From 1ab19597a6ddffefa8f6565792dabcdc66ed0c31 Mon Sep 17 00:00:00 2001 From: continuist Date: Sat, 28 Jun 2025 16:02:27 -0400 Subject: [PATCH] Use HTTPS instead of HTTP for registry --- CI_CD_PIPELINE_SETUP_GUIDE.md | 56 ++++++++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 7 deletions(-) diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index df7c7d2..808a5d2 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -456,10 +456,16 @@ storage: blobdescriptor: inmemory http: addr: :5000 + tls: + certificate: /etc/docker/registry/ssl/registry.crt + key: /etc/docker/registry/ssl/registry.key headers: X-Content-Type-Options: [nosniff] X-Frame-Options: [DENY] X-XSS-Protection: [1; mode=block] + Access-Control-Allow-Origin: ["*"] + Access-Control-Allow-Methods: ["HEAD", "GET", "OPTIONS", "DELETE"] + Access-Control-Allow-Headers: ["Authorization", "Content-Type", "Accept", "Accept-Encoding", "Accept-Language", "Cache-Control", "Connection", "DNT", "Pragma", "User-Agent"] # Public read access, authentication required for push auth: htpasswd: 
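Review bot: The new `Access-Control-Allow-Origin: ["*"]` under `http.headers`, paired with `DELETE` in `Access-Control-Allow-Methods` and `Authorization` in `Access-Control-Allow-Headers`, tells every origin it may script the registry API, while the patch's own description says the only consumer is the registry UI; pin it to that origin instead, e.g. `Access-Control-Allow-Origin: ["http://YOUR_CI_CD_IP:8080"]` (the compose context later in the patch publishes the UI as `8080:80`, plain HTTP). Browsers do not attach credentials to a wildcard-origin response, so the immediate blast radius is limited, but a wildcard plus `DELETE` is the wrong default for an endpoint that advertises `Authorization`. The new `tls:` block sets only `certificate` and `key`; if the registry release in use supports a minimum TLS version option, setting it here keeps the listener from negotiating TLS 1.0/1.1. The `http:` section continues past the end of the hunk.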
@@ -477,13 +483,37 @@ exit ``` **What this configuration does:** +- **HTTPS Enabled**: Uses TLS certificates for secure communication - **Public Read Access**: Anyone can pull images without authentication - **Authenticated Push**: Only authenticated users can push images - **Security Headers**: Protects against common web vulnerabilities +- **CORS Headers**: Allows the registry UI to access the registry API with all necessary headers - **No Secret Key**: The `secret` field was unnecessary and has been removed **Security Note**: We switch to SERVICE_USER because the registry directory is owned by SERVICE_USER, maintaining proper file ownership and security. +#### 4.2.1 Generate SSL Certificates + +```bash +# Switch to SERVICE_USER (registry directory owner) +sudo su - SERVICE_USER + +# Create SSL directory +mkdir -p /opt/registry/ssl + +# Generate self-signed certificate +openssl req -x509 -newkey rsa:4096 -keyout /opt/registry/ssl/registry.key -out /opt/registry/ssl/registry.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=YOUR_CI_CD_IP" + +# Set proper permissions +chmod 600 /opt/registry/ssl/registry.key +chmod 644 /opt/registry/ssl/registry.crt + +# Exit SERVICE_USER shell +exit +``` + +**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address in the certificate generation command. + #### 4.3 Create Authentication File ```bash @@ -520,6 +550,7 @@ services: volumes: - ./config.yml:/etc/docker/registry/config.yml:ro - ./auth/auth.htpasswd:/etc/docker/registry/auth/auth.htpasswd:ro + - ./ssl:/etc/docker/registry/ssl:ro - registry_data:/var/lib/registry restart: unless-stopped networks: @@ -531,7 +562,7 @@ services: - "8080:80" environment: - REGISTRY_TITLE=APP_NAME Registry - - REGISTRY_URL=http://registry:5000 + - REGISTRY_URL=https://YOUR_CI_CD_IP:5000 depends_on: - registry restart: unless-stopped 
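Review bot: The `openssl req` command in new section 4.2.1 puts `YOUR_CI_CD_IP` only in the CN (`-subj ".../CN=YOUR_CI_CD_IP"`) and sets no subjectAltName, so current Go-based TLS clients such as the Docker daemon reject the certificate as relying on the legacy Common Name field even after it has been added to the trust store; append `-addext "subjectAltName=IP:YOUR_CI_CD_IP,DNS:localhost,IP:127.0.0.1"` so both the public address and the `localhost:5000` tests later in the patch verify. `chmod 600 /opt/registry/ssl/registry.key` is right for the host, but the key is then readable inside the container only if the registry process runs as root or as SERVICE_USER's uid — presumably the case for the stock image, but worth a one-line comment after the chmod, e.g. `# 0600: the registry container must run as root or SERVICE_USER's uid to read this key`. `-days 365` also means this certificate, and every copy installed into Docker hosts' trust stores, expires in a year; the **Important** paragraph should say so. The patch's commit message promises "HTTPS for registry", and with a self-signed CN-only certificate the registry will listen on TLS but no daemon will verify it until the SAN is added.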
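Review bot: `REGISTRY_URL=https://YOUR_CI_CD_IP:5000` in the registry-ui service points the UI at the self-signed registry, and if this is the usual browser-side registry UI (the variable is consumed by the page, not by a proxy in the container) every visitor's browser must first trust or explicitly accept that certificate, for example by opening `https://YOUR_CI_CD_IP:5000/v2/` once, or all UI requests fail with a TLS error — that deserves a sentence in the **Important** paragraph that follows. The UI itself is still published as `"8080:80"` over plain HTTP, so its own page stays unencrypted and unauthenticated while it talks to an HTTPS API. Replacing the compose-internal name `registry` with the public IP also makes the UI depend on port 5000 being reachable from browsers through the host firewall, which the guide should call out.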
@@ -550,6 +581,10 @@ EOF exit ``` +**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address in the `REGISTRY_URL` environment variable. + +**Note**: The registry now uses HTTPS, which will resolve the crypto.subtle error and provide secure communication. + #### 4.5 Install Required Tools ```bash @@ -609,15 +644,18 @@ docker pull localhost:5000/test:latest # Remove from local Docker docker rmi localhost:5000/test:latest -# Delete test repository from registry (simpler approach) -echo "Deleting test repository from registry..." -curl -X DELETE http://localhost:5000/v2/test/repository - # Clean up test file rm /tmp/test.Dockerfile +# Clean up test repository using registry UI +# 1. Open your browser and go to: https://YOUR_CI_CD_IP:8080 +# 2. You should see the 'test' repository listed +# 3. Click on the 'test' repository +# 4. Click the delete button (trash icon) next to the 'latest' tag +# 5. Confirm the deletion +# 6. The test repository should now be removed + # Verify registry is empty -echo "Registry contents after cleanup:" curl http://localhost:5000/v2/_catalog # Exit SERVICE_USER shell @@ -645,9 +683,13 @@ exit PUSH_USER="push-user" PUSH_PASSWORD=$(grep push-user /opt/registry/auth/auth.htpasswd | cut -d: -f2) +# Copy the certificate to Docker's trusted certificates +sudo cp /opt/registry/ssl/registry.crt /usr/local/share/ca-certificates/registry.crt +sudo update-ca-certificates + sudo tee /etc/docker/daemon.json << EOF { - "insecure-registries": ["YOUR_CI_CD_IP:5000"], + "insecure-registries": [], "registry-mirrors": [], "auths": { "YOUR_CI_CD_IP:5000": {
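Review bot: The added **Note** claims registry HTTPS "will resolve the crypto.subtle error", but `crypto.subtle` is exposed only in a secure context, which is decided by the origin of the page running the script — here the UI, still served over plain HTTP on port 8080 per the compose file — not by the scheme of the API the page calls, so the error will most likely persist unless the UI is opened via `localhost` or itself gets TLS. Suggest rewording to `**Note**: The registry now uses HTTPS. The registry UI is still served over plain HTTP on port 8080; if the browser reports a crypto.subtle error, the UI page itself must be loaded from a secure context (HTTPS or localhost).`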
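Review bot: The surviving `curl http://localhost:5000/v2/_catalog` at the end of the cleanup block sends plain HTTP to a port that, after this patch, only serves TLS, so the "verify registry is empty" step will fail (a Go TLS listener answers with a 400 "client sent an HTTP request to an HTTPS server"); change it to `curl --cacert /opt/registry/ssl/registry.crt https://localhost:5000/v2/_catalog`, which verifies only if the certificate carries `localhost`/`127.0.0.1` in its SAN, with `-k` as the explicit, clearly-labelled fallback. New step 1 sends the reader to `https://YOUR_CI_CD_IP:8080`, but the UI is published as `8080:80` over plain HTTP in the compose file, so that URL should read `http://YOUR_CI_CD_IP:8080`. Deleting a tag from the UI also only works when the registry has storage deletion enabled (`storage.delete.enabled: true` or `REGISTRY_STORAGE_DELETE_ENABLED=true`), which the visible config hunk does not set — either enable it or say so in step 4.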
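Review bot: The new `sudo cp ... /usr/local/share/ca-certificates/registry.crt` plus `sudo update-ca-certificates` trusts the self-signed certificate for every TLS client on the host, yet the Docker daemon loads its trust store at start-up, so in practice `sudo systemctl restart docker` is needed — after the `daemon.json` write, which the hunk does not show — before `"insecure-registries": []` lets pulls verify. `/opt/registry/ssl/registry.crt` exists only on the registry host, so if this block runs on another machine the file must be transferred first, and the step must be repeated on every host that pulls from `YOUR_CI_CD_IP:5000`. Docker's own per-registry mechanism is narrower and does not turn a self-signed leaf into a system trust anchor: `sudo mkdir -p /etc/docker/certs.d/YOUR_CI_CD_IP:5000` followed by `sudo cp /opt/registry/ssl/registry.crt /etc/docker/certs.d/YOUR_CI_CD_IP:5000/ca.crt`. The `sudo tee /etc/docker/daemon.json` heredoc continues past the end of the hunk.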