fix: [#34] added workflow to generate mcvs-registry docker image (#35)

* fix: [#34] added workflow to generate mcvs-registry docker image * fix: [#34] fixed linter warnings * fix: [#34] added tmp mcvs-docker-action version to text build with context * fix: [#34] changes to resolve PR feedback * fix: [#34] updated dockerfile context path * fix: [#34] added missing permissions to manage docker images * fix: [#34] removed buildx * fix: [#34] upgraded pkgs to fix vulns * fix: [#34] updated registry base image to RC to solve vulns * fix: [#34] added trivy ignore file * fix: [#34] removed condition block to test pulling of images * fix: [#34] updated docker github action version * fix: [#34] added go setup * fix: [#34] added regctl version for test * fix: [#34] removed condition for testing * fix: [#34] added shell parameter * fix: [#34] added print ls -la * fix: [#34] added cat to regctl * fix: [#34] added cat to regctl * fix: [#34] removed condition for testing * fix: [#34] added correct version of regctl * fix: [#34] disabled regctl tls for local registry * fix: [#34] added condition to prevent images pulling
schubergphilis · Dec 27, 2024 · dea41ad · dea41ad
1 parent 7ac6697
commit dea41ad
Show file tree

Hide file tree

Showing 4 changed files with 112 additions and 0 deletions.
diff --git a/.github/workflows/docker-registry.yml b/.github/workflows/docker-registry.yml
@@ -0,0 +1,82 @@
+---
+name: docker-mcvs-registry
+"on":
+  push:
+    tags:
+      - "*"
+    paths:
+      - "registry/**"
+  pull_request:
+    paths:
+      - "registry/**"
+permissions:
+  contents: read
+  packages: write
+env:
+  DOCKERFILE_CONTEXT: ./registry
+  IMAGE_MANIFEST_LIST: datadog/agent:7.59.0
+  IMAGE_MANIFEST_SINGLE: nginx/nginx:1.27.0
+  REGCTL_VERSION: v0.8.0
+  REGISTRY_LOCAL: localhost:5000
+  REGISTRY_REMOTE: public.ecr.aws
+  REGISTRY_VERSION: 3.0.0-rc.2
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        build-args:
+          - mcvs-registry
+    steps:
+      - name: Checkout repository
+        uses: actions/[email protected]
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
+        with:
+          release: ${{ env.REGCTL_VERSION }}
+      - name: Create registry backup directory
+        run: mkdir -p ${{ env.DOCKERFILE_CONTEXT }}/backup-registry
+      - name: Pull images data and prepare context directory
+        if: startsWith(github.ref, 'refs/tags/')
+        shell: bash
+        run: |
+          #!/bin/bash
+
+          docker run -d \
+            -p 5000:5000 \
+            --name mcvs-registry-tmp \
+            registry:${{ env.REGISTRY_VERSION }}
+
+          # disable tls for local tmp registry
+          regctl registry set --tls disabled ${{ env.REGISTRY_LOCAL }}
+
+          # import image with manifest list
+          regctl \
+            image \
+            copy --digest-tags \
+            ${{ env.REGISTRY_REMOTE }}/${{ env.IMAGE_MANIFEST_LIST }} \
+            ${{ env.REGISTRY_LOCAL }}/${{ env.IMAGE_MANIFEST_LIST }}
+
+          # import image with single manifest
+          regctl \
+            image \
+            copy --digest-tags \
+            ${{ env.REGISTRY_REMOTE }}/${{ env.IMAGE_MANIFEST_SINGLE }} \
+            ${{ env.REGISTRY_LOCAL }}/${{ env.IMAGE_MANIFEST_SINGLE }}
+
+          # export images files to backup directory
+          docker \
+            cp \
+            mcvs-registry-tmp:/var/lib/registry \
+            ${{ env.DOCKERFILE_CONTEXT }}/backup-registry
+
+          # clean up the registry container
+          docker rm -f mcvs-registry-tmp
+
+      - uses: schubergphilis/[email protected]
+        with:
+          build-args: ${{ matrix.build-args }}
+          context: ${{ env.DOCKERFILE_CONTEXT }}
+          dockle-accept-key: "curl,HOME,libcrypto3,libssl3,PATH"
+          images: ghcr.io/${{ github.repository }}/${{ matrix.build-args }}
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1 @@
+CVE-2024-45338 exp:2025-01-26
diff --git a/registry/Dockerfile b/registry/Dockerfile
@@ -0,0 +1,10 @@
+FROM registry:3.0.0-rc.2
+ARG APPLICATION
+RUN apk update && \
+    apk upgrade
+# A custom config file is needed to disable default cache
+# By default the cache is "blobdescriptor: inmemory"
+# The config-example.yml file of this repo disables it
+# https://github.com/distribution/distribution-library-image
+COPY ./config-example.yml /etc/docker/registry/config.yml
+COPY ./backup-registry /var/lib/registry
diff --git a/registry/config-example.yml b/registry/config-example.yml
@@ -0,0 +1,19 @@
+---
+version: 0.1
+log:
+  fields:
+    service: registry
+storage:
+  cache:
+    blobdescriptor: ""
+  filesystem:
+    rootdirectory: /var/lib/registry
+http:
+  addr: :5000
+  headers:
+    X-Content-Type-Options: [nosniff]
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3