devteam/sharenet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
sharenet/registry
History
Exact
continuist 491deea461
Some checks failed
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Has been cancelled
Details
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Has been cancelled
Details
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Has been cancelled
Details
Use own self-signed cert chain for Option A
2025-07-13 15:48:53 -04:00
..
Caddyfile Use own self-signed cert chain for Option A 2025-07-13 15:48:53 -04:00
config.yml Use own self-signed cert chain for Option A 2025-07-13 15:48:53 -04:00
docker-compose.registry.yml Configure for self-signed TLS 2025-07-13 11:35:11 -04:00
openssl.conf Use own self-signed cert chain for Option A 2025-07-13 15:48:53 -04:00
README.md Use CI service user to run docker registry 2025-07-13 11:06:38 -04:00

README.md

Docker Registry Configuration

This folder contains the configuration files for the Docker Registry setup used in the CI/CD pipeline.

Files

  • docker-compose.registry.yml: Docker Compose configuration for the registry and Caddy reverse proxy
  • Caddyfile: Caddy configuration for HTTPS and authentication
  • config.yml: Docker Registry configuration file
  • README.md: This documentation file

Architecture

The registry setup uses:

  • Docker Registry: Basic registry for storing Docker images
  • Caddy: Reverse proxy with automatic HTTPS and authentication
  • Environment Variables: For authentication credentials
  • Service User: The registry and Caddy services run as the existing CI_SERVICE_USER (not a separate registry user)

Authentication Model

  • Pulls: Unauthenticated (public read access)
    • /v2/*/blobs/* - Download image layers
    • /v2/*/manifests/* - Download image manifests
    • /v2/_catalog - List repositories
    • /v2/*/tags/list - List image tags
  • Pushes: Require authentication with registry-user credentials
    • /v2/*/blobs/uploads/* - Upload image layers
    • /v2/*/manifests/* (PUT/POST/PATCH/DELETE) - Upload/update manifests

Security Features

  • URL-based access control: Different paths require different authentication levels
  • Method-based restrictions: Push operations require authentication
  • Path validation: Prevents method spoofing by validating both URL patterns and HTTP methods
  • Security headers: X-Content-Type-Options, X-Frame-Options for additional protection

Configuration

The setup is configured through:

  1. Environment Variables: Stored in .env file (created during setup)
  2. Caddyfile: Handles HTTPS and authentication
  3. Docker Compose: Orchestrates the registry and Caddy services
  4. Registry Config: config.yml contains the Docker Registry configuration
  5. User/Permissions: All files and services are owned and run by CI_SERVICE_USER for consistency and security

Usage

The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by CI_SERVICE_USER.

Security

  • Authentication is handled by Caddy using environment variables
  • HTTPS is automatically managed by Caddy
  • Registry data is persisted in Docker volumes
  • Environment file contains sensitive credentials and should be properly secured
  • All files and services are owned by CI_SERVICE_USER (not a separate registry user)