Challenge, Medium,  on  ContainersSecurity

Secure a Container Registry with Authentication and TLS

Ivan Velichko
by  Ivan Velichko

A container registry without authentication is rarely useful outside of a local context. Once other machines and services can reach it, you usually need to decide who is allowed to push and pull images.

The common (for registries) way to implement authentication is HTTP Basic Auth. But Basic Auth is only secure over HTTPS - the username and password are sent unencrypted, so using it without TLS would make the credentials leak rather quickly.

In this challenge, you'll set up a registry that requires a username and password, and serves traffic over TLS.

Given

The TLS certificate and key for the registry-1.corp hostname (trusted in the challenge's environment):

~/certs/

The username and password for authenticated access:

username: iximiuzlabs
password: rules!

The task

Expose an OCI Distribution compatible registry at:

https://registry-1.corp

It must listen on port 443 on the registry-1 (current) host.

The endpoint must:

  • Serve HTTPS using the provided registry-1.corp certificate (in ~/certs/)
  • Reject anonymous requests with HTTP 401 or HTTP 403
  • Allow iximiuzlabs / rules! to push an image
  • Allow the same user to pull the image back

The implementation is up to you. You can use the registry's built-in TLS and auth support, put a reverse proxy in front, or use another setup entirely. The verifier only checks the behavior of the https://registry-1.corp endpoint (as a black box).

Hint 1

A registry is just an HTTP server speaking the OCI Distribution Spec API. "Authenticated and served over HTTPS" adds two orthogonal concerns on top of that:

  • Authentication
  • TLS termination

Those two jobs can be handled by the registry itself, or by a reverse proxy in front of it.

Hint 2

Two common approaches:

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge run-secure-container-registry

This will create a local copy of the challenge content in a directory named run-secure-container-registry. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge run-secure-container-registry

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge