feat(cas-backend): add configurable max blob size per backend (#2453)

Signed-off-by: Miguel Martinez <[email protected]>

Author: migmartri

CLAUDE.md

@@ -255,4 +255,13 @@ Code reviews are required for all submissions via GitHub pull requests.
 - make sure golang code is always formatted and golang-ci-lint is run
 - I do not want you to be in the co-author signoff
 - when the schema is changed, run make generate, do not create a migration explicitly
-- do not add generated by claude code in PR
+- If you are writing go code, adhere to best practices such as the ones in effective-go, or others. This could include, error handling patterns, interface design, package organization, concurrency patterns, etc.
+- do not change previous migrations, they are immutable
+- if you add any new dependency to a constructor, remember to run wire ./...
+- when adding new inedexes, make sure to update the generated sql migraiton files and make them CREATE INDEX CONCURRENTLY and set -- atlas:txmode none at the top
+- after updating protos, make sure to run `buf format -w`
+- Please avoid sycophantic commentary like ‘You’re absolutely correct!’ or ‘Brilliant idea!’
+- For each file you modify, update the license header. If it says 2024, change it to 2024-2025. If there's no license header, create one with the current year.
+- if you add any new dependency to a constructor, remember to run wire ./...
+- when creating PR message, keep it high-level, what functionality was added, don't add info about testing, no icons, no info about how the message was generated.
+- app/controlplane/api/gen/frontend/google/protobuf/descriptor.ts is a special case that we don't want to upgrade, so if it upgrades, put it back to main

app/cli/cmd/casbackend.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -18,13 +18,16 @@ package cmd
 import (
 	"fmt"
 
+	"code.cloudfoundry.org/bytefmt"
 	"github.com/chainloop-dev/chainloop/app/cli/pkg/action"
 	"github.com/spf13/cobra"
 )
 
 var (
 	isDefaultCASBackendUpdateOption   *bool
 	descriptionCASBackendUpdateOption *string
+	maxBytesCASBackendOption          string
+	parsedMaxBytes                    *int64
 )
 
 func newCASBackendCmd() *cobra.Command {
@@ -46,6 +49,7 @@ func newCASBackendAddCmd() *cobra.Command {
 	cmd.PersistentFlags().Bool("default", false, "set the backend as default in your organization")
 	cmd.PersistentFlags().String("description", "", "descriptive information for this registration")
 	cmd.PersistentFlags().String("name", "", "CAS backend name")
+	cmd.PersistentFlags().StringVar(&maxBytesCASBackendOption, "max-bytes", "", "Maximum size for each blob stored in this backend (e.g., 100MB, 1GB)")
 	err := cmd.MarkPersistentFlagRequired("name")
 	cobra.CheckErr(err)
 
@@ -56,12 +60,13 @@ func newCASBackendAddCmd() *cobra.Command {
 func newCASBackendUpdateCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "update",
-		Short: "Update a CAS backend description, credentials or default status",
+		Short: "Update a CAS backend description, credentials, default status, or max bytes",
 	}
 
 	cmd.PersistentFlags().Bool("default", false, "set the backend as default in your organization")
 	cmd.PersistentFlags().String("description", "", "descriptive information for this registration")
 	cmd.PersistentFlags().String("name", "", "CAS backend name")
+	cmd.PersistentFlags().StringVar(&maxBytesCASBackendOption, "max-bytes", "", "Maximum size for each blob stored in this backend (e.g., 100MB, 1GB). Note: not supported for inline backends.")
 
 	cmd.AddCommand(newCASBackendUpdateOCICmd(), newCASBackendUpdateInlineCmd(), newCASBackendUpdateAzureBlobCmd(), newCASBackendUpdateAWSS3Cmd())
 	return cmd
@@ -125,6 +130,24 @@ func confirmationPrompt(msg string) bool {
 	return gotChallenge == "y" || gotChallenge == "Y"
 }
 
+// parseMaxBytesOption validates and parses the --max-bytes flag value.
+// It stores the parsed result in parsedMaxBytes for child commands to use.
+func parseMaxBytesOption() error {
+	parsedMaxBytes = nil
+	if maxBytesCASBackendOption == "" {
+		return nil
+	}
+
+	bytes, err := bytefmt.ToBytes(maxBytesCASBackendOption)
+	if err != nil {
+		return fmt.Errorf("invalid max-bytes format: %w", err)
+	}
+
+	bytesInt := int64(bytes)
+	parsedMaxBytes = &bytesInt
+	return nil
+}
+
 // captureUpdateFlags reads the --default and --description flags only when explicitly set and
 // stores their values in the package-level pointer options. This avoids treating their zero
 // values as an intention to update.

app/cli/cmd/casbackend_add_azureblob.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -30,6 +30,9 @@ func newCASBackendAddAzureBlobStorageCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "azure-blob",
 		Short: "Register a Azure Blob Storage CAS Backend",
+		PreRunE: func(_ *cobra.Command, _ []string) error {
+			return parseMaxBytesOption()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// If we are setting the default, we list existing CAS backends
 			// and ask the user to confirm the rewrite
@@ -61,7 +64,8 @@ func newCASBackendAddAzureBlobStorageCmd() *cobra.Command {
 					"clientID":     clientID,
 					"clientSecret": clientSecret,
 				},
-				Default: isDefault,
+				Default:  isDefault,
+				MaxBytes: parsedMaxBytes,
 			}
 
 			res, err := action.NewCASBackendAdd(ActionOpts).Run(opts)
@@ -92,5 +96,6 @@ func newCASBackendAddAzureBlobStorageCmd() *cobra.Command {
 	cobra.CheckErr(err)
 
