devteam/sharenet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use HTTPS instead of HTTP for registry
Some checks are pending
CI/CD Pipeline / Test Backend (push) Waiting to run
Details
CI/CD Pipeline / Test Frontend (push) Waiting to run
Details
CI/CD Pipeline / Build and Push Docker Images (push) Blocked by required conditions
Details
CI/CD Pipeline / Deploy to Production (push) Blocked by required conditions
Details

Browse source
This commit is contained in:
continuist 2025-06-28 16:02:27 -04:00
parent 325095474a
commit 1ab19597a6
1 changed files with 49 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
CI_CD_PIPELINE_SETUP_GUIDE.md
View file

@ -456,10 +456,16 @@ storage:
blobdescriptor: inmemory
http:
addr: :5000
tls:
certificate: /etc/docker/registry/ssl/registry.crt
key: /etc/docker/registry/ssl/registry.key
headers:
X-Content-Type-Options: [nosniff]
X-Frame-Options: [DENY]
X-XSS-Protection: [1; mode=block]
Access-Control-Allow-Origin: ["*"]
Access-Control-Allow-Methods: ["HEAD", "GET", "OPTIONS", "DELETE"]
Access-Control-Allow-Headers: ["Authorization", "Content-Type", "Accept", "Accept-Encoding", "Accept-Language", "Cache-Control", "Connection", "DNT", "Pragma", "User-Agent"]
# Public read access, authentication required for push
auth:
htpasswd:
@ -477,13 +483,37 @@ exit
```
**What this configuration does:**
- **HTTPS Enabled**: Uses TLS certificates for secure communication
- **Public Read Access**: Anyone can pull images without authentication
- **Authenticated Push**: Only authenticated users can push images
- **Security Headers**: Protects against common web vulnerabilities
- **CORS Headers**: Allows the registry UI to access the registry API with all necessary headers
- **No Secret Key**: The `secret` field was unnecessary and has been removed
**Security Note**: We switch to SERVICE_USER because the registry directory is owned by SERVICE_USER, maintaining proper file ownership and security.
#### 4.2.1 Generate SSL Certificates
```bash
# Switch to SERVICE_USER (registry directory owner)
sudo su - SERVICE_USER
# Create SSL directory
mkdir -p /opt/registry/ssl
# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout /opt/registry/ssl/registry.key -out /opt/registry/ssl/registry.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=YOUR_CI_CD_IP"
# Set proper permissions
chmod 600 /opt/registry/ssl/registry.key
chmod 644 /opt/registry/ssl/registry.crt
# Exit SERVICE_USER shell
exit
```
**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address in the certificate generation command.
#### 4.3 Create Authentication File
```bash
@ -520,6 +550,7 @@ services:
volumes:
- ./config.yml:/etc/docker/registry/config.yml:ro
- ./auth/auth.htpasswd:/etc/docker/registry/auth/auth.htpasswd:ro
- ./ssl:/etc/docker/registry/ssl:ro
- registry_data:/var/lib/registry
restart: unless-stopped
networks:
@ -531,7 +562,7 @@ services:
- "8080:80"
environment:
- REGISTRY_TITLE=APP_NAME Registry
- REGISTRY_URL=http://registry:5000
- REGISTRY_URL=https://YOUR_CI_CD_IP:5000
depends_on:
- registry
restart: unless-stopped
@ -550,6 +581,10 @@ EOF
exit
```
**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address in the `REGISTRY_URL` environment variable.
**Note**: The registry now uses HTTPS, which will resolve the crypto.subtle error and provide secure communication.
#### 4.5 Install Required Tools
```bash
@ -609,15 +644,18 @@ docker pull localhost:5000/test:latest
# Remove from local Docker
docker rmi localhost:5000/test:latest
# Delete test repository from registry (simpler approach)
echo "Deleting test repository from registry..."
curl -X DELETE http://localhost:5000/v2/test/repository
# Clean up test file
rm /tmp/test.Dockerfile
# Clean up test repository using registry UI
# 1. Open your browser and go to: https://YOUR_CI_CD_IP:8080
# 2. You should see the 'test' repository listed
# 3. Click on the 'test' repository
# 4. Click the delete button (trash icon) next to the 'latest' tag
# 5. Confirm the deletion
# 6. The test repository should now be removed
# Verify registry is empty
echo "Registry contents after cleanup:"
curl http://localhost:5000/v2/_catalog
# Exit SERVICE_USER shell
@ -645,9 +683,13 @@ exit
PUSH_USER="push-user"
PUSH_PASSWORD=$(grep push-user /opt/registry/auth/auth.htpasswd | cut -d: -f2)
# Copy the certificate to Docker's trusted certificates
sudo cp /opt/registry/ssl/registry.crt /usr/local/share/ca-certificates/registry.crt
sudo update-ca-certificates
sudo tee /etc/docker/daemon.json << EOF
{
"insecure-registries": ["YOUR_CI_CD_IP:5000"],
"insecure-registries": [],
"registry-mirrors": [],
"auths": {
"YOUR_CI_CD_IP:5000": {