container-registry: add target image TLS integration

Install CA certificates and registry configuration into target images so they can pull from the secure registry at runtime. docker-registry-config.bb: When CONTAINER_REGISTRY_SECURE=1, install the CA cert to /etc/docker/certs.d/{host}/ca.crt instead of adding insecure-registries to daemon.json. Translates localhost/127.0.0.1 to 10.0.2.2 for QEMU targets where the host registry is accessed via slirp networking. container-oci-registry-config.bb: Same secure mode support for podman/CRI-O with insecure=false in registries.conf. container-registry-ca.bb: New recipe that installs the CA certificate to Docker, podman/CRI-O, and system trust store paths on the target. container-cross-install.bbclass: Auto-add docker-registry-config or container-oci-registry-config to IMAGE_INSTALL when CONTAINER_REGISTRY_SECURE=1, based on the configured container engine. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Bruce Ashfield <bruce.ashfield@gmail.com> 2026-02-09 03:17:24 +0000
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2026-02-09 03:34:12 +0000
commit: 52fc4ca7c75594fe8b3c92a9f88df19f8f4d0944 (patch)
tree: f003083cf14ecb0543303ab0023d39fd3457eb78 /recipes-containers
parent: 092aa81983335b2346a725eebd2a75fc785bb42b (diff)
download: meta-virtualization-52fc4ca7c75594fe8b3c92a9f88df19f8f4d0944.tar.gz
3 files changed, 278 insertions, 40 deletions
diff --git a/recipes-containers/container-registry/container-oci-registry-config.bb b/recipes-containers/container-registry/container-oci-registry-config.bb
index ba8cf4c3..294defc3 100644
--- a/recipes-containers/container-registry/container-oci-registry-config.bb
+++ b/recipes-containers/container-registry/container-oci-registry-config.bb
@@ -17,21 +17,27 @@
 #   See: docker-registry-config.bb for Docker configuration
 #
 # This recipe creates a drop-in configuration file for accessing a custom
-# container registry. It is completely OPT-IN and does not modify any
+# container registry. It supports both insecure (HTTP) and secure (HTTPS with TLS)
-# existing configuration files.
+# modes. It is completely OPT-IN and does not modify any existing configuration files.
 #
 # IMPORTANT: This recipe:
 #   - Does NOT modify docker-distribution or container-host-config
 #   - Does NOT clobber public registry access (docker.io, quay.io, etc.)
 #   - Uses drop-in files in /etc/containers/registries.conf.d/
 #   - Skips entirely if CONTAINER_REGISTRY_URL is not set
+#   - In secure mode: installs CA cert to /etc/containers/certs.d/{registry}/
 #
 # Usage:
-#   # In local.conf or image recipe:
+#   # Insecure mode (HTTP):
 #   CONTAINER_REGISTRY_URL = "localhost:5000"
 #   CONTAINER_REGISTRY_INSECURE = "1"
 #   IMAGE_FEATURES += "container-registry"
 #
+#   # Secure mode (HTTPS with TLS):
+#   CONTAINER_REGISTRY_SECURE = "1"
+#   CONTAINER_REGISTRY_URL = "localhost:5000"
+#   IMAGE_FEATURES += "container-registry"
+#
 #   The IMAGE_FEATURES mechanism auto-selects this recipe for Podman/CRI-O
 #   or docker-registry-config for Docker based on VIRTUAL-RUNTIME_container_engine.
 #
@@ -40,6 +46,7 @@
 SUMMARY = "Configure custom container registry for Podman/Skopeo/Buildah (opt-in)"
 DESCRIPTION = "Adds drop-in configuration for Podman, Skopeo, Buildah, and CRI-O. \
 NOT for Docker (use docker-registry-config for Docker). \
+Supports both insecure (HTTP) and secure (HTTPS with TLS) modes. \
 Does NOT modify existing registries.conf - creates a separate file in \
 registries.conf.d/ that is merged at runtime. Public registries remain accessible. \
 This recipe is opt-in: requires CONTAINER_REGISTRY_URL to be set. \
@@ -48,12 +55,14 @@ Use IMAGE_FEATURES container-registry to auto-select based on container engine."