 	cmd.Flags().StringVar(&container, "container", "chainloop", "Storage Container Name")
+
 	return cmd
 }

app/cli/cmd/casbackend_add_oci.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -27,6 +27,9 @@ func newCASBackendAddOCICmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "oci",
 		Short: "Register a OCI CAS Backend",
+		PreRunE: func(_ *cobra.Command, _ []string) error {
+			return parseMaxBytesOption()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// If we are setting the default, we list existing CAS backends
 			// and ask the user to confirm the rewrite
@@ -56,7 +59,8 @@ func newCASBackendAddOCICmd() *cobra.Command {
 					"username": username,
 					"password": password,
 				},
-				Default: isDefault,
+				Default:  isDefault,
+				MaxBytes: parsedMaxBytes,
 			}
 
 			res, err := action.NewCASBackendAdd(ActionOpts).Run(opts)
@@ -81,5 +85,6 @@ func newCASBackendAddOCICmd() *cobra.Command {
 	cmd.Flags().StringVarP(&password, "password", "p", "", "registry password")
 	err = cmd.MarkFlagRequired("password")
 	cobra.CheckErr(err)
+
 	return cmd
 }

app/cli/cmd/casbackend_add_s3.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -30,6 +30,9 @@ func newCASBackendAddAWSS3Cmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "aws-s3",
 		Short: "Register a AWS S3 storage bucket",
+		PreRunE: func(_ *cobra.Command, _ []string) error {
+			return parseMaxBytesOption()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			isDefault, err := cmd.Flags().GetBool("default")
 			cobra.CheckErr(err)
@@ -65,7 +68,8 @@ func newCASBackendAddAWSS3Cmd() *cobra.Command {
 					"secretAccessKey": secretAccessKey,
 					"region":          region,
 				},
-				Default: isDefault,
+				Default:  isDefault,
+				MaxBytes: parsedMaxBytes,
 			}
 
 			res, err := action.NewCASBackendAdd(ActionOpts).Run(opts)

app/cli/cmd/casbackend_update_azureblob.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -26,7 +26,10 @@ func newCASBackendUpdateAzureBlobCmd() *cobra.Command {
 	var backendName, tenantID, clientID, clientSecret string
 	cmd := &cobra.Command{
 		Use:   "azure-blob",
-		Short: "Update a AzureBlob CAS Backend description, credentials or default status",
+		Short: "Update a AzureBlob CAS Backend description, credentials, default status, or max bytes",
+		PreRunE: func(_ *cobra.Command, _ []string) error {
+			return parseMaxBytesOption()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// capture flags only when explicitly set
 			if err := captureUpdateFlags(cmd); err != nil {
@@ -49,7 +52,8 @@ func newCASBackendUpdateAzureBlobCmd() *cobra.Command {
 					"clientID":     clientID,
 					"clientSecret": clientSecret,
 				},
-				Default: isDefaultCASBackendUpdateOption,
+				Default:  isDefaultCASBackendUpdateOption,
+				MaxBytes: parsedMaxBytes,
 			}
 
 			// this means that we are not updating credentials

app/cli/cmd/casbackend_update_oci.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -26,7 +26,10 @@ func newCASBackendUpdateOCICmd() *cobra.Command {
 	var backendName, username, password string
 	cmd := &cobra.Command{
 		Use:   "oci",
-		Short: "Update a OCI CAS Backend description, credentials or default status",
+		Short: "Update a OCI CAS Backend description, credentials, default status, or max bytes",
+		PreRunE: func(_ *cobra.Command, _ []string) error {
+			return parseMaxBytesOption()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// capture flags only when explicitly set
 			if err := captureUpdateFlags(cmd); err != nil {
@@ -48,7 +51,8 @@ func newCASBackendUpdateOCICmd() *cobra.Command {
 					"username": username,
 					"password": password,
 				},
-				Default: isDefaultCASBackendUpdateOption,
+				Default:  isDefaultCASBackendUpdateOption,
+				MaxBytes: parsedMaxBytes,
 			}
 
 			if username == "" && password == "" {
@@ -73,5 +77,6 @@ func newCASBackendUpdateOCICmd() *cobra.Command {
 	cmd.Flags().StringVarP(&username, "username", "u", "", "registry username")
 
 	cmd.Flags().StringVarP(&password, "password", "p", "", "registry password")
+
 	return cmd
 }

app/cli/cmd/casbackend_update_s3.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -26,7 +26,10 @@ func newCASBackendUpdateAWSS3Cmd() *cobra.Command {
 	var backendName, accessKeyID, secretAccessKey, region string
 	cmd := &cobra.Command{
 		Use:   "aws-s3",
-		Short: "Update a AWS S3 CAS Backend description, credentials or default status",
+		Short: "Update a AWS S3 CAS Backend description, credentials, default status, or max bytes",
+		PreRunE: func(_ *cobra.Command, _ []string) error {
+			return parseMaxBytesOption()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// capture flags only when explicitly set
 			if err := captureUpdateFlags(cmd); err != nil {
@@ -49,7 +52,8 @@ func newCASBackendUpdateAWSS3Cmd() *cobra.Command {
 					"secretAccessKey": secretAccessKey,
 					"region":          region,
 				},
-				Default: isDefaultCASBackendUpdateOption,
+				Default:  isDefaultCASBackendUpdateOption,
+				MaxBytes: parsedMaxBytes,
 			}
 
 			// this means that we are not updating credentials