From e1920d1cc7fcd9c9037b9474415615a23593d522 Mon Sep 17 00:00:00 2001
From: Felix Fontein <felix@fontein.de>
Date: Sun, 3 Aug 2025 15:19:16 +0200
Subject: [PATCH] Work around bug in Docker 28.3.3 that prevents pushing to
 registry without authentication. (#1110)

---
 changelogs/fragments/1110-push-fix.yml | 3 +++
 plugins/modules/docker_image.py        | 8 ++++++--
 plugins/modules/docker_image_push.py   | 8 ++++++--
 3 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/1110-push-fix.yml

diff --git a/changelogs/fragments/1110-push-fix.yml b/changelogs/fragments/1110-push-fix.yml
new file mode 100644
index 00000000..498dbbf6
--- /dev/null
+++ b/changelogs/fragments/1110-push-fix.yml
@@ -0,0 +1,3 @@
+bugfixes:
+  - "docker_image, docker_image_push - work around a bug in Docker 28.3.3 that prevents pushing without authentication to a registry
+     (https://github.com/ansible-collections/community.docker/pull/1110)."
diff --git a/plugins/modules/docker_image.py b/plugins/modules/docker_image.py
index 0c97cd98..dd17a6f4 100644
--- a/plugins/modules/docker_image.py
+++ b/plugins/modules/docker_image.py
@@ -363,6 +363,7 @@ stdout:
   version_added: 1.0.0
 """
 
+import base64
 import errno
 import json
 import os
@@ -716,8 +717,11 @@ class ImageManager(DockerBaseClass):
                     push_registry, dummy = resolve_repository_name(push_repository)
                     headers = {}
                     header = get_config_header(self.client, push_registry)
-                    if header:
-                        headers['X-Registry-Auth'] = header
+                    if not header:
+                        # For some reason, from Docker 28.3.3 on not specifying X-Registry-Auth seems to be invalid.
+                        # See https://github.com/moby/moby/issues/50614.
+                        header = base64.urlsafe_b64encode(b"{}")
+                    headers['X-Registry-Auth'] = header
                     response = self.client._post_json(
                         self.client._url("/images/{0}/push", push_repository),
                         data=None,
diff --git a/plugins/modules/docker_image_push.py b/plugins/modules/docker_image_push.py
index 58b64693..89ba1e31 100644
--- a/plugins/modules/docker_image_push.py
+++ b/plugins/modules/docker_image_push.py
@@ -72,6 +72,7 @@ image:
   sample: {}
 """
 
+import base64
 import traceback
 
 from ansible.module_utils.common.text.converters import to_native
@@ -142,8 +143,11 @@ class ImagePusher(DockerBaseClass):
 
             headers = {}
             header = get_config_header(self.client, push_registry)
-            if header:
-                headers['X-Registry-Auth'] = header
+            if not header:
+                # For some reason, from Docker 28.3.3 on not specifying X-Registry-Auth seems to be invalid.
+                # See https://github.com/moby/moby/issues/50614.
+                header = base64.urlsafe_b64encode(b"{}")
+            headers['X-Registry-Auth'] = header
             response = self.client._post_json(
                 self.client._url("/images/{0}/push", self.name),
                 data=None,