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+inherit allarch container-registry
 # User MUST set these - recipe skips otherwise
-CONTAINER_REGISTRY_URL ?= ""
-CONTAINER_REGISTRY_INSECURE ?= "0"
 CONTAINER_REGISTRY_SEARCH_FIRST ?= "1"
-inherit allarch
+# Path to OCI auth config (for baked credentials)
+# NOT stored in bitbake - should point to external file
+CONTAINER_REGISTRY_AUTHFILE ?= ""
 # Skip recipe entirely if not configured
 # User must explicitly set CONTAINER_REGISTRY_URL to enable
@@ -61,20 +70,54 @@ python() {
    registry = d.getVar('CONTAINER_REGISTRY_URL')
    if not registry:
        raise bb.parse.SkipRecipe("CONTAINER_REGISTRY_URL not set - recipe is opt-in only")
+    # Check for conflicting settings
+    secure = d.getVar('CONTAINER_REGISTRY_SECURE') == '1'
+    insecure = d.getVar('CONTAINER_REGISTRY_INSECURE') == '1'
+    if secure and insecure:
+        bb.fatal("CONTAINER_REGISTRY_SECURE='1' and CONTAINER_REGISTRY_INSECURE='1' cannot both be set. "
+                 "Use secure mode (TLS+auth) OR insecure mode (HTTP), not both.")
+    # In secure mode, depend on PKI generation
+    if secure:
+        d.appendVarFlag('do_install', 'depends', ' container-registry-index:do_generate_registry_script')
 }
 python do_install() {
    import os
+    import shutil
    registry = d.getVar('CONTAINER_REGISTRY_URL')
    insecure = d.getVar('CONTAINER_REGISTRY_INSECURE') == "1"
+    secure = d.getVar('CONTAINER_REGISTRY_SECURE') == "1"
    search_first = d.getVar('CONTAINER_REGISTRY_SEARCH_FIRST') == "1"
+    ca_cert = d.getVar('CONTAINER_REGISTRY_CA_CERT')
+    authfile = d.getVar('CONTAINER_REGISTRY_AUTHFILE') or ''
+    # Extract registry host (strip any path)
+    registry_host = registry.split('/')[0] if '/' in registry else registry
    dest = d.getVar('D')
    confdir = os.path.join(dest, d.getVar('sysconfdir').lstrip('/'),
                           'containers', 'registries.conf.d')
    os.makedirs(confdir, exist_ok=True)
+    # Install CA cert in secure mode
+    if secure:
+        if os.path.exists(ca_cert):
+            cert_dir = os.path.join(dest, 'etc/containers/certs.d', registry_host)
+            os.makedirs(cert_dir, exist_ok=True)
+            shutil.copy(ca_cert, os.path.join(cert_dir, 'ca.crt'))
+            bb.note(f"Installed CA certificate for registry: {registry_host}")
+        else:
+            bb.warn(f"Secure mode enabled but CA certificate not found at {ca_cert}")
+            bb.warn("Run 'container-registry.sh start' to generate PKI, then rebuild this package")
+    # In secure mode, insecure should be false
+    if secure:
+        insecure = False
    # Generate drop-in config
    # Filename starts with 50- so it's processed after base config but
    # can be overridden by higher-numbered files
@@ -82,11 +125,17 @@ python do_install() {
    with open(config_path, 'w') as f:
        f.write(f"# Custom container registry: {registry}\n")
-        f.write(f"# Generated by container-registry-config recipe\n")
+        f.write(f"# Generated by container-oci-registry-config recipe\n")
        f.write(f"# This is ADDITIVE - base registries.conf is unchanged\n")
        f.write(f"# Public registries (docker.io, quay.io) remain accessible\n")
