
Commit 15be065

committed
chore: wip
1 parent d2054f4 commit 15be065


4 files changed

+148
-9
lines changed


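--- a/Dockerfile
+++ b/Dockerfile
@@ -94,6 +94,11 @@ ENV NODE_ENV=production \
 PNPM_HOME=/usr/local/share/pnpm \
 PATH="/app/node_modules/.bin:$PNPM_HOME:$PATH"
 
+# Install envsubst (gettext-base) for runtime templating of Verdaccio configs
+RUN apt-get update \
+&& apt-get install -y --no-install-recommends gettext-base \
+&& rm -rf /var/lib/apt/lists/*
+
 # Copy built repo and dependencies from builder (includes Verdaccio plugins)
 COPY --from=builder /app /app
 
@@ -112,12 +117,4 @@ EXPOSE 4873 4874
 # VERDACCIO_STRICT_PORT / VERDACCIO_LENIENT_PORT control the listen port for each mode.
 ENV REGISTRY_MODE=strict
 
-CMD ["sh", "-c", "\
-if [ \"$REGISTRY_MODE\" = \"lenient\" ]; then \
-CONFIG=secure-registry/verdaccio/lenient/config.docker.yaml; \
-PORT=${VERDACCIO_LENIENT_PORT:-4874}; \
-else \
-CONFIG=secure-registry/verdaccio/strict/config.docker.yaml; \
-PORT=${VERDACCIO_STRICT_PORT:-4873}; \
-fi; \
-npx verdaccio --config \"$CONFIG\" --listen 0.0.0.0:${PORT}"]
+CMD ["/app/secure-registry/verdaccio/entrypoint.sh"]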
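Review bot: The new exec-form `CMD ["/app/secure-registry/verdaccio/entrypoint.sh"]` at the end of the second hunk only works if the script reaches the image with the executable bit set through `COPY --from=builder /app /app`; a script added in this same commit may well be checked in without +x, in which case the container fails at start with a permission error instead of running the registry. Either add `RUN chmod +x /app/secure-registry/verdaccio/entrypoint.sh` right after the COPY in the first hunk, or keep the interpreter explicit: `CMD ["sh", "/app/secure-registry/verdaccio/entrypoint.sh"]`. The added `apt-get install` layer also runs wherever the first hunk sits; if a `USER` switch happens earlier in the file (not visible here), the install needs to be moved above it, since it requires root.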
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
#!/bin/sh
2+
set -e
3+
4+
# Runtime entrypoint for Verdaccio registry.
5+
#
6+
# - Chooses strict vs lenient config based on REGISTRY_MODE
7+
# - Renders the appropriate Docker config template with envsubst
8+
# - Applies sane defaults for SECURITY_DECISION_API_URL when not provided
9+
10+
MODE="${REGISTRY_MODE:-strict}"
11+
12+
if [ "$MODE" = "lenient" ]; then
13+
TEMPLATE="secure-registry/verdaccio/lenient/config.docker.template.yaml"
14+
CONFIG="/tmp/verdaccio-lenient.yaml"
15+
PORT="${VERDACCIO_LENIENT_PORT:-4874}"
16+
else
17+
TEMPLATE="secure-registry/verdaccio/strict/config.docker.template.yaml"
18+
CONFIG="/tmp/verdaccio-strict.yaml"
19+
PORT="${VERDACCIO_STRICT_PORT:-4873}"
20+
fi
21+
22+
# Apply defaults for env-driven settings used in the templates.
23+
# SECURITY_DECISION_API_URL controls where security plugins call the decision API.
24+
: "${SECURITY_DECISION_API_URL:=http://decision-api:4000}"
25+
26+
export SECURITY_DECISION_API_URL
27+
28+
echo "[entrypoint] REGISTRY_MODE=$MODE PORT=$PORT SECURITY_DECISION_API_URL=$SECURITY_DECISION_API_URL" >&2
29+
30+
echo "[entrypoint] Rendering Verdaccio config from $TEMPLATE to $CONFIG" >&2
31+
envsubst < "$TEMPLATE" > "$CONFIG"
32+
33+
echo "[entrypoint] Starting Verdaccio on port $PORT" >&2
34+
exec npx verdaccio --config "$CONFIG" --listen 0.0.0.0:"$PORT"
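Review bot: `envsubst < "$TEMPLATE" > "$CONFIG"` on line 31 substitutes every `$NAME`/`${NAME}` it finds in the template, not only `SECURITY_DECISION_API_URL`, and both templates use Verdaccio's built-in `$authenticated` group in their `access:`/`publish:` entries; since no `authenticated` variable is exported, those entries are rendered as empty values, silently changing the package ACLs from what the template author wrote. Restrict substitution to the one variable the script actually exports: `envsubst '${SECURITY_DECISION_API_URL}' < "$TEMPLATE" > "$CONFIG"`. The rendered config is also written to a fixed, predictable name under world-writable `/tmp`; writing it under a directory owned by the registry user (or via `mktemp`) avoids a pre-placed file or symlink at that path being picked up as the live config. Finally, the default `http://decision-api:4000` is plaintext and carries no authentication, so the header comment should state that it is only safe when the decision API is reachable solely over a trusted cluster network.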
Lines changed: 54 additions & 0 deletions
@@ -0,0 +1,54 @@
1+
storage: ./storage
2+
3+
uplinks:
4+
npmjs:
5+
url: https://registry.npmjs.org/
6+
# No malware uplink in Docker/Kubernetes; malware registry is only used
7+
# in dedicated local dev/test setups.
8+
9+
packages:
10+
'@*/*':
11+
access: $authenticated
12+
publish: $authenticated
13+
proxy: npmjs
14+
'**':
15+
access: $authenticated
16+
publish: $authenticated
17+
proxy: npmjs
18+
19+
filters:
20+
"@secure-registry/verdaccio-security-gate-filter":
21+
enabled: true
22+
# In Docker/Kubernetes, the decision API URL is provided via
23+
# SECURITY_DECISION_API_URL and rendered at runtime by envsubst
24+
# in secure-registry/verdaccio/entrypoint.sh.
25+
apiUrl: ${SECURITY_DECISION_API_URL}
26+
timeoutMs: 2000
27+
policyId: "lenient"
28+
blocking: false
29+
30+
auth:
31+
"@secure-registry/verdaccio-security-token-auth":
32+
# See note above: apiUrl is rendered from SECURITY_DECISION_API_URL
33+
# by the Docker entrypoint.
34+
apiUrl: ${SECURITY_DECISION_API_URL}
35+
timeoutMs: 2000
36+
37+
middlewares:
38+
"@secure-registry/verdaccio-download-guard-middleware":
39+
# See note above: apiUrl is rendered from SECURITY_DECISION_API_URL
40+
# by the Docker entrypoint.
41+
apiUrl: ${SECURITY_DECISION_API_URL}
42+
timeoutMs: 60000
43+
policyId: "lenient"
44+
"@secure-registry/verdaccio-rate-limit-middleware":
45+
# Redis URL for rate limiting. VERDACCIO_REDIS_URL env var (if set)
46+
# takes precedence in the middleware implementation.
47+
redisUrl: "redis://redis:6379"
48+
windowSeconds: 86400 # 24h window
49+
maxRequests: 400 # 400 requests per 24h
50+
51+
log:
52+
type: stdout
53+
format: pretty
54+
level: http
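Review bot: The `'**'` rule grants `publish: $authenticated` on the same pattern that proxies to npmjs, so any authenticated user can publish under a name that also exists upstream; as far as I recall Verdaccio serves a locally stored package in preference to the uplink, which would let that user shadow a public package for every other consumer of this registry, and in this lenient profile the security-gate filter has `blocking: false`, so such an upload would at most be logged. Unless self-service publishing of arbitrary unscoped names is intended, restrict it to a dedicated group on the catch-all rule, e.g. `publish: publishers` under `'**'`, and keep `$authenticated` publish only for the organization's own scope. It would also help to add a comment above `packages:` stating the intended trust model for publishers, since the two templates are otherwise identical and a reader cannot tell whether the open publish rule is deliberate.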
Lines changed: 54 additions & 0 deletions
@@ -0,0 +1,54 @@
1+
storage: ./storage
2+
3+
uplinks:
4+
npmjs:
5+
url: https://registry.npmjs.org/
6+
# No malware uplink in Docker/Kubernetes; malware registry is only used
7+
# in dedicated local dev/test setups.
8+
9+
packages:
10+
'@*/*':
11+
access: $authenticated
12+
publish: $authenticated
13+
proxy: npmjs
14+
'**':
15+
access: $authenticated
16+
publish: $authenticated
17+
proxy: npmjs
18+
19+
filters:
20+
"@secure-registry/verdaccio-security-gate-filter":
21+
enabled: true
22+
# In Docker/Kubernetes, the decision API URL is provided via
23+
# SECURITY_DECISION_API_URL and rendered at runtime by envsubst
24+
# in secure-registry/verdaccio/entrypoint.sh.
25+
apiUrl: ${SECURITY_DECISION_API_URL}
26+
timeoutMs: 2000
27+
policyId: "strict"
28+
blocking: true
29+
30+
auth:
31+
"@secure-registry/verdaccio-security-token-auth":
32+
# See note above: apiUrl is rendered from SECURITY_DECISION_API_URL
33+
# by the Docker entrypoint.
34+
apiUrl: ${SECURITY_DECISION_API_URL}
35+
timeoutMs: 2000
36+
37+
middlewares:
38+
"@secure-registry/verdaccio-download-guard-middleware":
39+
# See note above: apiUrl is rendered from SECURITY_DECISION_API_URL
40+
# by the Docker entrypoint.
41+
apiUrl: ${SECURITY_DECISION_API_URL}
42+
timeoutMs: 60000
43+
policyId: "strict"
44+
"@secure-registry/verdaccio-rate-limit-middleware":
45+
# Redis URL for rate limiting. VERDACCIO_REDIS_URL env var (if set)
46+
# takes precedence in the middleware implementation.
47+
redisUrl: "redis://redis:6379"
48+
windowSeconds: 86400 # 24h window
49+
maxRequests: 400 # 400 requests per 24h
50+
51+
log:
52+
type: stdout
53+
format: pretty
54+
level: http
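Review bot: `apiUrl: ${SECURITY_DECISION_API_URL}` is rendered as an unquoted YAML scalar at all three sites, so whatever an operator puts in that variable is parsed as YAML syntax rather than as a string; a value containing `: `, ` #`, or a leading `[`/`{`/`*` would alter or break the config, and with `blocking: true` in this strict profile a mis-parsed `apiUrl` turns every gate call into an error whose fail-open or fail-closed outcome depends on the plugin rather than on this file. Quote the placeholder: `apiUrl: "${SECURITY_DECISION_API_URL}"`. As a point of style, this file differs from the lenient template only in `policyId` and `blocking`; a single template with a `${REGISTRY_MODE}`-driven value for those two keys would stop the two copies drifting apart.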
