-
Feature
-
Resolution: Unresolved
-
Blocker
-
None
-
None
-
None
-
False
-
-
False
-
Not Selected
Overview
Enable OCI Referrers API pass-through in the registry-proxy service that fronts registry.redhat.io and registry.access.redhat.com.
The backend quay.io already supports the OCI 1.1 Referrers API, but the registry-proxy currently lacks a handler for the /v2/:name/referrers/:digest endpoint, causing referrer queries to fail when accessing images through the Red Hat container registries.
Business Value
This is essential for supply chain security use cases including:
- Model signing verification (OpenSSF Model Signing)
- SLSA provenance attestations
- SBOM distribution
- Tamper-proof artifact integrity verification
Problem
The registry-proxy does not handle the OCI referrers endpoint. When clients query /v2/:name/referrers/:digest through registry.redhat.io, the request fails because the proxy has no handler for this path pattern.
The referrers API works correctly on quay.io directly, but the registry-proxy layer does not pass these requests through.
Solution
Add a referrers endpoint handler to the registry-proxy that:
- Recognizes the /v2/:name/referrers/:digest URL pattern
- Applies existing middleware (auth, authorization, terms filtering)
- Proxies requests to the quay.io backend
- Passes through the artifactType query parameter for filtering
Related Issues
- Original RFE: RFE-8487
- Epic: PROJQUAY-10177
- Blocks: RHAIRFE-817 (Model signing for AI artifacts)
- is incorporated by
-
PROJQUAY-10177 OCI Referrers API Pass-through Support
-
- New
-
- is triggered by
-
-
- Approved
-