Removed no longer needed docker-compose yml for registry

2025-08-22 22:37:51 -04:00 · 2025-08-22 22:37:51 -04:00 · 92a306ddc5
commit 92a306ddc5
parent 98c5fb948f
3 changed files with 13 additions and 88 deletions
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -702,17 +702,9 @@ sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/op
 sudo sed -i "s/YOUR_REGISTRY_NAME/APP_NAME-Registry/g" /opt/APP_NAME/registry/openssl.conf
 ```

-#### 5.2.1 Alternative: Use Podman Compose

-```bash
-# Use podman-compose (Docker Compose compatible)
-podman-compose -f docker-registry.yml up -d

-# Check status
-podman-compose -f docker-registry.yml ps
-```
-
-#### 5.2.2 Security Features Applied
+#### 5.2.1 Security Features Applied

 The Docker Registry v2 setup includes comprehensive security hardening:

@ -740,6 +732,9 @@ The Docker Registry v2 setup includes comprehensive security hardening:
 - ✅ Container policy enforcement via containers-policy.json
 - ✅ Volume mounts with read-only where possible

+#### 5.2.2 Set Up Authentication and Permissions
+
+```bash
 # Create FHS-compliant authentication directory
 sudo mkdir -p /etc/registry/auth
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/auth
@ -759,17 +754,15 @@ sudo chmod 600 /etc/registry/auth/.htpasswd
 # Set proper permissions for configuration files
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/nginx.conf
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/openssl.conf
-sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/docker-registry.yml
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/registry-pod.yaml
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/containers-policy.json
 sudo chmod 644 /opt/APP_NAME/registry/nginx.conf
 sudo chmod 644 /opt/APP_NAME/registry/openssl.conf
-sudo chmod 644 /opt/APP_NAME/registry/docker-registry.yml
 sudo chmod 644 /opt/APP_NAME/registry/registry-pod.yaml
 sudo chmod 644 /opt/APP_NAME/registry/containers-policy.json
 ```

-#### 5.3 Create FHS-Compliant Directory Structure
+#### 5.2.3 Create FHS-Compliant Directory Structure

 ```bash
 # Create FHS-compliant certificate directory structure
@ -794,7 +787,7 @@ sudo chmod 755 /var/lib/registry/data         # Registry data
 sudo ln -sf /var/lib/registry/data /opt/APP_NAME/registry/registry
 ```

-#### 5.4 Generate TLS Certificate and Install for Podman
+#### 5.2.4 Generate TLS Certificate and Install for Podman

 **Choose one of the following options based on whether you have a domain name:**

@ -888,9 +881,9 @@ sudo cp /etc/registry/certs/registry.crt /etc/containers/certs.d/YOUR_DOMAIN_NAM

 ---

-**After completing the steps for your chosen option, continue with Step 5.7 (Start Docker Registry with Docker Compose).**
+**After completing the steps for your chosen option, continue with Step 5.5 (Set Up Systemd Service for Docker Registry v2).**

-#### 5.5 Install Certificate for Podman (Option B Only)
+#### 5.3 Install Certificate for Podman (Option B Only)

 **Important**: This step adds the Let's Encrypt certificate for Podman. Since Let's Encrypt is a trusted CA, Podman will automatically trust this certificate.

@ -913,7 +906,7 @@ echo "Certificate installation completed successfully!"
 echo "Podman can now connect to the registry securely using your domain name"
 ```

-#### 5.6 Set Up Automatic Certificate Renewal (Option B Only)
+#### 5.4 Set Up Automatic Certificate Renewal (Option B Only)

 **Important**: Let's Encrypt certificates expire after 90 days, so we need to set up automatic renewal.

@ -930,7 +923,7 @@ echo "Automatic certificate renewal configured!"
 echo "Certificates will be renewed automatically and the registry service will be restarted"
 ```

-#### 5.7 Set Up Systemd Service for Docker Registry v2
+#### 5.5 Set Up Systemd Service for Docker Registry v2

 ```bash
 # Create system-wide Podman configuration to avoid permission issues
@ -969,7 +962,7 @@ sudo systemctl status docker-registry.service
 sudo journalctl -u docker-registry.service -f --no-pager -n 50
 ```