        f.write(f"#\n")
-        f.write(f"# To remove: uninstall container-registry-config package\n")
+        if secure:
+            f.write(f"# Mode: secure (TLS with CA certificate verification)\n")
+            f.write(f"# CA cert: /etc/containers/certs.d/{registry_host}/ca.crt\n")
+        else:
+            f.write(f"# Mode: insecure (HTTP or untrusted TLS)\n")
+        f.write(f"#\n")
+        f.write(f"# To remove: uninstall container-oci-registry-config package\n")
        f.write(f"# or delete this file\n\n")
        if search_first:
@@ -95,17 +144,40 @@ python do_install() {
            f.write(f"# Search this registry for unqualified image names\n")
            f.write(f'unqualified-search-registries = ["{registry}"]\n\n')
+        # Always create registry entry to set insecure flag explicitly
+        f.write(f'[[registry]]\n')
+        f.write(f'location = "{registry_host}"\n')
        if insecure:
-            # Mark registry as insecure (HTTP or self-signed TLS)
-            f.write(f"# Registry uses HTTP or has untrusted TLS certificate\n")
-            f.write(f'[[registry]]\n')
-            f.write(f'location = "{registry}"\n')
            f.write(f'insecure = true\n')
+        else:
+            f.write(f'insecure = false\n')
-    bb.note(f"Created registry config for {registry} (insecure={insecure})")
+    # Install authfile if provided (for baked credentials)
+    if authfile and os.path.exists(authfile):
+        containers_dir = os.path.join(dest, 'etc/containers')
+        os.makedirs(containers_dir, exist_ok=True)
+        auth_json = os.path.join(containers_dir, 'auth.json')
+        shutil.copy(authfile, auth_json)
+        os.chmod(auth_json, 0o600)
+        bb.note(f"Installed OCI auth config from {authfile}")
+    mode = "secure" if secure else ("insecure" if insecure else "default")
+    bb.note(f"Created registry config for {registry} (mode={mode})")
 }
-FILES:${PN} = "${sysconfdir}/containers/registries.conf.d"
+FILES:${PN} = " \
+    ${sysconfdir}/containers/registries.conf.d \
+    ${sysconfdir}/containers/certs.d/*/ca.crt \
+    ${sysconfdir}/containers/auth.json \
+"
+# Ensure proper permissions on auth file
+pkg_postinst:${PN}() {
+#!/bin/sh
+if [ -f $D/etc/containers/auth.json ]; then
+    chmod 600 $D/etc/containers/auth.json
+fi
+}
 # Soft dependency - works with or without container-host-config
 # If container-host-config is installed, our drop-in extends it
diff --git a/recipes-containers/container-registry/container-registry-ca.bb b/recipes-containers/container-registry/container-registry-ca.bb
new file mode 100644
index 00000000..85bb206f
--- /dev/null
+++ b/recipes-containers/container-registry/container-registry-ca.bb
@@ -0,0 +1,98 @@
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: MIT
+#
+# container-registry-ca.bb
+# ============================================================================
+# Install CA certificate for secure container registry on target images.
+#
+# This recipe installs the CA certificate generated during
+# container-registry-index:do_generate_registry_script to the appropriate
+# locations for Docker, Podman/CRI-O, and system trust.
