docker, docker-registry

Set up private docker registry with anonymous pull access


I'd like to set up a docker registry that allows anonymous pulls but authenticates pushes.

My naive approach was to allow GET requests. But that seems to break the login, as the client only creates the credentials if the initial GET request to /v2/ yields a 401.

However, repository reads also start with that, so I cannot put this behind authentication either.

Basically it seems I'd have to distinguish between a ping before a pull and a ping before a login.

I'm also happy to set up token authentication. But that would probably run into the same conundrum.


Solution

  • Apparently the way to go is to set up token authentication.

    Then you can return a valid token for the scope pull even if no Basic Authentication was given.

    You can find example code at https://github.com/cloudfleet/floating-dock/blob/master/app/controllers/api/v1/jwt_controller.rb and https://github.com/cloudfleet/floating-dock/blob/master/app/services/auth/container_registry_authentication_service.rb

    It is an adapted version of GitLab's JWT implementation for the registry.
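
The token-endpoint decision described in the answer, as an added sketch that is not part of the original post and is not the linked floating-dock or GitLab code: a request without Basic credentials still receives a signed token, but only for `pull`, while wrong credentials get a 401 so that `docker login` fails. The issuer, service name, user table and helper names are constructed assumptions, and the JWT header omits the key hint (`kid` or `x5c`) that a deployed registry expects.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed demo values (assumptions, not taken from the answer or its linked code).
ISSUER  = 'auth.example.test'
SERVICE = 'registry.example.test'
USERS   = { 'alice' => 'demo-password' }.freeze
KEY     = OpenSSL::PKey::RSA.new(2048) # throwaway signing key for the demo

# nil = no credentials sent (anonymous), :invalid = wrong credentials, else the user name.
def authenticate(user, password)
  return nil if user.nil?
  expected = USERS[user]
  return :invalid unless expected && OpenSSL.secure_compare(expected, password.to_s)
  user
end

# Parses "repository:NAME:pull,push" and keeps only the actions this caller may have:
# anyone may pull, only an authenticated user may push.
def grant(scope, user)
  type, rest = scope.to_s.split(':', 2)
  name, _, actions = rest.to_s.rpartition(':')
  return [] unless type == 'repository' && !name.empty?
  allowed = actions.split(',').select { |a| a == 'pull' || (a == 'push' && user) }
  allowed.empty? ? [] : [{ 'type' => type, 'name' => name, 'actions' => allowed }]
end

def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

# Token endpoint logic: returns [http_status, body]. Bad credentials get 401 so that
# `docker login` fails; missing credentials still get a token, limited to pull.
def token_response(scope:, user: nil, password: nil, now: Time.now.to_i)
  who = authenticate(user, password)
  return [401, { 'error' => 'invalid credentials' }] if who == :invalid
  claims = { 'iss' => ISSUER, 'aud' => SERVICE, 'sub' => who.to_s, 'jti' => SecureRandom.uuid,
             'iat' => now, 'nbf' => now, 'exp' => now + 300, 'access' => grant(scope, who) }
  header = { 'typ' => 'JWT', 'alg' => 'RS256' } # a deployed registry also expects kid/x5c here
  input = "#{b64url(header.to_json)}.#{b64url(claims.to_json)}"
  [200, { 'token' => "#{input}.#{b64url(KEY.sign(OpenSSL::Digest.new('SHA256'), input))}" }]
end

# Decodes the (unverified) claim set of a token, for inspection.
def claims_of(token)
  part = token.split('.')[1].tr('-_', '+/')
  JSON.parse((part + '=' * ((4 - part.length % 4) % 4)).unpack1('m0'))
end
```

An anonymous request for `pull,push` comes back with an `access` entry containing only `pull`, so the registry itself rejects the push and the client retries with credentials.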