sharenet/registry
continuist 0b4fb89e77
Change to use nginx instead of Caddy for docker registry
2025-08-18 18:18:30 -04:00
docker-compose.registry.yml - Change to use nginx instead of Caddy for docker registry (2025-08-18 18:18:30 -04:00)
docker-registry.service - Finish making Caddyfile work correctly (2025-08-16 16:25:23 -04:00)
nginx.conf - Change to use nginx instead of Caddy for docker registry (2025-08-18 18:18:30 -04:00)
openssl.conf - Update the CI guide to match the new config files for docker registry + caddy (2025-08-15 18:44:28 -04:00)
README.md - Change to use nginx instead of Caddy for docker registry (2025-08-18 18:18:30 -04:00)

Docker Registry Configuration

This folder contains the configuration files for the Docker Registry setup used in the CI/CD pipeline.

Files

  • docker-compose.registry.yml: Docker Compose configuration for the registry and the nginx reverse proxy in front of it
  • nginx.conf: nginx configuration for TLS termination and push authentication
  • docker-registry.service: systemd unit that manages the registry stack's lifecycle
  • openssl.conf: OpenSSL configuration file shipped in this folder (its use is not described in this README)
  • README.md: This documentation file

Architecture

The registry setup uses:

  • Docker Registry: Plain registry for storing Docker images; it performs no authentication of its own and relies on nginx for that
  • nginx: Reverse proxy that terminates HTTPS and enforces authentication on push operations
  • Environment Variables: Carry the authentication credentials and registry configuration
  • Service User: The registry and nginx services run as the existing CI_SERVICE_USER (not a separate registry user)

Authentication Model

  • Pulls: Unauthenticated (public read access). Anyone who can reach the proxy can enumerate every repository and tag and download every layer, so only images that may be public on the network the registry is exposed to belong here.
    • /v2/*/blobs/* (GET/HEAD) - Download image layers
    • /v2/*/manifests/* (GET/HEAD) - Download image manifests
    • /v2/_catalog - List repositories
    • /v2/*/tags/list - List image tags
  • Pushes: Require authentication with the registry-user credentials
    • /v2/*/blobs/uploads/* (POST/PATCH/PUT) - Start, continue and complete layer uploads (cross-repository blob mounts also begin with a POST to this path)
    • /v2/*/manifests/* (PUT/POST/PATCH/DELETE) - Create, replace or delete manifests
  • Blob deletion (DELETE on /v2/*/blobs/*) is not listed above. Because the proxy gates on HTTP method, it should be covered too; confirm it with an unauthenticated DELETE, which must return 401.

Security Features

  • URL-based access control: Different paths require different authentication levels
  • Method-based restrictions: Push operations (POST, PUT, PATCH, DELETE) require authentication; GET and HEAD do not
  • Path validation: nginx decides on both the URL pattern and the HTTP method, so a write method sent to a read path (for example a PUT to /v2/*/manifests/*, which shares its URL with a pull) is still challenged for credentials instead of being treated as a pull
  • Security headers: X-Content-Type-Options and X-Frame-Options are added to responses
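The pull/push split in the Authentication Model and the method check under Security Features map onto a single nginx location block. The following is an added example written for this README, not the project's nginx.conf; the upstream name, server name, certificate and htpasswd paths, the realm string and the timeouts are assumptions.

```nginx
# Added example (not the project's nginx.conf): anonymous pulls,
# authenticated pushes, for a Docker Registry behind nginx.
# Assumptions: the registry container is reachable as "registry:5000",
# the cert/key live under /etc/nginx/certs, and the htpasswd file is
# /etc/nginx/htpasswd.

upstream registry {
    server registry:5000;
}

server {
    listen 443 ssl;
    server_name registry.example.internal;   # assumption

    ssl_certificate     /etc/nginx/certs/registry.crt;  # assumption
    ssl_certificate_key /etc/nginx/certs/registry.key;  # assumption

    # Image layers are routinely hundreds of MB; nginx's default
    # client_max_body_size of 1m would reject pushes with 413.
    client_max_body_size 0;
    chunked_transfer_encoding on;

    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    location /v2/ {
        # GET and HEAD (manifest/blob/catalog/tag reads) pass through
        # unauthenticated. Every other method (POST/PUT/PATCH/DELETE,
        # i.e. uploads, manifest writes and deletes) must carry Basic
        # credentials that match the htpasswd file; otherwise nginx
        # answers 401 with a WWW-Authenticate: Basic challenge.
        # Keying on the method rather than the URL is what stops a PUT
        # to a manifests path from being treated as a pull.
        limit_except GET HEAD {
            auth_basic "Docker Registry";
            auth_basic_user_file /etc/nginx/htpasswd;
        }

        proxy_pass http://registry;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;   # large layer uploads take time
    }
}
```

To check the policy from a client, an unauthenticated `curl -X PUT https://<registry>/v2/app/manifests/latest` must return 401 with a `WWW-Authenticate: Basic` header, while `curl -I https://<registry>/v2/app/manifests/latest` without credentials must reach the registry (200 or 404 depending on whether the image exists). The htpasswd file can be produced with `htpasswd -Bbn user password` (bcrypt, which nginx accepts where the system crypt() supports it) or, portably, with `openssl passwd -apr1`.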

Configuration

The setup is configured through:

  1. Environment Variables: Stored in .env file (created during setup) for authentication
  2. Docker Compose Environment: Registry configuration via environment variables
  3. nginx.conf: Handles HTTPS and authentication
  4. Docker Compose: Orchestrates the registry and nginx services
  5. Systemd Service: Manages the Docker Registry service lifecycle
  6. User/Permissions: All files and services are owned and run by CI_SERVICE_USER for consistency and security

Usage

The registry is automatically set up during the CI/CD pipeline setup process. The configuration files are copied from this folder to the registry server and customized with the appropriate IP address and credentials. All files and running services should be owned by CI_SERVICE_USER.

Security

  • Authentication is HTTP Basic, checked by nginx against an htpasswd file. The registry itself runs without authentication, so it must only be reachable through nginx: confirm the registry container does not publish its port on the host, otherwise the push restrictions can be bypassed by talking to it directly.
  • TLS is terminated by nginx. Unlike Caddy, nginx does not obtain or renew certificates on its own, so the certificate and key referenced in nginx.conf have to be provisioned and rotated outside nginx.
  • Registry data is persisted in Docker volumes
  • The environment file contains the registry credentials and should be owned by CI_SERVICE_USER and readable by that user only (mode 600)
  • All files and services are owned by CI_SERVICE_USER (not a separate registry user)