+#
+# Prerequisites:
+#   1. Enable secure mode: CONTAINER_REGISTRY_SECURE = "1"
+#   2. PKI is auto-generated when building this package
+#
+# Usage:
+#   IMAGE_INSTALL:append = " container-registry-ca"
+#
+# Installed files:
+#   /etc/docker/certs.d/{registry}/ca.crt        - Docker daemon trust
+#   /etc/containers/certs.d/{registry}/ca.crt    - Podman/CRI-O trust
+#   /usr/local/share/ca-certificates/container-registry-ca.crt - System trust
+#
+# ============================================================================
+SUMMARY = "CA certificate for secure container registry"
+DESCRIPTION = "Installs the CA certificate for TLS verification when pulling from the local container registry"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+inherit container-registry
+# Only build if secure mode is enabled
+python () {
+    secure = d.getVar('CONTAINER_REGISTRY_SECURE')
+    if secure != '1':
+        raise bb.parse.SkipRecipe("CONTAINER_REGISTRY_SECURE is not '1' - secure mode not enabled")
+}
+# No source files - we use the generated CA cert
+SRC_URI = ""
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+# Ensure PKI is generated before we try to install the CA cert
+do_install[depends] += "container-registry-index:do_generate_registry_script"
+python do_install() {
+    import os
+    import shutil
+    d_dir = d.getVar('D')
+    ca_cert = d.getVar('CONTAINER_REGISTRY_CA_CERT')
+    registry_url = d.getVar('CONTAINER_REGISTRY_URL')
+    # Extract registry host (strip port)
+    registry_host = registry_url.split('/')[0] if '/' in registry_url else registry_url
+    if not os.path.exists(ca_cert):
+        bb.fatal(f"CA certificate not found at {ca_cert}. "
+                 "This should have been auto-generated. Check container-registry-index:do_generate_registry_script logs.")
+    # Install for Docker: /etc/docker/certs.d/{registry}/ca.crt
+    docker_cert_dir = os.path.join(d_dir, 'etc/docker/certs.d', registry_host)
+    os.makedirs(docker_cert_dir, exist_ok=True)
+    shutil.copy(ca_cert, os.path.join(docker_cert_dir, 'ca.crt'))
+    # Install for Podman/CRI-O: /etc/containers/certs.d/{registry}/ca.crt
+    containers_cert_dir = os.path.join(d_dir, 'etc/containers/certs.d', registry_host)
+    os.makedirs(containers_cert_dir, exist_ok=True)
+    shutil.copy(ca_cert, os.path.join(containers_cert_dir, 'ca.crt'))
+    # Install for system trust: /usr/local/share/ca-certificates/
+    system_ca_dir = os.path.join(d_dir, 'usr/local/share/ca-certificates')
+    os.makedirs(system_ca_dir, exist_ok=True)
+    shutil.copy(ca_cert, os.path.join(system_ca_dir, 'container-registry-ca.crt'))
+    bb.note(f"Installed CA certificate for registry: {registry_host}")
+}
+# Package files
+FILES:${PN} = " \
+    ${sysconfdir}/docker/certs.d/*/ca.crt \
+    ${sysconfdir}/containers/certs.d/*/ca.crt \
+    /usr/local/share/ca-certificates/container-registry-ca.crt \
+"
+# Run update-ca-certificates after install if available
+pkg_postinst:${PN}() {
+#!/bin/sh
+if [ -x /usr/sbin/update-ca-certificates ]; then
+    /usr/sbin/update-ca-certificates 2>/dev/null || true
+fi
+}
+RDEPENDS:${PN} = ""
diff --git a/recipes-containers/container-registry/docker-registry-config.bb b/recipes-containers/container-registry/docker-registry-config.bb
index e03cd3eb..0e8d66ad 100644
--- a/recipes-containers/container-registry/docker-registry-config.bb
+++ b/recipes-containers/container-registry/docker-registry-config.bb
@@ -10,46 +10,55 @@
 # FOR DOCKER ONLY - creates /etc/docker/daemon.json
 #
 # NOT for Podman/Skopeo/Buildah - they use /etc/containers/registries.conf.d/
-#   See: container-registry-config.bb for Podman/Skopeo/Buildah
+#   See: container-oci-registry-config.bb for Podman/Skopeo/Buildah
 #
-# This recipe creates daemon.json for Docker to access insecure registries.
+# This recipe creates daemon.json for Docker to access registries.
-# It is completely OPT-IN and requires explicit configuration.
+# It supports both insecure (HTTP) and secure (HTTPS with TLS) modes.
 #
 # NOTE: Docker does not support "default registry" like our vdkr transform.
 # Users must still use fully qualified image names unless using Docker Hub.
-# This config only handles insecure registry trust.
