container-registry: add secure registry infrastructure with TLS and auth

Add opt-in secure registry mode with auto-generated TLS certificates
and htpasswd authentication.

New BitBake variables:
  CONTAINER_REGISTRY_SECURE - Enable TLS (HTTPS) for local registry
  CONTAINER_REGISTRY_AUTH - Enable htpasswd auth (requires SECURE=1)
  CONTAINER_REGISTRY_USERNAME/PASSWORD - Credential configuration
  CONTAINER_REGISTRY_CERT_DAYS/CA_DAYS - Certificate validity
  CONTAINER_REGISTRY_CERT_SAN - Custom SAN entries

The bbclass validates conflicting settings (AUTH without SECURE) and
provides credential helper functions for skopeo push operations.

PKI infrastructure (CA + server cert with SAN) is auto-generated at
bitbake build time via openssl-native. The generated helper script
supports both TLS-only and TLS+auth modes.

The script now supports environment variable overrides for
CONTAINER_REGISTRY_STORAGE, CONTAINER_REGISTRY_URL, and
CONTAINER_REGISTRY_NAMESPACE, uses per-port PID files to allow
multiple instances, and auto-generates config files when running
from an overridden storage path.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

1 files changed, 66 insertions, 0 deletions

diff --git a/recipes-containers/container-registry/files/container-registry-secure.yml b/recipes-containers/container-registry/files/container-registry-secure.yml
new file mode 100644
index 00000000..73036d99
--- /dev/null
+++ b/recipes-containers/container-registry/files/container-registry-secure.yml
@@ -0,0 +1,66 @@
+# Container Registry Secure Configuration (TLS + htpasswd authentication)
+# ============================================================================
+#
+# This configuration enables HTTPS with TLS certificates and htpasswd auth.
+# Certificates and credentials are auto-generated on first start.
+#
+# Usage:
+#   Enable secure mode in local.conf:
+#     CONTAINER_REGISTRY_SECURE = "1"
+#
+#   Run: container-registry.sh start
+#   This auto-generates:
+#     - pki/ca.crt, ca.key (CA certificate)
+#     - pki/server.crt, server.key (server certificate with SAN)
+#     - auth/htpasswd (bcrypt credentials)
+#     - auth/password (plaintext password for reference)
+#
+# See: https://distribution.github.io/distribution/about/configuration/
+
+version: 0.1
+
+log:
+  level: info
+  formatter: text
+  fields:
+    service: container-registry-secure
+
+storage:
+  filesystem:
+    # Storage directory - replaced at generation time
+    rootdirectory: __STORAGE_PATH__
+  # Enable deletion of images/tags
+  delete:
+    enabled: true
+  # Don't redirect to external storage
+  redirect:
+    disable: true
+  # Maintenance settings
+  maintenance:
+    uploadpurging:
+      enabled: true
+      age: 168h    # 1 week
+      interval: 24h
+      dryrun: false
+
+http:
+  addr: :5000
+  headers:
+    X-Content-Type-Options: [nosniff]
+  # TLS configuration - paths replaced at generation time
+  tls:
+    certificate: __PKI_DIR__/server.crt
+    key: __PKI_DIR__/server.key
+
+# htpasswd authentication
+auth:
+  htpasswd:
+    realm: "Yocto Container Registry"
+    path: __AUTH_DIR__/htpasswd
+
+# Health check endpoint
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3