SS-1076 improve image pull error

[churnikov]

Link to related charts pull request ScilifelabDataCentre/serve-charts#101
TODO:

• Improve documentation of the introduced functions
• Add documentation on confluence, that describes how this validation work
  https://scilifelab.atlassian.net/wiki/spaces/AIportal/pages/3697836225/On+pulling+users+images+on+serve#Validating-incoming-images

This pull request introduces a feature to validate Docker image architectures for both Docker Hub and GitHub Container Registry (GHCR). The changes include adding new utility functions, validators, and settings to ensure Docker images are built for the correct CPU architecture (amd64). It also integrates a feature flag to toggle this validation.

Docker image architecture validation:

• Added a new feature to validate Docker image architectures (amd64) in validate_ghcr_image and validate_docker_image functions. This validation is controlled by the docker_image_architecture_validator feature flag using the waffle library. [1] [2]

New utilities for Docker and GHCR integration:

• Introduced DockerHubAuthenticator and GHCRAuthenticator classes for handling authentication with Docker Hub and GHCR, respectively. These classes retrieve Bearer tokens for API requests.
• Added utility functions like get_manifest_list, get_config_blob, and get_image_architecture to fetch and parse image manifests and configurations to determine supported architectures.

Configuration updates:

• Added new environment variables (DOCKER_HUB_TOKEN, DOCKER_HUB_USERNAME, GITHUB_API_USERNAME) to studio/settings.py for authentication with Docker Hub and GHCR.

Checklist

If you're unsure about any of the items below, don't hesitate to ask. We're here to help!
This is simply a reminder of what we are going to look for before merging your code.

• This pull request is against develop branch (not applicable for hotfixes)
• I have included a link to the issue on GitHub or JIRA (if any)
• I have included migration files (if there are changes to the model classes)
• I have included, reviewed and executed tests (unit and end2end) to complement my changes
• I have updated the related documentation (if necessary)
• I have added a reviewer for this pull request
• I have added myself as an author for this pull request
• In the case I have modified settings.py, then I have also updated the studio-settings-configmap.yaml file in serve-charts

Further comments

Anything else you think we should know before merging your code!

[Copilot]

Pull Request Overview

Adds validation of Docker image CPU architectures and supporting utilities.

• Introduces DockerHubAuthenticator and GHCRAuthenticator for registry token retrieval.
• Implements get_manifest_list, get_config_blob, and get_image_architecture to fetch and parse image architectures.
• Integrates a docker_image_architecture_validator waffle switch into validate_ghcr_image and validate_docker_image to enforce amd64 images.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
studio/settings.py	Added new env vars for Docker Hub and GHCR authentication
apps/validators/container_images.py	New registry auth classes and manifest/config-fetching utilities
apps/helpers.py	Wired image-architecture checks behind feature flag in validators

Comments suppressed due to low confidence (1)

apps/validators/container_images.py:135

• [nitpick] The parameter name refence is misspelled; consider renaming it to reference for clarity and consistency.

def get_image_architecture(

[Copilot]

get_image_architecture can return None on unsupported manifests, but callers assume a list. Ensure it always returns a list (possibly empty) or raise an exception to prevent runtime errors.

Suggested change

	return architectures
	return architectures or []

[j-awada]

@churnikov did you choose to create the flag manually? Here's where the Depictio one gets created.
But in general image arch verification sounds more like a switch than a feature flag.

[churnikov]

@j-awada

But in general image arch verification sounds more like a switch than a feature flag.

My bad, I named it in commit messages feature flag, while it's already a switch. Good point thought, thank you:)

[churnikov]

Here's where the Depictio one gets created.

Thanks, good idea, will do that!

[j-awada]

Did not run this locally but LGTM.

[j-awada]

is refence missing the r on purpose? haha

[churnikov]

Oops:))

[j-awada]

Do we also need to update .env.template to include those variables there?

[churnikov]

True, will do that:)