1 files changed, 12 insertions, 1 deletions

diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index ea4723c9e28..a92a2c8aef5 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -124,7 +124,8 @@ module Auth
         type: type,
         name: path.to_s,
         actions: authorized_actions,
-        migration_eligible: self.class.migration_eligible(project: requested_project)
+        migration_eligible: self.class.migration_eligible(project: requested_project),
+        cdn_redirect: cdn_redirect
       }.compact
     end
 
@@ -145,6 +146,16 @@ module Auth
       # we'll remove them manually from this deny list, and their new repositories will become eligible.
       Feature.disabled?(:container_registry_migration_phase1_deny, project.root_ancestor) &&
         Feature.enabled?(:container_registry_migration_phase1_allow, project)
+    rescue ContainerRegistry::Path::InvalidRegistryPathError => ex
+      Gitlab::ErrorTracking.track_and_raise_for_dev_exception(ex, **Gitlab::ApplicationContext.current)
+      false
+    end
+
+    # This is used to determine whether blob download requests using a given JWT token should be redirected to Google
+    # Cloud CDN or not. The intent is to enable a percentage of time rollout for this new feature on the Container
+    # Registry side. See https://gitlab.com/gitlab-org/gitlab/-/issues/349417 for more details.
+    def cdn_redirect
+      Feature.enabled?(:container_registry_cdn_redirect) || nil
     end
 
     ##