Closed sardaukar closed 5 months ago
This will be my next priority after #17
Thanks for reporting it ;)
Some initial thoughts. We should provide a new section in the target configuration to configure custom registries with:
- address
- username
- password
When configuring a target, we can use those credentials to populate the docker `CredentialsStore`:
```go
// Imports: github.com/docker/cli/cli/command, github.com/docker/cli/cli/flags,
// github.com/docker/cli/cli/config/types
cli, _ := command.NewDockerCli()
cli.Initialize(flags.NewClientOptions())
// Looks like the domain here is only used to get an appropriate helper
store := cli.ConfigFile().GetCredentialsStore("https://index.docker.io/v1/")
err = store.Store(types.AuthConfig{
	Username:      "<username>",
	Password:      "<personal access token>",
	ServerAddress: "https://index.docker.io/v1/", // Here for the docker hub private registries
})
```
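As an added example (not seelf's code and not part of the comment above): one way per-registry address/username/password settings can be matched to an image reference and encoded as the base64url JSON value the Docker Engine API accepts in the `X-Registry-Auth` header, returning nothing when no registry matches so credentials are never sent to a different host. `Registry`, `registryHost` and `authFor` are hypothetical names, the sample values are constructed, and addresses are assumed to be full URLs.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Registry mirrors the three settings proposed above (hypothetical type).
type Registry struct{ Address, Username, Password string }

// registryHost returns the registry host of an image reference. Simplified rule:
// a first component without "." or ":" (and not "localhost") means Docker Hub.
func registryHost(image string) string {
	first, _, found := strings.Cut(image, "/")
	if !found || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "index.docker.io"
	}
	return first
}

// authFor returns the X-Registry-Auth value for image, or "" when no
// configured registry matches its host (fail closed: no credentials sent).
func authFor(image string, regs []Registry) (string, error) {
	host := registryHost(image)
	for _, r := range regs {
		u, err := url.Parse(r.Address)
		if err != nil {
			return "", err
		}
		if u.Host != host {
			continue
		}
		payload, err := json.Marshal(map[string]string{
			"username": r.Username, "password": r.Password, "serveraddress": r.Address,
		})
		return base64.URLEncoding.EncodeToString(payload), err
	}
	return "", nil
}

func main() {
	// Constructed sample registry and credentials.
	regs := []Registry{{Address: "https://registry.my.domain", Username: "alice", Password: "constructed-password"}}
	fmt.Println(authFor("registry.my.domain/team/app:1.0", regs))
}
```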
I logged in to my private registry on the local Docker daemon and tried creating an app with an image from that registry, but it says it's missing basic auth.
When you're talking about your private registry, are you talking about Docker Hub private ones or self-hosted with the `registry` image?
I mean my personal self-hosted one, yes
I'd never use custom self-hosted docker registries. Could you provide the command you use to start the registry and how you log into it so I can reproduce it exactly?
This is my setup for it on dockge, should be similar on normal compose:
```yaml
services:
  registry:
    image: registry:2.8.3
    restart: always
    volumes:
      - /volume1/docker/compose/data/registry/config.yml:/etc/docker/registry/config.yml
      - /volume1/docker/compose/data/registry/data:/data
      - /volume1/docker/compose/data/registry/auth:/auth
  ui:
    image: joxit/docker-registry-ui:main
    restart: always
    environment:
      - SINGLE_REGISTRY=true
      - REGISTRY_TITLE=Docker Registry UI
      - DELETE_IMAGES=true
      - SHOW_CONTENT_DIGEST=true
      - NGINX_PROXY_PASS_URL=http://registry:5000
      - SHOW_CATALOG_NB_TAGS=true
      - CATALOG_MIN_BRANCHES=1
      - CATALOG_MAX_BRANCHES=1
      - TAGLIST_PAGE_SIZE=100
      - REGISTRY_SECURED=true
      - CATALOG_ELEMENTS_LIMIT=1000
    labels:
      traefik.enable: "true"
      traefik.http.routers.registry-ui.rule: Host(`registry.my.domain`)
      traefik.http.routers.registry-ui.service: registry-ui
      traefik.http.routers.registry-ui.entrypoints: https
      traefik.http.routers.registry-ui.tls.certresolver: gandi
      traefik.http.routers.registry-ui.tls.domains[0].main: my.domain
      traefik.http.routers.registry-ui.tls.domains[0].sans: "*.my.domain"
      traefik.http.services.registry-ui.loadbalancer.server.port: "80"
```
I run the `registry` image and a UI for it. The `auth` mount for the registry has a simple `htpasswd` file, created with `apache-utils`.
This is the `config.yml` for the registry:
```yaml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /data
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['*']
    Access-Control-Allow-Methods: ['*']
    Access-Control-Allow-Credentials: [true]
    Access-Control-Allow-Headers: [Authorization, Accept, Cache-Control]
    Access-Control-Expose-Headers: [Docker-Content-Digest]
  secret: super_secret_string
  host: https://registry.my.domain
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
auth:
  htpasswd:
    realm: "Registry Realm"
    path: /auth/htpasswd
```
Let me know if you need more info
I got something working but would like your opinion. At first, I've decided to add a custom registries option to the Docker provider (so they are configured per target) but I'm wondering if it should be a resource on its own, like Apps & Targets :/ What do you think?
And thanks for providing your configuration, I got it working locally to test my implementation :)
The custom registries aren't a property of the running Docker daemon, so to me it makes sense to have them separately.
OR just use the ones that the running Docker has logins for (in `~/.docker/config.json`) and then the user logs in to those registries outside of seelf and you don't have a UI for it.
I do prefer the first option 😃
So from your perspective registries should be shared across targets right?
And yes, the goal is to have a UI so you don't have to mess with the CLI :)
I think they should be shared, yes. I can run the same custom registry image on multiple Docker daemons, and configuring it just once would make the most sense.
I'm almost done, will work on the appropriate documentation this afternoon.
:tada: This issue has been resolved in version 2.3.0 :tada:
The release is available on:
v2.3.0
Your semantic-release bot :package::rocket:
Excited to try this out later, kudos!
Fingers crossed! I hope everything will be good :)
Ok, just tried it and works flawlessly! Thanks - I did find an issue but will open it separately