 #
 # IMPORTANT: This recipe:
-#   - Skips entirely if DOCKER_REGISTRY_INSECURE is not set
+#   - Skips entirely if neither insecure nor secure registry is configured
-#   - Creates /etc/docker/daemon.json (will be merged if docker recipe
+#   - Creates /etc/docker/daemon.json
-#     also creates one, or may need RCONFLICTS handling)
+#   - In secure mode: installs CA cert to /etc/docker/certs.d/{registry}/
+#   - In insecure mode: adds registry to insecure-registries list
 #
 # Usage:
-#   # In local.conf or image recipe:
+#   # Insecure mode (HTTP):
 #   DOCKER_REGISTRY_INSECURE = "10.0.2.2:5000 myregistry.local:5000"
 #   IMAGE_FEATURES += "container-registry"
 #
+#   # Secure mode (HTTPS with TLS):
+#   CONTAINER_REGISTRY_SECURE = "1"
+#   CONTAINER_REGISTRY_URL = "localhost:5000"
+#   IMAGE_FEATURES += "container-registry"
+#
 #   The IMAGE_FEATURES mechanism auto-selects this recipe for Docker
 #   or container-oci-registry-config for Podman/CRI-O based on
 #   VIRTUAL-RUNTIME_container_engine.
 #
 # ===========================================================================
-SUMMARY = "Configure insecure container registries for Docker daemon (opt-in)"
+SUMMARY = "Configure container registry for Docker daemon (opt-in)"
-DESCRIPTION = "Creates /etc/docker/daemon.json with insecure-registries config. \
+DESCRIPTION = "Creates /etc/docker/daemon.json with registry config. \
 FOR DOCKER ONLY - not for Podman/Skopeo (use container-oci-registry-config for those). \
-This recipe is opt-in: requires DOCKER_REGISTRY_INSECURE to be set. \
+Supports both insecure (HTTP) and secure (HTTPS with TLS) modes. \
 Use IMAGE_FEATURES container-registry to auto-select based on container engine."
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+inherit allarch container-registry
 # Space-separated list of insecure registries
 # Example: "10.0.2.2:5000 myregistry.local:5000"
 # Can also use runtime-agnostic CONTAINER_REGISTRY_URL + CONTAINER_REGISTRY_INSECURE
 DOCKER_REGISTRY_INSECURE ?= ""
-CONTAINER_REGISTRY_URL ?= ""
-CONTAINER_REGISTRY_INSECURE ?= ""
+# Path to Docker auth config (for baked credentials)
+# NOT stored in bitbake - should point to external file
+CONTAINER_REGISTRY_AUTHFILE ?= ""
 def get_insecure_registries(d):
    """Get insecure registries from either Docker-specific or generic config"""
@@ -64,40 +73,99 @@ def get_insecure_registries(d):
        return registry_url.strip()
    return ""
-inherit allarch
+def is_secure_mode(d):
+    """Check if secure registry mode is enabled"""
+    return d.getVar('CONTAINER_REGISTRY_SECURE') == '1'
 # Skip recipe entirely if not configured
 python() {
+    secure = is_secure_mode(d)
    registries = get_insecure_registries(d)
-    if not registries:
-        raise bb.parse.SkipRecipe("No insecure registry configured - recipe is opt-in only")
+    # Check for conflicting settings
+    if secure and registries:
+        bb.fatal("CONTAINER_REGISTRY_SECURE='1' conflicts with insecure registry settings. "
+                 "Use secure mode (TLS+auth) OR insecure mode (HTTP), not both.")
