Remove unnecessary secret field in registry config.yml for public read access

2025-06-28 13:43:54 -04:00 · 2025-06-28 13:43:54 -04:00 · 81c70f85cb
commit 81c70f85cb
parent fdaec65250
1 changed files with 14 additions and 4 deletions
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -453,9 +453,7 @@ http:
    X-Content-Type-Options: [nosniff]
    X-Frame-Options: [DENY]
    X-XSS-Protection: [1; mode=block]
-  # Enable public read access
-  secret: "your-secret-key-here"
-  # Restrict write access to specific IPs
+  # Public read access, authentication required for push
  auth:
    htpasswd:
      realm: basic-realm
@ -468,10 +466,16 @@ health:
 EOF
 ```

+**What this configuration does:**
+- **Public Read Access**: Anyone can pull images without authentication
+- **Authenticated Push**: Only authenticated users can push images
+- **Security Headers**: Protects against common web vulnerabilities
+- **No Secret Key**: The `secret` field was unnecessary and has been removed
+
 #### 4.3 Create Authentication File

 ```bash
-# Create htpasswd file for authentication
+# Create htpasswd file for authentication (required for push operations)
 mkdir -p /opt/registry/auth
 htpasswd -Bbn push-user "$(openssl rand -base64 32)" > /opt/registry/auth.htpasswd

@ -479,6 +483,12 @@ htpasswd -Bbn push-user "$(openssl rand -base64 32)" > /opt/registry/auth.htpass
 htpasswd -Bbn read-user "$(openssl rand -base64 32)" >> /opt/registry/auth.htpasswd
 ```

+**What this does**: Creates user credentials for registry authentication.
+- `push-user`: Can push and pull images (used by CI/CD pipeline for deployments)
+- `read-user`: Can only pull images (optional, for read-only access)
+
+**Note**: Pull operations are public and don't require authentication, but push operations require these credentials.
+
 #### 4.4 Create Docker Compose for Registry

 ```bash