why is allowCustomCrateRegistries self-hosted only? #18872
-
I believe this was just a code gap, and a PR would be welcome. If I remember correctly, private crate registries were implemented using git, and naturally we wanted to cache the clone instead of cloning once per package, and then we worried about accidentally leaking caches between users. Result: make it self hosted only initially.
-
Ok so a few notes so far. Artifactory (the private registry we're using) does support the sparse index protocol, so that's good. However, it supports it at a different URL space than the git index. e.g. if the git index is at I think I need to add registryAliases support for cargo to do that? And then we need to resolve by direct HTTP call rather than looking up on disk, but that should be about it. I'd also like to add documentation to guide others on this path.
-
The first step would be making sure Renovate can look up the sparse index over HTTP, including populating the hostRules (but the hostRules should be the easy part). Can Renovate detect the custom registry during the cargo extract phase, or would it need to be configured using The second step would be making sure Right now I'm not sure why there's a need for any sandbox concept, or are you worried about Cargo leaking the details somewhere outside the repo directory that's not cleaned up?
-
What is
-
So, I think I have something approximating a branch that should work, but it has a caveat I need to check on :) . Your servers will need to run nightly cargo with two feature flags - -Z registry-auth and -Z sparse-registry. I could:
What do you think?
-
These features are now stable in cargo. I've recently started experimenting with
-
Reviving this thread, since we have a use case for this. We are using a private cargo registry and it has necessitated us migrating off of Mend hosted renovate onto our own self-hosted renovate. Now that we have sparse registries and registry auth in Cargo, are there any fundamental decisions left to make here, or does this just need someone to put in the work?
-
We have a private Cargo repository, conceptually the same as a private Maven repo: there is an encrypted token in a HostRule for the http://HOST/ that the registry is stored on.
Accessing the registry metadata could be done with either the sparse API or a shallow git clone: the credentials we have will do that correctly. As far as I can tell renovate itself isn't dependent on cargo - it parses and processes the data itself, so it should be possible to do that cheaply without having to muck around with the cargo [net] configuration etc - though if you do call out to cargo, environment variables control this and allow overriding things without state management.
If there is no fundamental reason, and it is just a code gap, then I'd be happy enough to put together a PR to enable this, since it would be super useful and avoid having a github action setup just to thunk across.
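The sparse-index lookup discussed in this thread, sketched as an added example (not code from the thread or from Renovate): it builds the index URL for a crate, attaches the host-rule token only to a matching origin, and parses the per-version JSON lines. Every function name, the registry host, the index path and the token are constructed for illustration, and the crate-name pattern is an assumption.

```typescript
// Added example: all names, hosts and tokens here are constructed, not Renovate's code.
interface HostRule { matchHost: string; token: string }
interface IndexEntry { name: string; vers: string; yanked: boolean }

// Conservative ASCII pattern (an assumption for a private registry); it rejects
// '/', '.' and '%', so a crate name cannot step outside the index path.
const CRATE_NAME = /^[A-Za-z0-9][A-Za-z0-9_-]*$/;

// Cargo index layout: 1/<n>, 2/<n>, 3/<first char>/<n>, else <first 2>/<next 2>/<n>.
function indexPath(crate: string): string {
  if (!CRATE_NAME.test(crate)) throw new Error(`invalid crate name: ${crate}`);
  const n = crate.toLowerCase();
  if (n.length <= 2) return `${n.length}/${n}`;
  if (n.length === 3) return `3/${n.charAt(0)}/${n}`;
  return `${n.slice(0, 2)}/${n.slice(2, 4)}/${n}`;
}

// Takes the `sparse+https://...` form used in Cargo configuration.
function sparseIndexUrl(registry: string, crate: string): URL {
  if (!registry.startsWith('sparse+')) throw new Error('not a sparse registry URL');
  const base = registry.slice('sparse+'.length).replace(/\/*$/, '/');
  return new URL(indexPath(crate), base);
}

// Attach the token only when scheme, host and port all match the rule, so a
// registry URL taken from a repository cannot steer the credential elsewhere.
// Cargo sends the configured token verbatim as the Authorization value.
function authHeadersFor(url: URL, rules: HostRule[]): Record<string, string> {
  const rule = rules.find((r) => new URL(r.matchHost).origin === url.origin);
  return rule ? { Authorization: rule.token } : {};
}

// A sparse index file is one JSON object per line, one line per published version.
function releases(body: string): string[] {
  return body.split('\n').filter((line) => line.trim() !== '')
    .map((line): IndexEntry => {
      const e = JSON.parse(line);
      return { name: String(e.name), vers: String(e.vers), yanked: e.yanked === true };
    })
    .filter((e) => !e.yanked).map((e) => e.vers);
}

// Constructed sample data.
const RULES: HostRule[] = [{ matchHost: 'https://registry.example.test', token: 'Bearer CONSTRUCTED' }];
const SAMPLE = [
  '{"name":"acme-core","vers":"0.1.0","deps":[],"cksum":"PLACEHOLDER","features":{},"yanked":false}',
  '{"name":"acme-core","vers":"0.2.0","deps":[],"cksum":"PLACEHOLDER","features":{},"yanked":true}',
  '{"name":"acme-core","vers":"0.3.0","deps":[],"cksum":"PLACEHOLDER","features":{},"yanked":false}',
].join('\n');
```

Matching on the full origin rather than the hostname alone also keeps the token off a plain-HTTP or alternate-port URL for the same host.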