feat: support empty repo for image registry

Author: Levi080513

Makefile

@@ -266,6 +266,13 @@ docker-test-core: ## Redeploy local neutree-core for testing
 	docker cp bin/neutree-core neutree-core:/neutree-core
 	docker restart neutree-core
 
+.PHONY: docker-test-db-scripts
+docker-test-db-scripts: ## Overwrite db scripts for testing, and restart related services
+	docker cp db copy-db-scripts:/
+	docker restart copy-db-scripts
+	docker restart migration
+	docker restart post-migration-hook
+
 VENDIR := $(TOOLS_BIN_DIR)/vendir
 
 vendir: $(VENDIR) # Download vendir if not yet.

controllers/image_registry_controller.go

@@ -2,7 +2,6 @@ package controllers
 
 import (
 	"fmt"
-	"net/url"
 	"strconv"
 
 	"github.com/google/go-containerregistry/pkg/authn"
@@ -11,6 +10,7 @@ import (
 
 	v1 "github.com/neutree-ai/neutree/api/v1"
 	"github.com/neutree-ai/neutree/internal/registry"
+	"github.com/neutree-ai/neutree/internal/util"
 	"github.com/neutree-ai/neutree/pkg/storage"
 )
 
@@ -113,20 +113,37 @@ func (c *ImageRegistryController) connectImageRegistry(imageRegistry *v1.ImageRe
 		Password:      imageRegistry.Spec.AuthConfig.Password,
 		Auth:          imageRegistry.Spec.AuthConfig.Auth,
 		IdentityToken: imageRegistry.Spec.AuthConfig.IdentityToken,
-		RegistryToken: imageRegistry.Spec.AuthConfig.IdentityToken,
+		RegistryToken: imageRegistry.Spec.AuthConfig.RegistryToken,
 	}
 
-	registryURL, err := url.Parse(imageRegistry.Spec.URL)
+	imagePrefix, err := util.GetImagePrefix(imageRegistry)
 	if err != nil {
-		return errors.Wrap(err, "failed to parse image registry url "+imageRegistry.Spec.URL)
+		return errors.Wrapf(err, "failed to get image prefix for image registry %s",
+			imageRegistry.Metadata.WorkspaceName())
 	}
 
-	imageRepo := fmt.Sprintf("%s/%s/neutree-serve", registryURL.Host, imageRegistry.Spec.Repository)
+	// For docker.io, we cannot check pull permissions by fetching a non-existent image because Docker Hub supports image-level permission control.
+	// Instead, we use a known public image under the neutree namespace.
+	testImage := fmt.Sprintf("%s/neutree/neutree-serve", imagePrefix)
+
+	// If no credentials or tokens are provided, use anonymous auth which avoids providing empty
+	// Authorization headers that could lead some registries to reject a request as "unauthorized".
+	var authenticator authn.Authenticator
+	if authConfig.Username == "" && authConfig.Password == "" && authConfig.IdentityToken == "" && authConfig.RegistryToken == "" {
+		authenticator = authn.Anonymous
+	} else {
+		authenticator = authn.FromConfig(authConfig)
+	}
 
-	_, err = c.imageService.ListImageTags(imageRepo, authn.FromConfig(authConfig))
+	hasPermission, err := c.imageService.CheckPullPermission(testImage, authenticator)
 	if err != nil {
-		return errors.Wrapf(err, "failed to authenticate with image registry %s/%s at URL %s, repository %s",
-			imageRegistry.Metadata.Workspace, imageRegistry.Metadata.Name, imageRegistry.Spec.URL, imageRepo)
+		return errors.Wrapf(err, "failed to connect %s at URL %s",
+			imageRegistry.Metadata.WorkspaceName(), imageRegistry.Spec.URL)
+	}
+
+	if !hasPermission {
+		return errors.Errorf("no pull permission for image registry %s at URL %s",
+			imageRegistry.Metadata.WorkspaceName(), imageRegistry.Spec.URL)
 	}
 