-#### 5.8 Verify Docker Registry v2 Service
+#### 5.6 Verify Docker Registry v2 Service

 ```bash
 # Check that the service is running properly
@ -985,7 +978,7 @@ sudo su - CI_SERVICE_USER -c "podman logs registry-pod-nginx"
 sudo su - CI_SERVICE_USER -c "podman logs registry-pod-registry"
 ```

-#### 5.9 Test Registry Setup
+#### 5.7 Test Registry Setup

 **For Option A (Self-signed certificates):**

@ -1432,7 +1425,6 @@ ls -la /tmp/ci-workspace
 The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) for better organization and security:

 **Application Files** (in `/opt/APP_NAME/registry/`):
- `docker-registry.yml` - Podman Compose configuration for Docker Registry v2 and nginx
 - `registry-pod.yaml` - Kubernetes Pod manifest for Docker Registry v2 and nginx
 - `nginx.conf` - nginx reverse proxy configuration from project repository  
 - `openssl.conf` - OpenSSL configuration for certificate generation from project repository
@ -2452,7 +2444,6 @@ sudo rm -rf /opt/APP_NAME/registry/openssl.conf
 sudo rm -rf /opt/APP_NAME/registry/certs/requests/openssl.conf

 # Note: DO NOT remove these files as they are needed for operation:
-# - /opt/APP_NAME/registry/docker-registry.yml
 # - /opt/APP_NAME/registry/registry-pod.yaml
 # - /opt/APP_NAME/registry/nginx.conf
 # - /opt/APP_NAME/registry/containers-policy.json  
--- a/registry/README.md
+++ b/registry/README.md
@ -4,7 +4,7 @@ This folder contains the configuration files for the Docker Registry setup used

 ## Files

- **`docker-registry.yml`**: Podman Compose configuration for Docker Registry v2 and nginx reverse proxy
+
 - **`nginx.conf`**: nginx configuration for HTTPS and authentication
 - **`docker-registry.service`**: Systemd service file for Docker Registry v2
 - **`README.md`**: This documentation file
--- a/registry/docker-registry.yml
+++ b/registry/docker-registry.yml
@ -1,66 +0,0 @@
-services:
-  registry:
-    image: registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
-    container_name: registry
-    restart: unless-stopped
-    user: "1000:1000"
-    environment:
-      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
-      # Disable image deletion for security
-      REGISTRY_STORAGE_DELETE_ENABLED: "false"
-      # Listen only inside the compose network
-      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
-      # TLS configuration
-      REGISTRY_HTTP_TLS_CERTIFICATE: /etc/registry/certs/registry.crt
-      REGISTRY_HTTP_TLS_KEY: /etc/registry/certs/private/registry.key
-    volumes:
-      - ./registry:/var/lib/registry
-      - /etc/registry/certs:/etc/registry/certs:ro
-    expose:
-      - "5000"   # internal only, not published
-    deploy:
-      resources:
-        limits:
-          cpus: '1.0'
-          memory: 1G
-        reservations:
-          cpus: '0.5'
-          memory: 512M
-    security_opt:
-      - no-new-privileges:true
-      - seccomp:unconfined
-    read_only: true
-    tmpfs:
-      - /tmp:noexec,nosuid,size=100m
-
-  nginx:
-    image: nginx@sha256:6650513efd1d27c1f8a5351cbd33edf85cc7e3b73dc4d4d4e8f8c0b3d0b3d0b3d
-    container_name: nginx
-    restart: unless-stopped
-    user: "1000:1000"
-    depends_on:
-      - registry
-    ports:
-      - "443:443"   # HTTPS only
-      - "4443:4443"
-      # deliberately no "80:80" – no HTTP
-    volumes:
-      - ./nginx.conf:/etc/nginx/nginx.conf:ro
-      - /etc/registry/certs:/etc/registry/certs:ro
-      - /etc/registry/auth/.htpasswd:/etc/nginx/.htpasswd:ro
-      - /var/log/nginx:/var/log/nginx
-      - ./containers-policy.json:/etc/containers/policy.json:ro
-    deploy:
-      resources:
-        limits:
-          cpus: '0.5'
-          memory: 512M
-        reservations:
-          cpus: '0.25'
-          memory: 256M
-    security_opt:
-      - no-new-privileges:true
-      - seccomp:unconfined
-    read_only: true
-    tmpfs:
-      - /tmp:noexec,nosuid,size=100m