Critical Description:
This is an issue found in Quay API V2, now when use Openshift "oc-mirror" CLI to mirror images to Quay, this utility will check if "/v2/openshift/graph-image/manifests/latest" is existed or not, at this step Quay should return 404 error code to indicate that this manifest is not existed, but the current behavior is Quay will return 401 error code, the results is Customers can't use "oc-mirror" to mirror OCP installation images to Quay, pls review this issue.
Quay: 3.15.1
Locations to download oc-mirror:
https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/oc-mirror.tar.gz
ubuntu@ip-10-0-1-126:~$ sudo ./oc-mirror --config=imagesetconfig.yaml --workspace file:///./oc-mirror-workspace docker://quay3151-quay-quay.apps.quaypg31512108.qe.devcluster.openshift.com --v2 --parallel-images 10 --parallel-layers 18 --authfile ./pull-secret.json 2025/08/21 03:36:48 [INFO] : 👋 Hello, welcome to oc-mirror 2025/08/21 03:36:48 [INFO] : ⚙️ setting up the environment for you... 2025/08/21 03:36:48 [INFO] : 🔀 workflow mode: mirrorToMirror 2025/08/21 03:36:48 [INFO] : 🕵 going to discover the necessary images... 2025/08/21 03:36:48 [INFO] : 🔍 collecting release images... 2025/08/21 03:36:52 [INFO] : mirror time : 4.595884839s 2025/08/21 03:36:52 [INFO] : 👋 Goodbye, thank you for using oc-mirror 2025/08/21 03:36:52 [ERROR] : [Executor] collection error: [ReleaseImageCollector] error processing graph image: HEAD https://quay3151-quay-quay.apps.quaypg31512108.qe.devcluster.openshift.com/v2/openshift/graph-image/manifests/latest: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)
Check the same Quay API V2 manually hit the same 401 error:
curl --location 'https://quay3151-quay-quay.apps.quaypg31512108.qe.devcluster.openshift.com/v2/auth?service=quay3151-quay-quay.apps.quaypg31512108.qe.devcluster.openshift.com&scope=repository%3Aopenshift%2Fgraph-image%3Apull%2Cpush' \ --header 'Authorization: Basic ******' -k | jq { "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRoajluWWR0RDZSUngxbnFrV1lFaDk3VmdmQWhaSTdmNFJSaGI1NnRyLWsiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJxdWF5IiwiYXVkIjoicXVheTMxNTEtcXVheS1xdWF5LmFwcHMucXVheXBnMzE1MTIxMDgucWUuZGV2Y2x1c3Rlci5vcGVuc2hpZnQuY29tIiwibmJmIjoxNzU1NzUxNDUzLCJpYXQiOjE3NTU3NTE0NTMsImV4cCI6MTc1NTc1NTA1Mywic3ViIjoicXVheSIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoib3BlbnNoaWZ0L2dyYXBoLWltYWdlIiwiYWN0aW9ucyI6W119XSwiY29udGV4dCI6eyJ2ZXJzaW9uIjoyLCJlbnRpdHlfa2luZCI6InVzZXIiLCJlbnRpdHlfcmVmZXJlbmNlIjoiYjdmZGM0YzctMWEwNC00YzJhLWFlOWEtY2I3MGNhMWNiNjUyIiwia2luZCI6InVzZXIiLCJ1c2VyIjoicXVheSIsImNvbS5hcG9zdGlsbGUucm9vdHMiOnsib3BlbnNoaWZ0L2dyYXBoLWltYWdlIjoiJGRpc2FibGVkIn0sImNvbS5hcG9zdGlsbGUucm9vdCI6IiRkaXNhYmxlZCJ9fQ.SuMuls-oM2QLjdbOyoNEAuEp62OI1idAx2lEfdlvENO9kjHjiYYd47zsBdyd6z7nl9D2rO8_JDK5CxlUidv7ZGom8TEttp0MrqyHYTHDq4uoGLHJM53bH_jrxehvRteYA-nJeBbYYnhrar1pHLdN7utNWXkem_JJyvwrKD61w62-qttYnxwsNqGzEPuT4KrK-lcgQkLEm5tmv-YU91GWQJVUJnsbiiaK325pZpUBuvpAH76OrabCIDTphWhIU7fmNyTbKhpPkzLMkG2rQ4g5ucnA0hR141Q0fcknsDWAO62pL6Js3DwBM5-CB4JCmD_84C_3U0yD5LU7tG9Vg0bkAg" } curl --location 'https://quay3151-quay-quay.apps.quaypg31512108.qe.devcluster.openshift.com/v2/openshift/graph-image/manifests/latest' \ --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Il9NaUpjamp0UU9yeHlaN1dBWi1EWjBfNGg4NmRhcndfTVE0bkE2N084OWsiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJxdWF5IiwiYXVkIjoicXVheTMxNTEtcXVheS1xdWF5LmFwcHMucXVheXBnMzE1MTIxMDgucWUuZGV2Y2x1c3Rlci5vcGVuc2hpZnQuY29tIiwibmJmIjoxNzU1NzUxNTI3LCJpYXQiOjE3NTU3NTE1MjcsImV4cCI6MTc1NTc1NTEyNywic3ViIjoicXVheSIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoib3BlbnNoaWZ0L2dyYXBoLWltYWdlIiwiYWN0aW9ucyI6W119XSwiY29udGV4dCI6eyJ2ZXJzaW9uIjoyLCJlbnRpdHlfa2luZCI6InVzZXIiLCJlbnRpdHlfcmVmZXJlbmNlIjoiYjdmZGM0YzctMWEwNC00YzJhLWFlOWEtY2I3MGNhMWNiNjUyIiwia2luZCI6InVzZXIiLCJ1c2VyIjoicXVheSIsImNvbS5hcG9zdGlsbGUucm9vdHMiOnsib3BlbnNoaWZ0L2dyYXBoLWltYWdlIjoiJGRpc2FibGVkIn0sImNvbS5hcG9zdGlsbGUucm9vdCI6IiRkaXNhYmxlZCJ9fQ.E_oqNa1ZXFp0DT4027WcAGaTvYR70ZbEOx7FpOrWcKa7JGGziBBa_Wh5xauymOv-VFYL1ymhLrnGtjRoybnuR9ECV8eUkeS76wstvvqtm3gm5CX8XUPo2ZO4QoR0FvGqq3kWJuAaoJ0_SZQn5H_I1NucBuMLVZt1p72s3nePzLHfAYb0tspsyJAdubYpruKA6EQQYtC8zDf2WaOX250dHU38EnWcLuIVQGB2wVzJYAby7zaj3nhHdF7JwarQUMY3LvzW5LQxzRPqvkJUYQ2ukMY_PRxewPSnHl0XwHfpAK9jk9xkdq3DebDrYC5mOeyNus_PolFHhTCCwAU_jXa1ew' -k { "errors": [ { "code": "UNAUTHORIZED", "detail": {}, "message": "access to the requested resource is not authorized" } ] } curl --location --head 'https://quay3151-quay-quay.apps.quaypg31512108.qe.devcluster.openshift.com/v2/openshift/graph-image/manifests/latest' \ --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Il9NaUpjamp0UU9yeHlaN1dBWi1EWjBfNGg4NmRhcndfTVE0bkE2N084OWsiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJxdWF5IiwiYXVkIjoicXVheTMxNTEtcXVheS1xdWF5LmFwcHMucXVheXBnMzE1MTIxMDgucWUuZGV2Y2x1c3Rlci5vcGVuc2hpZnQuY29tIiwibmJmIjoxNzU1NzUxNTI3LCJpYXQiOjE3NTU3NTE1MjcsImV4cCI6MTc1NTc1NTEyNywic3ViIjoicXVheSIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoib3BlbnNoaWZ0L2dyYXBoLWltYWdlIiwiYWN0aW9ucyI6W119XSwiY29udGV4dCI6eyJ2ZXJzaW9uIjoyLCJlbnRpdHlfa2luZCI6InVzZXIiLCJlbnRpdHlfcmVmZXJlbmNlIjoiYjdmZGM0YzctMWEwNC00YzJhLWFlOWEtY2I3MGNhMWNiNjUyIiwia2luZCI6InVzZXIiLCJ1c2VyIjoicXVheSIsImNvbS5hcG9zdGlsbGUucm9vdHMiOnsib3BlbnNoaWZ0L2dyYXBoLWltYWdlIjoiJGRpc2FibGVkIn0sImNvbS5hcG9zdGlsbGUucm9vdCI6IiRkaXNhYmxlZCJ9fQ.E_oqNa1ZXFp0DT4027WcAGaTvYR70ZbEOx7FpOrWcKa7JGGziBBa_Wh5xauymOv-VFYL1ymhLrnGtjRoybnuR9ECV8eUkeS76wstvvqtm3gm5CX8XUPo2ZO4QoR0FvGqq3kWJuAaoJ0_SZQn5H_I1NucBuMLVZt1p72s3nePzLHfAYb0tspsyJAdubYpruKA6EQQYtC8zDf2WaOX250dHU38EnWcLuIVQGB2wVzJYAby7zaj3nhHdF7JwarQUMY3LvzW5LQxzRPqvkJUYQ2ukMY_PRxewPSnHl0XwHfpAK9jk9xkdq3DebDrYC5mOeyNus_PolFHhTCCwAU_jXa1ew' -k HTTP/1.1 401 UNAUTHORIZED server: nginx/1.22.1 date: Thu, 21 Aug 2025 04:46:36 GMT content-type: application/json content-length: 112 www-authenticate: Bearer realm="https://quay3151-quay-quay.apps.quaypg31512108.qe.devcluster.openshift.com/v2/auth",service="quay3151-quay-quay.apps.quaypg31512108.qe.devcluster.openshift.com",scope="repository:openshift/graph-image:pull" docker-distribution-api-version: registry/2.0