diff --git a/.github/workflows/docker-registry.yml b/.github/workflows/docker-registry.yml
new file mode 100644
index 0000000..251d11c
--- /dev/null
+++ b/.github/workflows/docker-registry.yml
@@ -0,0 +1,82 @@
+---
+name: docker-mcvs-registry
+"on":
+ push:
+ tags:
+ - "*"
+ paths:
+ - "registry/**"
+ pull_request:
+ paths:
+ - "registry/**"
+permissions:
+ contents: read
+ packages: write
+env:
+ DOCKERFILE_CONTEXT: ./registry
+ IMAGE_MANIFEST_LIST: datadog/agent:7.59.0
+ IMAGE_MANIFEST_SINGLE: nginx/nginx:1.27.0
+ REGCTL_VERSION: v0.8.0
+ REGISTRY_LOCAL: localhost:5000
+ REGISTRY_REMOTE: public.ecr.aws
+ REGISTRY_VERSION: 3.0.0-rc.2
+jobs:
+ build-and-publish:
+ runs-on: ubuntu-22.04
+ strategy:
+ matrix:
+ build-args:
+ - mcvs-registry
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4.0.0
+ - name: Install regctl
+ uses: regclient/actions/regctl-installer@main
+ with:
+ release: ${{ env.REGCTL_VERSION }}
+ - name: Create registry backup directory
+ run: mkdir -p ${{ env.DOCKERFILE_CONTEXT }}/backup-registry
+ - name: Pull images data and prepare context directory
+ if: startsWith(github.ref, 'refs/tags/')
+ shell: bash
+ run: |
+ #!/bin/bash
+
+ docker run -d \
+ -p 5000:5000 \
+ --name mcvs-registry-tmp \
+ registry:${{ env.REGISTRY_VERSION }}
+
+ # disable tls for local tmp registry
+ regctl registry set --tls disabled ${{ env.REGISTRY_LOCAL }}
+
+ # import image with manifest list
+ regctl \
+ image \
+ copy --digest-tags \
+ ${{ env.REGISTRY_REMOTE }}/${{ env.IMAGE_MANIFEST_LIST }} \
+ ${{ env.REGISTRY_LOCAL }}/${{ env.IMAGE_MANIFEST_LIST }}
+
+ # import image with single manifest
+ regctl \
+ image \
+ copy --digest-tags \
+ ${{ env.REGISTRY_REMOTE }}/${{ env.IMAGE_MANIFEST_SINGLE }} \
+ ${{ env.REGISTRY_LOCAL }}/${{ env.IMAGE_MANIFEST_SINGLE }}
+
+ # export images files to backup directory
+ docker \
+ cp \
+ mcvs-registry-tmp:/var/lib/registry \
+ ${{ env.DOCKERFILE_CONTEXT }}/backup-registry
+
+ # clean up the registry container
+ docker rm -f mcvs-registry-tmp
+
+ - uses: schubergphilis/mcvs-docker-action@v0.6.1
+ with:
+ build-args: ${{ matrix.build-args }}
+ context: ${{ env.DOCKERFILE_CONTEXT }}
+ dockle-accept-key: "curl,HOME,libcrypto3,libssl3,PATH"
+ images: ghcr.io/${{ github.repository }}/${{ matrix.build-args }}
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..b29deec
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1 @@
+CVE-2024-45338 exp:2025-01-26
diff --git a/registry/Dockerfile b/registry/Dockerfile
new file mode 100644
index 0000000..f2a46bc
--- /dev/null
+++ b/registry/Dockerfile
@@ -0,0 +1,10 @@
+FROM registry:3.0.0-rc.2
+ARG APPLICATION
+RUN apk update && \
+ apk upgrade
+# A custom config file is needed to disable default cache
+# By default the cache is "blobdescriptor: inmemory"
+# The config-example.yml file of this repo disables it
+# https://github.com/distribution/distribution-library-image
+COPY ./config-example.yml /etc/docker/registry/config.yml
+COPY ./backup-registry /var/lib/registry
diff --git a/registry/config-example.yml b/registry/config-example.yml
new file mode 100644
index 0000000..e55bc99
--- /dev/null
+++ b/registry/config-example.yml
@@ -0,0 +1,19 @@
+---
+version: 0.1
+log:
+ fields:
+ service: registry
+storage:
+ cache:
+ blobdescriptor: ""
+ filesystem:
+ rootdirectory: /var/lib/registry
+http:
+ addr: :5000
+ headers:
+ X-Content-Type-Options: [nosniff]
+health:
+ storagedriver:
+ enabled: true
+ interval: 10s
+ threshold: 3