 	return nil

controllers/image_registry_controller_test.go

@@ -90,7 +90,7 @@ func TestImageRegistryController_Sync_PendingOrNoStatus(t *testing.T) {
 					Username: "test",
 					Password: "test",
 				},
-				Repository: "neutree",
+				Repository: "",
 				URL:        "http://test",
 			},
 		}
@@ -109,7 +109,7 @@ func TestImageRegistryController_Sync_PendingOrNoStatus(t *testing.T) {
 					Username: "test",
 					Password: "test",
 				},
-				Repository: "neutree",
+				Repository: "",
 				URL:        "http://test",
 			},
 		}
@@ -122,17 +122,17 @@ func TestImageRegistryController_Sync_PendingOrNoStatus(t *testing.T) {
 		wantErr   bool
 	}{
 		{
-			name:  "Pending/NoStatus -> Connected (image service list tags success)",
+			name:  "Pending/NoStatus -> Connected (check pull permission success)",
 			input: testImageRegistry(),
 			mockSetup: func(input *v1.ImageRegistry, s *storagemocks.MockStorage, imageSvc *registrymocks.MockImageService) {
-				imageSvc.On("ListImageTags", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+				imageSvc.On("CheckPullPermission", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
 					image := args.Get(0).(string)
 					assert.Equal(t, "test/neutree/neutree-serve", image)
 					arg := args.Get(1).(authn.Authenticator)
 					authConfig, _ := arg.Authorization()
 					assert.Equal(t, input.Spec.AuthConfig.Username, authConfig.Username)
 					assert.Equal(t, input.Spec.AuthConfig.Password, authConfig.Password)
-				}).Return(nil, nil)
+				}).Return(true, nil)
 				s.On("UpdateImageRegistry", "1", mock.Anything).Run(func(args mock.Arguments) {
 					arg := args.Get(1).(*v1.ImageRegistry)
 					assert.Equal(t, v1.ImageRegistryPhaseCONNECTED, arg.Status.Phase)
@@ -141,17 +141,17 @@ func TestImageRegistryController_Sync_PendingOrNoStatus(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name:  "Pending/NoStatus -> Failed (image service list tags failed)",
+			name:  "Pending/NoStatus -> Failed (check pull permission failed)",
 			input: testImageRegistry(),
 			mockSetup: func(input *v1.ImageRegistry, s *storagemocks.MockStorage, imageSvc *registrymocks.MockImageService) {
-				imageSvc.On("ListImageTags", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+				imageSvc.On("CheckPullPermission", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
 					image := args.Get(0).(string)
 					assert.Equal(t, "test/neutree/neutree-serve", image)
 					arg := args.Get(1).(authn.Authenticator)
 					authConfig, _ := arg.Authorization()
 					assert.Equal(t, input.Spec.AuthConfig.Username, authConfig.Username)
 					assert.Equal(t, input.Spec.AuthConfig.Password, authConfig.Password)
-				}).Return(nil, assert.AnError)
+				}).Return(false, assert.AnError)
 				s.On("UpdateImageRegistry", "1", mock.Anything).Run(func(args mock.Arguments) {
 					arg := args.Get(1).(*v1.ImageRegistry)
 					assert.Equal(t, v1.ImageRegistryPhaseFAILED, arg.Status.Phase)
@@ -204,7 +204,7 @@ func TestImageRegistryController_Sync_Conneted(t *testing.T) {
 					Password: "test",
 				},
 				URL:        "http://test",
-				Repository: "neutree",
+				Repository: "",
 			},
 			Status: &v1.ImageRegistryStatus{Phase: v1.ImageRegistryPhaseCONNECTED},
 		}
@@ -223,7 +223,7 @@ func TestImageRegistryController_Sync_Conneted(t *testing.T) {
 					Password: "test",
 				},
 				URL:        "http://test",
-				Repository: "neutree",
+				Repository: "",
 			},
 			Status: &v1.ImageRegistryStatus{Phase: v1.ImageRegistryPhaseCONNECTED},
 		}
@@ -236,32 +236,32 @@ func TestImageRegistryController_Sync_Conneted(t *testing.T) {
 		wantErr   bool
 	}{
 		{
-			name:  "Connected -> Connected (image service list tags success)",
+			name:  "Connected -> Connected (check pull permission success)",
 			input: testImageRegistry(),
 			mockSetup: func(input *v1.ImageRegistry, s *storagemocks.MockStorage, imageSvc *registrymocks.MockImageService) {
-				imageSvc.On("ListImageTags", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+				imageSvc.On("CheckPullPermission", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
 					image := args.Get(0).(string)
 					assert.Equal(t, "test/neutree/neutree-serve", image)
 					arg := args.Get(1).(authn.Authenticator)
 					authConfig, _ := arg.Authorization()
