Docker Registry Implementation #889
Conversation
There was a problem hiding this comment.
It's almost real!
Documentation is awesome. Overall, three things to consider:
- Make all addresses configurable for easy build on dev/prod
- Make it possible to prevent public image pulls
- Link to critical knowledge to prevent future pain if anyone needs to revisit this logic
| }, 403 | ||
|
|
||
| dojo_name = m.group("dojo_id") | ||
| dojo_hex = m.group("dojo_hex") |
There was a problem hiding this comment.
All dojos do not have a dojo_hex. A dojo can be made "official" at which point the dojo_hex is removed from the reference_id.
| requested = set(a.strip() for a in actions if a) | ||
| allowed = set() | ||
|
|
||
| if "pull" in requested: |
There was a problem hiding this comment.
I can think of cases where we do not want all challenge images to be pullable.
| continue | ||
|
|
||
| for client in all_docker_clients(): | ||
| image_name = f"registry.localhost.pwn.college/{image}" |
There was a problem hiding this comment.
Hardcoded address, likely will not resolve on prod or custom deployments.
| if DOCKER_USERNAME and DOCKER_TOKEN: | ||
| client.login(DOCKER_USERNAME, DOCKER_TOKEN) | ||
| logger.info(f"Pulling image {image} on {client.api.base_url}...") | ||
| client.login(DOCKER_USERNAME, DOCKER_TOKEN, registry="registry.localhost.pwn.college") |
|
|
||
| PRIVATE_KEY_PATH = os.getenv("PRIVATE_KEY_PATH", "/keys/private.key") | ||
| PUBLIC_KEY_PATH = os.getenv("PUBLIC_KEY_PATH", "/keys/public.key") | ||
| ISSUER = os.getenv("TOKEN_ISSUER", "auth.localhost.pwn.college") |
| @@ -0,0 +1,154 @@ | |||
| #!/usr/bin/env python3 | |||
There was a problem hiding this comment.
IIRC some of the implementation details here were based on hard to find documentation. Can we include the a link to the relevant documentation as a comment?
|
|
||
| ## Nginx Proxy Routes | ||
|
|
||
| `dojo/nginx-proxy/etc/nginx/vhost.d/registry.localhost.pwn.college` illustrates path-based routing (replace with your domain in production): |
There was a problem hiding this comment.
We should probably wrap all domain names used in the code in a variable that we can change in the docker-compose.yml.
More generally, we need to easily configure the registry to work in a dev environment (without HTTPS with localhost addresses) and also in prod (with HTTPS with publicly resolvable addresses).
| - Confirm vhost routes for `/v2/` and `/auth/token` | ||
| - If you change `REGISTRY_AUTH_TOKEN_ISSUER`, remember to change the auth service token issuer variable. | ||
|
|
||
| ## Private Docker Registry with Token Auth (Correct KID + Cert Flow) |
There was a problem hiding this comment.
Include link to relevant outside resources on registery auth process?
| - VIRTUAL_PORT=5000 | ||
| - HTTPS_METHOD=noredirect | ||
| - REGISTRY_AUTH=token | ||
| - REGISTRY_AUTH_TOKEN_REALM=https://registry.pwn.college/auth/token #https://registry.localhost.pwn.college/auth/token |
There was a problem hiding this comment.
We should set this up such that these environment variables are configured via .env with docker compose to allow easy dev & prod standup.
|
It'd also be amazing if we could have some tests for this so we don't accidentally break prod. 😆 |
Setting up a private pwn college docker registry. documentation is listed under the docs folder named
registry.md.