Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-9012

Cannot use proxy cache for ghcr.io

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • None
    • None
    • False
    • Hide

      None

      Show
      None
    • False

      When creating an organization and trying to configure the remote registry ghcr.io it's not possible to save the config: 

      That's because https://ghcr.io/v2/ responds with 401 and header `www-authenticate: Bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull"` and the token endpoint https://ghcr.io/token?service=ghcr.io&scope=repository:user/image:pull responds with 403.

      Harbor's implementation of proxy repositories handles this case more gracefully. Changing the condition in https://github.com/quay/quay/blob/bf82e26c56416ec3d0a812c051baa60ccdc76bea/proxy/__init__.py#L209 from

              # ignore fetching a token when validating proxy cache config to allow anonymous pulls from registries,
        # since the repo name is not known during the initial proxy configuration
        if resp.status_code == 401 and auth is None and self._repo is None:
            return

      to

              # ignore fetching a token when validating proxy cache config to allow anonymous pulls from registries,
        # since the repo name is not known during the initial proxy configuration
        if (resp.status_code == 401 or resp.status_code == 403) and auth is None and self._repo is None:
            return

      allows saving the proxy config and pulling images works.

        1. screenshot 2025-06-12.png
          155 kB
          Christophe Kamphaus

              Unassigned Unassigned
              ckamphaus-ccss Christophe Kamphaus
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: