Skip to content

Notation signature verification re-authenticates to the registry on every request (ORAS auth client has no token cache) #2099

Description

@dipti-pai

When an OCIRepository uses .spec.verify.provider: notation, source-controller constructs an ORAS auth.Client without setting its Cache field. ORAS treats a nil Cache as "no caching", so the registry bearer token is re-fetched on every HTTP request issued during a single verification, rather than being reused across the requests of that verification.

This produces a large, avoidable volume of token-endpoint /oauth2/token requests against the registry, which is especially impactful at fleet scale and on registries that mint per-repository scoped tokens (e.g. Azure Container Registry).

repoClient := &oauth.Client{
    Client:     hc,
    Header:     http.Header{"User-Agent": {"flux"}},
    Credential: credentialProvider,
    // Cache is unset -> nil -> ORAS uses noCache{}
}

A single notation.Verify issues ~4–5 registry requests for one signature, each triggering its own 401 → /oauth2/token

Azure Container Registry diagnostics logs for a ~2h rollout across a fleet of 795 clusters, showed ~60k /oauth2/token calls in the peak hour from UserAgent flux -- Notation verify user-agent. This large volume of token-endpoint requests is unnecessary load on the registry's auth service and risks throttling.

Draft PR (#2098) with fix that initializes a cache while constructing ORAS auth.Client and associated tests showing the same token is used for all requests within a single verify

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/ociOCI related issues and pull requestsbugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions