Chainguard Container for boring-registry
Minimal image with the boring-registry server application.
Chainguard Containers are regularly-updated, secure-by-default container images.
Download this Container Image
For those with access, this container image is available on cgr.dev:
docker pull cgr.dev/ORGANIZATION/boring-registry:latest
Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.
Usage
To run boring-registry:
$ docker run cgr.dev/chainguard/boring-registry:latest
Usage:
boring-registry [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
migrate Migrate modules
server Starts the server component
upload Upload modules and providers
version Prints the version of the Boring Registry
Flags:
--debug Enable debug logging
-h, --help help for boring-registry
--json Enable json logging
--storage-gcs-bucket string Bucket to use when using the GCS registry type
--storage-gcs-prefix string Prefix to use when using the GCS registry type
--storage-gcs-sa-email string Google service account email to be used for Application Default Credentials (ADC).
GOOGLE_APPLICATION_CREDENTIALS environment variable might be used as alternative.
For GCS presigned URLs this SA needs the iam.serviceAccountTokenCreator role.
--storage-gcs-signedurl-expiry duration Generate GCS signed URL valid for X seconds. Only meaningful if used in combination with --gcs-signedurl (default 30s)
--storage-s3-bucket string S3 bucket to use for the registry
--storage-s3-endpoint string S3 bucket endpoint URL (required for MINIO)
--storage-s3-pathstyle S3 use PathStyle (required for MINIO)
--storage-s3-prefix string S3 bucket prefix to use for the registry
--storage-s3-region string S3 bucket region to use for the registry
--storage-s3-signedurl-expiry duration Generate S3 signed URL valid for X seconds. Only meaningful if used in combination with --storage-s3-signedurl (default 30s)
Use "boring-registry [command] --help" for more information about a command.
The server command can be used to start the registry server:
# docker run cgr.dev/chainguard/boring-registry:latest server
Usage:
boring-registry server [flags]
Flags:
--auth-okta-claims strings Okta claims to validate
--auth-okta-issuer string Okta issuer
--auth-static-token strings Static API token to protect the boring-registry
-h, --help help for server
--listen-address string Address to listen on (default ":5601")
--listen-telemetry-address string Telemetry address to listen on (default ":7801")
--login-authz string The server's authorization endpoint
--login-client string The client_id value to use when making requests
--login-grant-types strings An array describing a set of OAuth 2.0 grant types (default [authz_code])
--login-ports ints Inclusive range of TCP ports that Terraform may use (default [10000,10010])
--login-scopes strings List of scopes
--login-token string The server's token endpoint
--storage-module-archive-format string Archive file format for modules, specified without the leading dot (default "tar.gz")
--tls-cert-file string TLS certificate to serve
--tls-key-file string TLS private key to serve
Global Flags:
--debug Enable debug logging
--json Enable json logging
--storage-gcs-bucket string Bucket to use when using the GCS registry type
--storage-gcs-prefix string Prefix to use when using the GCS registry type
--storage-gcs-sa-email string Google service account email to be used for Application Default Credentials (ADC).
GOOGLE_APPLICATION_CREDENTIALS environment variable might be used as alternative.
For GCS presigned URLs this SA needs the iam.serviceAccountTokenCreator role.
--storage-gcs-signedurl-expiry duration Generate GCS signed URL valid for X seconds. Only meaningful if used in combination with --gcs-signedurl (default 30s)
--storage-s3-bucket string S3 bucket to use for the registry
--storage-s3-endpoint string S3 bucket endpoint URL (required for MINIO)
--storage-s3-pathstyle S3 use PathStyle (required for MINIO)
--storage-s3-prefix string S3 bucket prefix to use for the registry
--storage-s3-region string S3 bucket region to use for the registry
--storage-s3-signedurl-expiry duration Generate S3 signed URL valid for X seconds. Only meaningful if used in combination with --storage-s3-signedurl (default 30s)
failed to setup server: please specify a valid storage provider
As the final line of the output shows, the server will not start until you specify a storage provider, and the credentials for it, using the appropriate flags.
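A fuller invocation for this step, as an added example rather than code from Chainguard or the boring-registry project: a shell function that prints the `server` command line and refuses to build it unless an S3 bucket and region, a non-empty token file and a TLS key pair are all present. The bucket, region, file names and the use of the standard AWS credential environment variables are assumptions; the flags are the ones listed in the help output above.

```shell
#!/bin/sh
# Added example: assemble a `docker run` command line for
# `boring-registry server` with S3 storage, a static API token and TLS.
# Bucket, region and file names are constructed values, not project defaults.

IMAGE="cgr.dev/ORGANIZATION/boring-registry:latest"   # placeholder org, as on the page

# build_server_cmd BUCKET REGION TOKEN_FILE CERT_DIR
# Prints the command one argument per line so it can be reviewed first.
build_server_cmd() {
    bucket=$1 region=$2 token_file=$3 cert_dir=$4

    # Without a storage provider the server exits with
    # "please specify a valid storage provider".
    [ -n "$bucket" ] && [ -n "$region" ] || {
        echo "storage: bucket and region are required" >&2; return 2; }

    # Do not expose the registry without authentication ...
    [ -s "$token_file" ] || {
        echo "auth: token file missing or empty" >&2; return 3; }

    # ... or without TLS, since the token travels in every request.
    [ -f "$cert_dir/tls.crt" ] && [ -f "$cert_dir/tls.key" ] || {
        echo "tls: tls.crt / tls.key not found in $cert_dir" >&2; return 4; }

    token=$(cat "$token_file")

    # Assumption: the S3 backend reads credentials from the standard AWS
    # environment variables; `-e NAME` forwards them from the host without
    # writing their values into the command line.
    # Note: the static token does end up in the container's argument list,
    # so limit who can inspect containers on this host.
    printf '%s\n' docker run --rm \
        -p 5601:5601 \
        -v "$cert_dir:/tls:ro" \
        -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
        "$IMAGE" server \
        --storage-s3-bucket "$bucket" \
        --storage-s3-region "$region" \
        --auth-static-token "$token" \
        --tls-cert-file /tls/tls.crt \
        --tls-key-file /tls/tls.key
}
```

The mounted certificate and key must be readable by the user the container runs as.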
Helm
This image is a drop-in replacement for the upstream image and can be used in the upstream Helm chart with an invocation like:
helm upgrade --install boring-registry oci://ghcr.io/tiermobility/charts/boring-registry \
--set global.image.repository=cgr.dev/chainguard/boring-registry \
--set global.image.tag="latest" \
--wait
What are Chainguard Containers?
Chainguard Containers are minimal container images that are secure by default.
In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.
The main features of Chainguard Containers include:
For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.
Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.
Learn More
To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.
In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.
Trademarks
This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.