Skip to content

Introduce disable_accept_encoding flag in s3 cache. #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dkostyrev merged 1 commit into from
Apr 1, 2026
Merged

Introduce disable_accept_encoding flag in s3 cache. #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 64 additions & 40 deletions cache/remotecache/s3/s3.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import (
"github.com/aws/aws-sdk-go-v2/feature/s3/manager"
"github.com/aws/aws-sdk-go-v2/service/s3"
s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/aws/smithy-go/middleware"
"github.com/containerd/containerd/v2/core/content"
"github.com/containerd/containerd/v2/pkg/labels"
"github.com/moby/buildkit/cache/remotecache"
Expand All @@ -34,36 +35,38 @@ import (
)

const (
attrBucket = "bucket"
attrRegion = "region"
attrPrefix = "prefix"
attrManifestsPrefix = "manifests_prefix"
attrBlobsPrefix = "blobs_prefix"
attrName = "name"
attrTouchRefresh = "touch_refresh"
attrEndpointURL = "endpoint_url"
attrAccessKeyID = "access_key_id"
attrSecretAccessKey = "secret_access_key"
attrSessionToken = "session_token"
attrUsePathStyle = "use_path_style"
attrUploadParallelism = "upload_parallelism"
maxCopyObjectSize = 5 * 1024 * 1024 * 1024
attrBucket = "bucket"
attrRegion = "region"
attrPrefix = "prefix"
attrManifestsPrefix = "manifests_prefix"
attrBlobsPrefix = "blobs_prefix"
attrName = "name"
attrTouchRefresh = "touch_refresh"
attrEndpointURL = "endpoint_url"
attrAccessKeyID = "access_key_id"
attrSecretAccessKey = "secret_access_key"
attrSessionToken = "session_token"
attrUsePathStyle = "use_path_style"
attrUploadParallelism = "upload_parallelism"
attrDisableAcceptEncoding = "disable_accept_encoding"
maxCopyObjectSize = 5 * 1024 * 1024 * 1024
)

type Config struct {
Bucket string
Region string
Prefix string
ManifestsPrefix string
BlobsPrefix string
Names []string
TouchRefresh time.Duration
EndpointURL string
AccessKeyID string
SecretAccessKey string
SessionToken string
UsePathStyle bool
UploadParallelism int
Bucket string
Region string
Prefix string
ManifestsPrefix string
BlobsPrefix string
Names []string
TouchRefresh time.Duration
EndpointURL string
AccessKeyID string
SecretAccessKey string
SessionToken string
UsePathStyle bool
UploadParallelism int
DisableAcceptEncoding bool
}

func getConfig(attrs map[string]string) (Config, error) {
Expand Down Expand Up @@ -141,20 +144,30 @@ func getConfig(attrs map[string]string) (Config, error) {
uploadParallelism = uploadParallelismInt
}

disableAcceptEncoding := false
disableAcceptEncodingStr, ok := attrs[attrDisableAcceptEncoding]
if ok {
disableAcceptEncodingUser, err := strconv.ParseBool(disableAcceptEncodingStr)
if err == nil {
disableAcceptEncoding = disableAcceptEncodingUser
}
}

return Config{
Bucket: bucket,
Region: region,
Prefix: prefix,
ManifestsPrefix: manifestsPrefix,
BlobsPrefix: blobsPrefix,
Names: names,
TouchRefresh: touchRefresh,
EndpointURL: endpointURL,
AccessKeyID: accessKeyID,
SecretAccessKey: secretAccessKey,
SessionToken: sessionToken,
UsePathStyle: usePathStyle,
UploadParallelism: uploadParallelism,
Bucket: bucket,
Region: region,
Prefix: prefix,
ManifestsPrefix: manifestsPrefix,
BlobsPrefix: blobsPrefix,
Names: names,
TouchRefresh: touchRefresh,
EndpointURL: endpointURL,
AccessKeyID: accessKeyID,
SecretAccessKey: secretAccessKey,
SessionToken: sessionToken,
UsePathStyle: usePathStyle,
UploadParallelism: uploadParallelism,
DisableAcceptEncoding: disableAcceptEncoding,
}, nil
}

Expand Down Expand Up @@ -419,6 +432,17 @@ func newS3Client(ctx context.Context, config Config) (*s3Client, error) {
options.UsePathStyle = config.UsePathStyle
options.BaseEndpoint = aws.String(config.EndpointURL)
}
if config.DisableAcceptEncoding {
// GCS's GFE appends "gzip(gfe)" to the Accept-Encoding header after the
// AWS SDK has signed it as "identity", causing SignatureDoesNotMatch (403).
// Removing the DisableAcceptEncodingGzip middleware prevents the header
// from being added to the request and included in the signature at all.
// See: https://github.com/moby/buildkit/issues/3749
options.APIOptions = append(options.APIOptions, func(stack *middleware.Stack) error {
stack.Finalize.Remove("DisableAcceptEncodingGzip")
return nil
})
}
})

return &s3Client{
Expand Down
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ require (
github.com/aws/aws-sdk-go-v2/credentials v1.19.12
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.10
github.com/aws/aws-sdk-go-v2/service/s3 v1.89.1
github.com/aws/smithy-go v1.24.2
github.com/cespare/xxhash/v2 v2.3.0
github.com/containerd/accelerated-container-image v1.3.0
github.com/containerd/console v1.0.5
Expand Down Expand Up @@ -135,7 +136,6 @@ require (
github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
github.com/aws/smithy-go v1.24.2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
Expand Down
Loading