Skip to main content

Advanced CLI Configuration

You can modify the deployment of the pack registry by providing a YAML configuration file. You can also override default configuration options through the usage of environment variables.

The configuration file is divided into keys and values. The following is an example of a YAML configuration.

version: 0.1
log:
level: info
fields:
environment: test

The key version has a number value. The log key has a value with multiple keys, which in turn have more keys.

To override the value of log.level you can specify an environment variable named REGISTRY_LOG_LEVEL.

export REGISTRY_LOG_LEVEL=debug

Default Configuration

The docker image for the registry contains the following default configuration values.

version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /data/.spectro-server
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
Strict-Transport-Security: [max-age=63072000; includeSubdomains; preload]
Content-Security-Policy: [img-src 'self'; script-src 'self'; style-src 'self]
X-Frame-Options: [DENY]
X-XSS-Protection: [1; mode=block]
Referrer-Policy: [same-origin]
auth:
htpasswd:
realm: basic-realm
path: /auth/htpasswd-basic

The server is started with the command registy serve /etc/spectro/config.yml. You can override the default values with specific values through environment variables, or you can use your own configuration file.

For example, you can start the docker container image with the following environment by using the variables to override the basic auth realm and logging level. In the following example, the -e flag is used to provide environment variables to the container.

docker run -d \
--rm \
-p 443:5000 \
--name spectro-registry\
--volume $(pwd)/spectropaxconfig/:/etc/spectropaxconfig/
-e REGISTRY_LOG_LEVEL=debug \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="My Enterprise Realm" \
gcr.io/spectro-images-public/release/spectro-registry:4.0.2

Alternatively, you can start the container by mounting a directory with a new configuration file and pointing the server command to the configuration file.

docker run -d \
--rm \
-p 443:5000 \
--name spectro-registry \
--volume $(pwd)/myconfig.yml:/etc/myconfig.yml \
gcr.io/spectro-images-public/release/spectro-registry:4.0.2 \
serve /etc/spectropaxconfig/myconfig.yml

Storage Backend

The pack registry can store data on a file system through a mounted volume, or you can specify object storage such as AWS S3.

The following is an example of a configuration using a file system backend.

storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /tmp/registry/data/.spectro-server

If you are using S3 Storage, ensure you specify the required S3 parameters.

storage:
cache:
blobdescriptor: inmemory
s3:
region: us-east-1
bucket: my-bucket
rootdirectory: /registry
encrypt: true|false
secure: false|true
accesskey: SAMPLEACCESSKEY
secretkey: SUPERSECRET
host: OPTIONAL_MINIO_HOST_IF_USING
port: OPTIONAL_MINIO_PORT_IF_USING

You can also use ephemeral storage. We recommend using ephemeral storage for testing purposes. Production environments should use object storage or a file system.

storage: inmemory

Authentication

You can configure basic HTTP Auth. Basic Auth requires providing the pack registry server with an httppasswd file containing the credentials.

auth:
htpasswd:
realm: basic-realm
path: /auth/htpasswd-basic

HTTP

The following options are available for modifying HTTP transport:

Server and Port

For serving content on all interfaces on port 5000:

http:
addr: :5000

Alternatively, the server can bind to a single IP and different port:

http:
addr: 192.168.122.77:25000

HTTP Headers

The following headers are the default, and can be overridden:

http:
headers:
X-Content-Type-Options: [nosniff]
Strict-Transport-Security: [max-age=63072000; includeSubdomains; preload]
Content-Security-Policy: [img-src 'self'; script-src 'self'; style-src 'self]
X-Frame-Options: [DENY]
X-XSS-Protection: [1; mode=block]
Referrer-Policy: [same-origin]

TLS

TLS can be configured using Let's Encrypt or custom TLS certificates:

When using Let's Encrypt, your registry server must be assigned to a public IP address accessible for HTTP-based validation by the Let's Encrypt services. Check out the Deploy Pack Registry Server with Let's Encrypt guide to learn more.

http:
addr: :5000
tls:
letsencrypt:
cachefile: le-cache
email: oz@spectrocloud.com
hosts:
- pax-registry.spectrocloud.com

Let's Encrypt limits the number of free certificates issued for each domain for a set time. We recommend you mount a volume where the certificates are permanently stored. Use the option cachefile to enable this behavior.

You can specify custom certificates by providing the file path to the certificate files.

http:
tls:
certificate: /path/to/x509/certificate/file
key: /pat/to/x509/key/file/which contains/private key/for x509 certificate above
clientcas: /path/to/file/with one or more/CA certificates encoded as PEM
minimumtls: minimum tls version to use