devteam/sharenet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
sharenet/registry/README.md
continuist 838078f896
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
Details
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
Details
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
Details
Use CI service user to run docker registry
2025-07-13 11:06:38 -04:00

57 lines
No EOL
2.6 KiB
Markdown
Raw Permalink Blame History

# Docker Registry Configuration
This folder contains the configuration files for the Docker Registry setup used in the CI/CD pipeline.
## Files
- **`docker-compose.registry.yml`**: Docker Compose configuration for the registry and Caddy reverse proxy
- **`Caddyfile`**: Caddy configuration for HTTPS and authentication
- **`config.yml`**: Docker Registry configuration file
- **`README.md`**: This documentation file
## Architecture
The registry setup uses:
- **Docker Registry**: Basic registry for storing Docker images
- **Caddy**: Reverse proxy with automatic HTTPS and authentication
- **Environment Variables**: For authentication credentials
- **Service User**: The registry and Caddy services run as the existing `CI_SERVICE_USER` (not a separate registry user)
## Authentication Model
- **Pulls**: Unauthenticated (public read access)
- `/v2/*/blobs/*` - Download image layers
- `/v2/*/manifests/*` - Download image manifests
- `/v2/_catalog` - List repositories
- `/v2/*/tags/list` - List image tags
- **Pushes**: Require authentication with `registry-user` credentials
- `/v2/*/blobs/uploads/*` - Upload image layers
- `/v2/*/manifests/*` (PUT/POST/PATCH/DELETE) - Upload/update manifests
## Security Features
- **URL-based access control**: Different paths require different authentication levels
- **Method-based restrictions**: Push operations require authentication
- **Path validation**: Prevents method spoofing by validating both URL patterns and HTTP methods
- **Security headers**: X-Content-Type-Options, X-Frame-Options for additional protection
## Configuration
The setup is configured through:
1. **Environment Variables**: Stored in `.env` file (created during setup)
2. **Caddyfile**: Handles HTTPS and authentication
3. **Docker Compose**: Orchestrates the registry and Caddy services
4. **Registry Config**: `config.yml` contains the Docker Registry configuration
5. **User/Permissions**: All files and services are owned and run by `CI_SERVICE_USER` for consistency and security
## Usage
The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by `CI_SERVICE_USER`.
## Security
- Authentication is handled by Caddy using environment variables
- HTTPS is automatically managed by Caddy
- Registry data is persisted in Docker volumes
- Environment file contains sensitive credentials and should be properly secured
- All files and services are owned by `CI_SERVICE_USER` (not a separate registry user)
Reference in a new issue View git blame Copy permalink