 					assert.Equal(t, input.Spec.AuthConfig.Username, authConfig.Username)
 					assert.Equal(t, input.Spec.AuthConfig.Password, authConfig.Password)
-				}).Return(nil, nil)
+				}).Return(true, nil)
 			},
 			wantErr: false,
 		},
 		{
-			name:  "Connected -> Failed (image service list tags failed)",
+			name:  "Connected -> Failed (check pull permission failed)",
 			input: testImageRegistry(),
 			mockSetup: func(input *v1.ImageRegistry, s *storagemocks.MockStorage, imageSvc *registrymocks.MockImageService) {
-				imageSvc.On("ListImageTags", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+				imageSvc.On("CheckPullPermission", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
 					image := args.Get(0).(string)
 					assert.Equal(t, "test/neutree/neutree-serve", image)
 					arg := args.Get(1).(authn.Authenticator)
 					authConfig, _ := arg.Authorization()
 					assert.Equal(t, input.Spec.AuthConfig.Username, authConfig.Username)
 					assert.Equal(t, input.Spec.AuthConfig.Password, authConfig.Password)
-				}).Return(nil, assert.AnError)
+				}).Return(false, assert.AnError)
 				s.On("UpdateImageRegistry", "1", mock.Anything).Run(func(args mock.Arguments) {
 					arg := args.Get(1).(*v1.ImageRegistry)
 					assert.Equal(t, v1.ImageRegistryPhaseFAILED, arg.Status.Phase)
@@ -315,7 +315,7 @@ func TestImageRegistryController_Sync_Failed(t *testing.T) {
 					Username: "test",
 					Password: "test",
 				},
-				Repository: "neutree",
+				Repository: "",
 				URL:        "http://test",
 			},
 			Status: &v1.ImageRegistryStatus{Phase: v1.ImageRegistryPhaseFAILED},
@@ -334,7 +334,7 @@ func TestImageRegistryController_Sync_Failed(t *testing.T) {
 					Username: "test",
 					Password: "test",
 				},
-				Repository: "neutree",
+				Repository: "",
 				URL:        "http://test",
 			},
 			Status: &v1.ImageRegistryStatus{Phase: v1.ImageRegistryPhaseFAILED},
@@ -348,17 +348,17 @@ func TestImageRegistryController_Sync_Failed(t *testing.T) {
 		wantErr   bool
 	}{
 		{
-			name:  "Failed -> Connected (image service list tags success)",
+			name:  "Failed -> Connected (check pull permission success)",
 			input: testImageRegistry(),
 			mockSetup: func(input *v1.ImageRegistry, s *storagemocks.MockStorage, imageSvc *registrymocks.MockImageService) {
-				imageSvc.On("ListImageTags", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+				imageSvc.On("CheckPullPermission", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
 					image := args.Get(0).(string)
 					assert.Equal(t, "test/neutree/neutree-serve", image)
 					arg := args.Get(1).(authn.Authenticator)
 					authConfig, _ := arg.Authorization()
 					assert.Equal(t, input.Spec.AuthConfig.Username, authConfig.Username)
 					assert.Equal(t, input.Spec.AuthConfig.Password, authConfig.Password)
-				}).Return(nil, nil)
+				}).Return(true, nil)
 				s.On("UpdateImageRegistry", "1", mock.Anything).Run(func(args mock.Arguments) {
 					arg := args.Get(1).(*v1.ImageRegistry)
 					assert.Equal(t, v1.ImageRegistryPhaseCONNECTED, arg.Status.Phase)
@@ -367,17 +367,17 @@ func TestImageRegistryController_Sync_Failed(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name:  "Failed -> Failed (image service list tags failed)",
+			name:  "Failed -> Failed (check pull permission failed)",
 			input: testImageRegistry(),
 			mockSetup: func(input *v1.ImageRegistry, s *storagemocks.MockStorage, imageSvc *registrymocks.MockImageService) {
-				imageSvc.On("ListImageTags", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+				imageSvc.On("CheckPullPermission", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
 					image := args.Get(0).(string)
 					assert.Equal(t, "test/neutree/neutree-serve", image)
 					arg := args.Get(1).(authn.Authenticator)
 					authConfig, _ := arg.Authorization()
 					assert.Equal(t, input.Spec.AuthConfig.Username, authConfig.Username)
 					assert.Equal(t, input.Spec.AuthConfig.Password, authConfig.Password)
-				}).Return(nil, assert.AnError)
+				}).Return(false, assert.AnError)
 				// Defer block updates status to FAILED when connection fails
 				s.On("UpdateImageRegistry", "1", mock.Anything).Run(func(args mock.Arguments) {
 					arg := args.Get(1).(*v1.ImageRegistry)

