I'm building a new product, and I plan to deliver it to paying subscribers via Docker image only.
My CI is pushing the images to Github's ghcr.io, and - for now - I created a Github PAT (personal access token) with just package:read permission in order to distribute to beta testers. So far so good, but:
- Github PATs should be ...personal!
- I already have my homebrew customer portal that produces JWT-based "Activation Keys" that expire when the subscription ends, and I would really like to use them as `docker login` passwords.
Custom auth Strategies that come to mind
What's the best strategy to let subscribers `docker login` with my custom secret? I came up with a few options:
- Create some API endpoints that implement the bare minimum Docker registry API, serving blobs from localhost's copy of the docker layers?
- Run an instance of docker registry in pull-through mode, but behind a reverse proxy that checks-and-replaces the auth token on the fly?
- Create a reverse-proxy API that replaces `docker login` credentials on the fly, returns a "real" ghcr.io registry token (obtained via `docker login` with master credentials) and responds with a redirect to ghcr.io for any further requests?
- Use a ready-made product/SDK that allows for auth logic replacement?
Option #3 would be great, because it would look like I have my own private registry, but I use Github bandwidth for blob downloads (provided docker CLI clients are able to follow redirects!)
Questions for you
- is there any Docker registry server-side library available for any programming language?
- what's the best strategy?
Thanks!
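For readers weighing option #3, here is a stdlib-only sketch (added here as an example; it is not the poster's code nor any registry product's API) of the two server-side pieces the Docker registry v2 token-auth flow needs: the `401` challenge that an unauthenticated `GET /v2/` returns, and the "realm" endpoint that `docker login` then calls with Basic credentials, where the password is the portal's JWT activation key. The hostnames `auth.example.invalid` / `registry.example.invalid`, the HS256 signing secret, the `repos` claim and the upstream-token placeholder are all constructed assumptions for the example; a real deployment would fetch the ghcr.io token with the service account's credentials and keep the secret in a secrets manager.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (not from the original post).
PORTAL_SIGNING_SECRET = b"example-portal-hs256-secret"   # assumption: the portal signs keys with HS256
AUTH_REALM = "https://auth.example.invalid/token"         # hypothetical token endpoint of the proxy
REGISTRY_SERVICE = "registry.example.invalid"             # hypothetical proxy registry hostname
UPSTREAM_GHCR_TOKEN = "<placeholder: bearer token obtained from ghcr.io with master credentials>"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_activation_key(customer_id: str, expires_at: int, repos: list) -> str:
    """Portal side: mint an HS256 JWT whose `exp` is the subscription end (epoch seconds)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": customer_id, "exp": expires_at, "repos": repos}).encode())
    sig = hmac.new(PORTAL_SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_activation_key(token: str, now: int):
    """Proxy side: return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None          # pin the algorithm: a header saying "alg": "none" is rejected
        expected = hmac.new(PORTAL_SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None          # constant-time comparison of the signature
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None              # subscription ended: the key stops working on its own
    return claims


def challenge_response():
    """Reply to an unauthenticated GET /v2/: tells the client which realm issues bearer tokens."""
    www = f'Bearer realm="{AUTH_REALM}",service="{REGISTRY_SERVICE}"'
    return 401, {"WWW-Authenticate": www}, {"errors": [{"code": "UNAUTHORIZED"}]}


def basic_auth_header(username: str, password: str) -> str:
    """What `docker login` sends to the realm: Basic <base64(user:password)>."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_scope(scope: str):
    """'repository:acme/product:pull,push' -> ('repository', 'acme/product', {'pull', 'push'})."""
    kind, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return kind, name, set(actions.split(","))


def handle_token_request(headers: dict, scope: str, now: int):
    """The realm endpoint: validate the activation key, then hand out the upstream ghcr.io token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"errors": [{"code": "UNAUTHORIZED", "message": "basic credentials required"}]}
    try:
        username, _, activation_key = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:
        return 401, {"errors": [{"code": "UNAUTHORIZED", "message": "malformed credentials"}]}
    claims = verify_activation_key(activation_key, now)
    if claims is None or claims.get("sub") != username:
        return 401, {"errors": [{"code": "UNAUTHORIZED", "message": "invalid or expired activation key"}]}
    try:
        kind, name, actions = parse_scope(scope)
    except ValueError:
        return 400, {"errors": [{"code": "BAD_REQUEST", "message": "malformed scope"}]}
    # Subscribers only ever get pull on the repositories their key names; push is never proxied.
    if kind != "repository" or name not in claims.get("repos", []) or actions != {"pull"}:
        return 403, {"errors": [{"code": "DENIED", "message": f"scope not granted: {scope}"}]}
    return 200, {"token": UPSTREAM_GHCR_TOKEN, "expires_in": 300}
```

Two practical notes on this design: the upstream token is short-lived and only ever returned to a client that just proved a valid, unexpired activation key, so revoking a subscriber is just letting their key expire (or adding a deny list keyed on `sub` inside `verify_activation_key`). The redirect part of option #3 still needs testing rather than assumption: Go's `net/http`, which the Docker CLI is built on, drops the `Authorization` header when a redirect leaves the original host, so a redirect to ghcr.io works for blob URLs that carry their own authorization (as CDN-signed URLs do) but not for endpoints that expect the bearer token to travel with the redirected request.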