devteam/sharenet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
sharenet/registry/README.md
continuist 838078f896
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
Details
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
Details
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
Details
Use CI service user to run docker registry
2025-07-13 11:06:38 -04:00

2.6 KiB
Raw Permalink Blame History

Docker Registry Configuration

This folder contains the configuration files for the Docker Registry setup used in the CI/CD pipeline.

Files

  • docker-compose.registry.yml: Docker Compose configuration for the registry and Caddy reverse proxy
  • Caddyfile: Caddy configuration for HTTPS and authentication
  • config.yml: Docker Registry configuration file
  • README.md: This documentation file

Architecture

The registry setup uses:

  • Docker Registry: Basic registry for storing Docker images
  • Caddy: Reverse proxy with automatic HTTPS and authentication
  • Environment Variables: For authentication credentials
  • Service User: The registry and Caddy services run as the existing CI_SERVICE_USER (not a separate registry user)

Authentication Model

  • Pulls: Unauthenticated (public read access)
    • /v2/*/blobs/* - Download image layers
    • /v2/*/manifests/* - Download image manifests
    • /v2/_catalog - List repositories
    • /v2/*/tags/list - List image tags
  • Pushes: Require authentication with registry-user credentials
    • /v2/*/blobs/uploads/* - Upload image layers
    • /v2/*/manifests/* (PUT/POST/PATCH/DELETE) - Upload/update manifests

Security Features

  • URL-based access control: Different paths require different authentication levels
  • Method-based restrictions: Push operations require authentication
  • Path validation: Prevents method spoofing by validating both URL patterns and HTTP methods
  • Security headers: X-Content-Type-Options, X-Frame-Options for additional protection

Configuration

The setup is configured through:

  1. Environment Variables: Stored in .env file (created during setup)
  2. Caddyfile: Handles HTTPS and authentication
  3. Docker Compose: Orchestrates the registry and Caddy services
  4. Registry Config: config.yml contains the Docker Registry configuration
  5. User/Permissions: All files and services are owned and run by CI_SERVICE_USER for consistency and security

Usage

The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by CI_SERVICE_USER.

Security

  • Authentication is handled by Caddy using environment variables
  • HTTPS is automatically managed by Caddy
  • Registry data is persisted in Docker volumes
  • Environment file contains sensitive credentials and should be properly secured
  • All files and services are owned by CI_SERVICE_USER (not a separate registry user)