# Docker Registry Configuration This folder contains the configuration files for the Docker Registry setup used in the CI/CD pipeline. ## Files - **`docker-compose.registry.yml`**: Docker Compose configuration for the registry and Caddy reverse proxy - **`Caddyfile`**: Caddy configuration for HTTPS and authentication - **`config.yml`**: Docker Registry configuration file - **`README.md`**: This documentation file ## Architecture The registry setup uses: - **Docker Registry**: Basic registry for storing Docker images - **Caddy**: Reverse proxy with automatic HTTPS and authentication - **Environment Variables**: For authentication credentials - **Service User**: The registry and Caddy services run as the existing `CI_SERVICE_USER` (not a separate registry user) ## Authentication Model - **Pulls**: Unauthenticated (public read access) - `/v2/*/blobs/*` - Download image layers - `/v2/*/manifests/*` - Download image manifests - `/v2/_catalog` - List repositories - `/v2/*/tags/list` - List image tags - **Pushes**: Require authentication with `registry-user` credentials - `/v2/*/blobs/uploads/*` - Upload image layers - `/v2/*/manifests/*` (PUT/POST/PATCH/DELETE) - Upload/update manifests ## Security Features - **URL-based access control**: Different paths require different authentication levels - **Method-based restrictions**: Push operations require authentication - **Path validation**: Prevents method spoofing by validating both URL patterns and HTTP methods - **Security headers**: X-Content-Type-Options, X-Frame-Options for additional protection ## Configuration The setup is configured through: 1. **Environment Variables**: Stored in `.env` file (created during setup) 2. **Caddyfile**: Handles HTTPS and authentication 3. **Docker Compose**: Orchestrates the registry and Caddy services 4. **Registry Config**: `config.yml` contains the Docker Registry configuration 5. **User/Permissions**: All files and services are owned and run by `CI_SERVICE_USER` for consistency and security ## Usage The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by `CI_SERVICE_USER`. ## Security - Authentication is handled by Caddy using environment variables - HTTPS is automatically managed by Caddy - Registry data is persisted in Docker volumes - Environment file contains sensitive credentials and should be properly secured - All files and services are owned by `CI_SERVICE_USER` (not a separate registry user)