+    if not secure and not registries:
+        raise bb.parse.SkipRecipe("No registry configured - recipe is opt-in only")
+    # In secure mode, depend on PKI generation
+    if secure:
+        d.appendVarFlag('do_install', 'depends', ' container-registry-index:do_generate_registry_script')
 }
 python do_install() {
    import os
    import json
+    import shutil
-    registries = get_insecure_registries(d).split()
    dest = d.getVar('D')
    confdir = os.path.join(dest, d.getVar('sysconfdir').lstrip('/'), 'docker')
    os.makedirs(confdir, exist_ok=True)
-    config_path = os.path.join(confdir, 'daemon.json')
+    secure = is_secure_mode(d)
+    registries = get_insecure_registries(d).split()
+    ca_cert = d.getVar('CONTAINER_REGISTRY_CA_CERT')
+    registry_url = d.getVar('CONTAINER_REGISTRY_URL') or ''
+    authfile = d.getVar('CONTAINER_REGISTRY_AUTHFILE') or ''
+    config = {}
+    if secure:
+        # Secure mode: install CA cert, no insecure-registries
+        # Translate localhost/127.0.0.1 to 10.0.2.2 for QEMU slirp networking
+        qemu_url = registry_url.replace('localhost', '10.0.2.2').replace('127.0.0.1', '10.0.2.2')
+        registry_host = qemu_url.split('/')[0] if '/' in qemu_url else qemu_url
+        if os.path.exists(ca_cert):
+            # Install CA cert to /etc/docker/certs.d/{registry}/ca.crt
+            cert_dir = os.path.join(dest, 'etc/docker/certs.d', registry_host)
+            os.makedirs(cert_dir, exist_ok=True)
+            shutil.copy(ca_cert, os.path.join(cert_dir, 'ca.crt'))
+            bb.note(f"Installed CA certificate for registry: {registry_host}")
+        else:
+            bb.warn(f"Secure mode enabled but CA certificate not found at {ca_cert}")
+            bb.warn("Run 'container-registry.sh start' to generate PKI, then rebuild this package")
+        # daemon.json can be empty or minimal in secure mode
+        # (no insecure-registries needed when using TLS)
+        bb.note("Secure mode: Docker will use TLS verification with installed CA cert")
+    else:
+        # Insecure mode: add to insecure-registries
+        if registries:
+            config["insecure-registries"] = registries
+            bb.note(f"Created Docker config with insecure registries: {registries}")
-    # Create daemon.json
+    # Install authfile if provided (for baked credentials)
-    config = {
+    if authfile and os.path.exists(authfile):
-        "insecure-registries": registries
+        docker_dir = os.path.join(dest, 'root/.docker')
-    }
+        os.makedirs(docker_dir, mode=0o700, exist_ok=True)
+        config_json = os.path.join(docker_dir, 'config.json')
+        shutil.copy(authfile, config_json)
+        os.chmod(config_json, 0o600)
+        bb.note(f"Installed Docker auth config from {authfile}")
+    # Write daemon.json (may be empty in secure mode)
+    config_path = os.path.join(confdir, 'daemon.json')
    with open(config_path, 'w') as f:
        json.dump(config, f, indent=2)
        f.write("\n")
-    bb.note(f"Created Docker config with insecure registries: {registries}")
 }
-FILES:${PN} = "${sysconfdir}/docker/daemon.json"
+FILES:${PN} = " \
+    ${sysconfdir}/docker/daemon.json \
+    ${sysconfdir}/docker/certs.d/*/ca.crt \
+    /root/.docker/config.json \
+"
+# Ensure proper permissions on auth file
+pkg_postinst:${PN}() {
+#!/bin/sh
+if [ -f $D/root/.docker/config.json ]; then
+    chmod 600 $D/root/.docker/config.json
+fi
+}
 # Docker must be installed for this to be useful
 RDEPENDS:${PN} = "docker"
author	Bruce Ashfield <bruce.ashfield@gmail.com>	2026-02-09 03:17:24 +0000
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2026-02-09 03:34:12 +0000
commit	52fc4ca7c75594fe8b3c92a9f88df19f8f4d0944 (patch)
tree	f003083cf14ecb0543303ab0023d39fd3457eb78 /recipes-containers
parent	092aa81983335b2346a725eebd2a75fc785bb42b (diff)
download	meta-virtualization-52fc4ca7c75594fe8b3c92a9f88df19f8f4d0944.tar.gz