Implement Container Virtual Registry pass-through proxy

🌱 Context

This is part of the Container Virtual Registry implementation series:

What does this MR do and why?

This MR implements the pass-through proxy for Container Virtual Registry pull requests. When a requested image is not in cache, we:

  1. Proxy the download from upstream via Workhorse
  2. Stream the content to the Docker client

Note: This MR does NOT create cache entries yet. Cache entry creation will be added in a follow-up MR via a background worker.

The implementation includes:

  • authorize_upload endpoint for Workhorse file upload authorization
  • upload endpoint for creating cache entries (when called directly)
  • send_workhorse_proxy implementation that proxies requests to upstream
  • skip_permission_check parameter in CreateOrUpdateService for background worker use

EE: true

References

#549131

🔬 How to set up and validate locally

1. 🛠️ Setup

Follow the same setup steps from !212712 (merged) to enable the feature flag and create a virtual registry with upstreams.

2. 🔓 Docker login to the virtual registry

docker login gdk.test:3000/virtual_registries/containers/<registry_id>

When the docker client asks for the password, paste a personal access token with read_virtual_registry permission.

3. 🔽 Docker pull from the virtual registry (cache miss)

Pull an image that is NOT in the cache:

# Pull an image from upstream (e.g., Docker Hub via the virtual registry)
docker pull gdk.test:3000/virtual_registries/containers/<registry_id>/library/alpine:latest

💡 NOTE: The docker CLI automatically prepends library/ when pulling official images from Docker Hub, but it does not do that for the Virtual Registry. Hence, we have to add that to the URL ourselves: docker pull alpine => docker pull <gitlab-registry-url>/library/alpine

4. 🔽 Verify that the cache hit scenario still works

Follow step 2 in !212712 to artificially create cache entry records for the hello-world image.

Pull the hello-world image with:

docker pull gdk.test:3000/virtual_registries/container/<registry-id>/hello-world@sha256:0c0473b2781ff136160d27c53706e6e593b0a7ded422170058d17101a5b92ff5

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #549131

Edited by Radamanthus Batnag
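
The library/ prefix rule from the note in step 3, as an added shell helper (not part of the MR or of GitLab's code): it builds the virtual registry reference for a Docker Hub image name and adds library/ for official images. The function name vr_ref and the registry id 1 are assumptions made for the example; references that name another registry host are refused, because the description only covers the Docker Hub case.

```shell
# vr_ref BASE REF  (hypothetical helper, added example)
#   BASE  virtual registry prefix, e.g. gdk.test:3000/virtual_registries/containers/<registry_id>
#   REF   image reference as you would pass it to `docker pull` for Docker Hub
# Prints BASE/REPO[:TAG][@DIGEST]; returns 1 for a non-Docker-Hub host, 2 on bad input.
vr_ref() {
  base=${1%/}
  ref=$2
  [ -n "$base" ] && [ -n "$ref" ] || return 2

  # Drop an explicit Docker Hub host; the upstream already implies it.
  case $ref in
    docker.io/*)       ref=${ref#docker.io/} ;;
    index.docker.io/*) ref=${ref#index.docker.io/} ;;
  esac

  # Split off digest and tag so that only the repository path is inspected.
  suffix=
  repo=$ref
  case $ref in
    *@*) suffix="@${ref#*@}"; repo=${ref%%@*} ;;
  esac
  last=${repo##*/}
  case $last in
    *:*) suffix=":${last#*:}$suffix"; repo=${repo%:*} ;;
  esac
  [ -n "$repo" ] || return 2

  case $repo in
    */*)
      # A first component containing "." or ":" (or "localhost") is a registry
      # host, not a Docker Hub namespace: do not guess a mapping for it.
      first=${repo%%/*}
      case $first in
        *.*|*:*|localhost) return 1 ;;
      esac ;;
    *)
      # Official image: add the prefix the docker CLI would add for Docker Hub.
      repo="library/$repo" ;;
  esac

  printf '%s/%s%s\n' "$base" "$repo" "$suffix"
}

# Constructed sample: registry id 1 on the local GDK host.
vr_ref "gdk.test:3000/virtual_registries/containers/1" alpine:latest
```

Usage: docker pull "$(vr_ref "$BASE" alpine:latest)", where BASE is the same prefix used for docker login.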