db/migrations/030_support_empty_repo.down.sql

@@ -0,0 +1,21 @@
+------------------------------------
+-- Image Registry Repo Validation
+------------------------------------
+CREATE OR REPLACE FUNCTION api.validate_image_registry_repo()
+RETURNS TRIGGER AS $$
+BEGIN
+    IF (NEW.spec).repository IS NULL OR trim((NEW.spec).repository) = '' THEN
+        RAISE sqlstate 'PGRST'
+            USING message = '{"code": "10013","message": "spec.repository is required","hint": "Provide Image Registry Repo"}',
+            detail = '{"status": 400, "headers": {"X-Powered-By": "Neutree"}}';
+    END IF;
+
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+DROP TRIGGER IF EXISTS validate_image_registry_repo_on_image_registry ON api.image_registries;
+CREATE TRIGGER validate_image_registry_repo_on_image_registry
+    BEFORE INSERT OR UPDATE ON api.image_registries
+    FOR EACH ROW
+    EXECUTE FUNCTION api.validate_image_registry_repo();

db/migrations/030_support_empty_repo.up.sql

@@ -0,0 +1,2 @@
+DROP TRIGGER IF EXISTS validate_image_registry_repo_on_image_registry on api.image_registries;
+DROP FUNCTION IF EXISTS api.validate_image_registry_repo();

internal/accelerator/plugin/amd_gpu.go

@@ -165,7 +165,7 @@ func (p *AMDGPUAcceleratorPlugin) GetSupportEngines(ctx context.Context) (*v1.Ge
 					ValuesSchema: llamaCppDefaultEngineSchema,
 					Images: map[string]*v1.EngineImage{
 						"cpu": {
-							ImageName: "llama-cpp",
+							ImageName: "neutree/llama-cpp-python", // no official llama-cpp-python image, so use neutree image
 							Tag:       "v0.3.6",
 						},
 					},
@@ -198,8 +198,8 @@ func (p *AMDGPUAcceleratorPlugin) GetSupportEngines(ctx context.Context) (*v1.Ge
 					ValuesSchema: vllmDefaultEngineSchema,
 					Images: map[string]*v1.EngineImage{
 						"amd_gpu": {
-							ImageName: "vllm",
-							Tag:       "v0.8.5-rocm",
+							ImageName: "rocm/vllm", // use official vllm image with amd gpu support
+							Tag:       "rocm6.3.1_vllm_0.8.5_20250521",
 						},
 					},
 					DeployTemplate: map[string]map[string]string{

internal/accelerator/plugin/gpu.go

@@ -145,7 +145,7 @@ func (p *GPUAcceleratorPlugin) GetSupportEngines(ctx context.Context) (*v1.GetSu
 					ValuesSchema: llamaCppDefaultEngineSchema,
 					Images: map[string]*v1.EngineImage{
 						"cpu": {
-							ImageName: "llama-cpp",
+							ImageName: "neutree/llama-cpp-python", // no official llama-cpp-python image, so use neutree image
 							Tag:       "v0.3.6",
 						},
 					},
@@ -178,7 +178,7 @@ func (p *GPUAcceleratorPlugin) GetSupportEngines(ctx context.Context) (*v1.GetSu
 					ValuesSchema: vllmDefaultEngineSchema,
 					Images: map[string]*v1.EngineImage{
 						"nvidia_gpu": {
-							ImageName: "vllm",
+							ImageName: "vllm/vllm-openai", // use official vllm image with nvidia gpu support
 							Tag:       "v0.8.5",
 						},
 					},

internal/cluster/component/metrics/manifests.go

@@ -192,7 +192,7 @@ spec:
       serviceAccountName: vmagent-service-account
       containers:
       - name: vmagent
-        image: {{ .ImagePrefix }}/vmagent:{{ .Version }}
+        image: {{ .ImagePrefix }}/victoriametrics/vmagent:{{ .Version }}
         args:
         - --promscrape.config=/etc/prometheus/prometheus.yml
         - --promscrape.configCheckInterval=10s

internal/cluster/component/metrics/metrics_resource_test.go

@@ -40,7 +40,7 @@ func TestBuildVMAgentDeployment(t *testing.T) {
 			assert.Equal(t, "vmagent", deployment.GetName(), "Deployment name mismatch")
 			assert.Equal(t, "vmagent", deployment.GetLabels()["app"], "Deployment app label mismatch")
 			assert.Equal(t, int32(1), *deployment.Spec.Replicas, "Deployment replicas mismatch")
-			assert.Equal(t, "test-image-prefix/vmagent:v1.115.0", deployment.Spec.Template.Spec.Containers[0].Image, "Deployment image mismatch")
+			assert.Equal(t, "test-image-prefix/victoriametrics/vmagent:v1.115.0", deployment.Spec.Template.Spec.Containers[0].Image, "Deployment image mismatch")
 			assert.Equal(t, "test-image-pull-secret", deployment.Spec.Template.Spec.ImagePullSecrets[0].Name, "Deployment image pull secret mismatch")
 			return
 		}

internal/cluster/component/router/manifests.go

@@ -81,7 +81,7 @@ spec:
       serviceAccountName: router-service-account
       containers:
       - name: router
-        image: {{ .ImagePrefix }}/router:{{ .Version }}
+        image: {{ .ImagePrefix }}/neutree/router:{{ .Version }}
         env:
         - name: LMCACHE_LOG_LEVEL
           value: DEBUG