* chore(pre-commit): match black version with requirements-dev
* run `make black` against repo
* ci: switch to black 24.4.2
* fix: py312
* fix: flake8 errors
* fix: flake8 conflicts
* chore: add git blame ignore revs file
* proxy: Drop error 403 token requests for anonymous pulls (PROJQUAY-9012)
ghcr.io returns 403 when attempting an anonymous pull, which causes the
proxy to attempt authentication even when authentication is disabled.
This change ignores 403 status codes when requesting anonymous pulls,
similar to the existing behavior for 401 responses.
* fix formatting
This change allows validation of proxy cache config api to support anonymous pulls
when the registry returns a 401 since repo name is not known during initial proxy config
Signed-off-by: harishsurf <hgovinda@redhat.com>
When authenticating again a registry, if the www-authenticate header
doesn't specify a service, exclude it from the url
Signed-off-by: harishsurf <hgovinda@redhat.com>
The distribution spec does not require the docker-content-digest header
to be set in response to a manifest GET/HEAD request.
This changes both the proxy client and the registry proxy model to
correctly check whether a manifest is up-to-date with the upstream
registry or not when no digest header is received.
NOTE: when checking staleness against registries that do not return the
docker-content-digest header, Quay will make a GET request to the
registry and calculate the digest from the manifest itself. GET requests
usually count towards rate-limiting.
This change also sets the accept-encoding header to 'identity'. The python
requests library seems to automatically set the accept-encoding header to
'gzip'. Dockerhub ignores that header when serving blobs, but some
registries don't (namely registry.access.redhat.com). When Quay receives a
gzipped config blob (have not tested non-config blobs) for some reason it
doesn't know how to handle it. I suspect it has to do wit the fact that in
this case the content-length header will differ from the actual size of
the response body, so when Quay tries to upload the blob it cannot
correctly calculate the actual blob size, so it does a partial upload to
its object storage, which then results in a digest mismatch error
(BlobDigestMismatchException).
requests will either throw a RequestException or a ConnectionError if it
fails to request the given url for whatever reason.
callers are only expected to treat UpstreamRegistryError, so we throw it
instead of the requests related exceptions, adding the original message
to the new exception.
introduces the possibility to pull images from external registries
through Quay, storing them locally for faster subsequent pulls.
Closes PROJQUAY-3030 and PROJQUAY-3033
