, +1 if it falls back to the tag schemarepo.FetchSignatureBlob— fetch the signature manifest (1) and signature blobAzure Container Registry diagnostics logs for a ~2h rollout across a fleet of 795 clusters, showed ~60k
/oauth2/tokencalls in the peak hour from UserAgentflux-- Notation verify user-agent. This large volume of token-endpoint requests is unnecessary load on the registry's auth service and risks throttling.Draft PR (#2098) with fix that initializes a cache while constructing ORAS
auth.Clientand associated tests showing the same token is used for all requests within a singleverify