[Feat]: Ability to generate s3 presign link for blob

[vanhtuan0409]

Is your feature request related to a problem? Please describe.

No response

Describe the solution you'd like

I want to get a s3 pre-sign link for image layer. This way we can tweak the client to download directly from s3 without needing to proxy through Zot

Describe alternatives you've considered

No response

Additional context

No response

[rchincha]

@vanhtuan0409 is this a CDN use case? Also, what would zot actually need to do here?

[vanhtuan0409]

To be more detailed: we are using Zot as an OCI-compliant registry. During the pull operation, the client will actually call GetBlob from the standard OCI API. In turn, Zot will read remote storage (s3 in this scenario) and proxy the content back to the client. The traffic look like this client <--> zot <--> s3

We want to avoid the traffic passing through Zot as this can cause some heavy load. In an ideal condition, we can have a plugin for generating s3 pre-signed link for the client to download

[rchincha]

opencontainers/distribution-spec#299

The opinion in the community is that this should be solved purely via HTTP redirect.
So you would have to build machinery such as once a blob is uploaded to zot, copy it somewhere else and then 30x redirect to that new location. Can this be achieved without doing this in zot?

[vanhtuan0409]

Using the 307 redirect code could solve this issue. I need the client to pull directly from remote storage without causing stress on Zot server

Zot still needs to implement this by returning the 307 redirect code. Do you think that it is a good idea to implement this within the GetBlob handler? I could help making the contribution

[rchincha]

https://doc.traefik.io/traefik/middlewares/http/redirectregex/
You may also want to look at solutions such as this ^ positioned in front of zot.