8

We are developing and building docker images in our intranet, and need to deploy them to several hosts belonging to us (developers, internal testing, external testing and so on). Some of these are in our intranet, some are accessible for 3rd parties on the internet.

The final deployment is inside the customer's intranet on several nodes (production, different test stages). These are behind firewalls that don't regularly let them access things outside their intranet, i.e., while some of them can be allowed to access an external registry for deployment, others can't and images have to be delivered manually through some arcane software upload tool.

I am looking for a way to have a registry on the internet (possibly run by ourselves on some VM out there, preferably not) which allows the images to be stored encrypted (preferably GPG or similar, not a simple password). But then also being able to rather simply deliver "half" of the stuff via some upload mechanism manually. The customer is very paranoid, so keeping the end-to-end encryption up is quite important.

Is there a tool that springs to mind, which is perfectly able to handle it? One solution would be to mirror the full registry to the customer premises on a dedicated host, keeping the encryption part intact.

A "standard" solution would be great, I'd be loath to hack something together if there is something lean/lightweight/established/stable around, already.

EDIT (+edit to the title): An extensive permission scheme like the one offered by Portus is a good start, but I am looking ideally for end-to-end encryption of the actual images. The customer is ultra paranoid and just getting started with Docker, cloud-based services etc.

AnoE
  • https://stackoverflow.com/q/37584961/2777965 – 030 May 02 '18 at 18:39
  • Thanks, @030. That question you linked considers hiding the stuff from the eye of users; my question is about hiding it from people along the way (i.e., I don't need encryption at either end, only when transferring it through some registry). – AnoE May 02 '18 at 19:29
  • Ok. So basically you are looking for SSL for a docker registry like https for a website? – 030 May 02 '18 at 19:40
  • @030, as given in the question, I am looking for a way to have a registry [...] which allows the images to be stored encrypted (preferably GPG or similar, not a simple password). – AnoE May 02 '18 at 21:21
  • https://github.com/moby/moby/issues/23200 – 030 May 02 '18 at 21:36
  • https://serverfault.com/a/894975/215599 – 030 May 02 '18 at 21:36
  • Perhaps you could file an issue in the github tracker of docker? Sorry I tried to help, but I cannot find an answer either. Apart from that I will upvote the question. – 030 May 02 '18 at 21:39
  • Yeah, no problem @030, and thanks for the help. I guess not every question has an answer, especially if it's about a feature a software simply does not have (yet?). ;) – AnoE May 02 '18 at 21:56
  • @AnoE if I may ask, what is it in the images you try to protect? I had a use case where separate files (data and/or custom software artefacts) needed to be protected, so we used standard encryption/decryption (encrypt on build - decrypt on run). All the other parts are imho not worth protecting. Not an exact answer to your question, but I find myself wondering what the business problem is that you need to solve. – Ta Mu May 03 '18 at 05:25
  • @PeterMuryshkin, nothing special, just the application (no secrets, no data). It's one of those customers who prefers not to have their stuff outside of their ("physical") intranet unencrypted. You know, large, ex-government... – AnoE May 03 '18 at 05:57

2 Answers

2

Google Container Registry is a potential option.

  1. The registry is private
  2. Image layers are stored in a Google Cloud Storage bucket, which is encrypted by Google (RSA) and can be additionally encrypted with a client key (RSA)
  3. Access control is granular down to each individual object stored in the GCS bucket
  4. Client-side authentication is enforced via OAuth2. Clients configure docker to use the Google Cloud SDK as a credentials manager
  5. Images are pulled via SSL connections

The fact that the registry is part of Google's Cloud Platform also means you can build up to some other interesting things. For example, you could set up a VM to serve as reverse-proxy and set up the GCP firewall to only allow 443 from a certain set of IPs (like your clients' offices).

tazer84
0

Have a look at https://github.com/Senetas/crypto-cli

It allows you to encrypt/decrypt containers when pushing and pulling from a public or private repo.

(Full disclosure I know the guy who wrote it)
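Whichever wrapper supplies the confidentiality (GPG around a `docker save` archive, or a tool such as crypto-cli), the manual-upload path still needs a check on arrival that the decrypted archive is complete and is the image the sender meant. The following is an added example, not from the question, either answer, or Docker's own tooling: it recomputes the content-addressed image ID and every layer digest of a `docker save` archive (assuming the legacy layout of manifest.json, one `<image id>.json` config and one `layer.tar` per layer), so the receiver can compare the ID against one the sender passed out of band, for instance in a GPG-signed note, before running `docker load`. The archive builder is a constructed stand-in for real `docker save` output so the check runs offline.

```python
import hashlib
import io
import json
import tarfile


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_saved_image(archive: bytes) -> str:
    """Verify a legacy-layout `docker save` archive (assumed: manifest.json, one
    <image id>.json config, one layer.tar per layer) and return its image ID."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        read = lambda name: tar.extractfile(name).read()  # KeyError if missing
        entry, = json.loads(read("manifest.json"))  # exactly one image expected
        config = read(entry["Config"])
        # Image ID = sha256(config JSON); the config file is named after it.
        image_id = sha256_digest(config)
        if entry["Config"] != image_id[7:] + ".json":
            raise ValueError("config file name does not match its digest")
        diff_ids = json.loads(config)["rootfs"]["diff_ids"]
        if len(diff_ids) != len(entry["Layers"]):
            raise ValueError("layer count differs between manifest and config")
        # Each layer tar must hash to the diff_id the config commits to.
        for path, expected in zip(entry["Layers"], diff_ids):
            if sha256_digest(read(path)) != expected:
                raise ValueError(f"layer {path} does not match {expected}")
    return image_id


def build_sample_archive(layers: list, corrupt: bool = False):
    """Constructed stand-in for `docker save` output so the check runs offline;
    corrupt=True truncates the last layer, as a botched manual upload might."""
    diff_ids = [sha256_digest(b) for b in layers]
    config = json.dumps({"rootfs": {"type": "layers", "diff_ids": diff_ids}}).encode()
    image_id = sha256_digest(config)
    paths = [f"layer{i}/layer.tar" for i in range(len(layers))]
    manifest = json.dumps([{"Config": image_id[7:] + ".json",
                            "RepoTags": ["app:1.0"], "Layers": paths}]).encode()
    members = [("manifest.json", manifest), (image_id[7:] + ".json", config)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members + list(zip(paths, layers)):
            if corrupt and name == paths[-1]:
                data = data[:-1]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), image_id
```

This confirms integrity against the archive's own content-addressed digests; authenticity still comes from the signature on the encrypted outer file and from comparing the returned ID with the one the sender communicated.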