
ADR-0010 Container Registry

Context

Containers allow us to package and run applications in a standardized and portable way. To be able to (re)use and share images, they need to be stored in a registry that is accessible by others.

There are many container registries. During research the following registries have been noted:

Docker Hub, GitHub Container Registry, Amazon Elastic Container Registry (ECR), Azure Container Registry (ACR), Google Artifact Registry (GAR), Red Hat Quay, GitLab Container Registry, Harbor, Sonatype Nexus Repository Manager, JFrog Artifactory.

Assumptions

  • We do not want to host our own registry.
  • The images we create can be kept private or publicly shared.
  • For development and testing, images should be kept private to prevent accidental use of unfinished products.
  • Images we provide are safe and secure. This means a container registry should have the option to (continuously) verify the security status of an image.
  • By configuration, tags can be made immutable, to prevent image tags from being overwritten.
  • The registry keeps logs of events regarding containers.
  • The registry needs to have a Role Based Access model.
  • No additional sign-up is required to pull the image.
  • We can use a Kubernetes authorization token to pull images.
  • The registry has support for scheduled deletion of images by criteria.

Decision

We will use GitHub Container Registry.

This aligns best with the previously made choices for GitHub as a code repository and CI/CD workflow.

Risks

Traditionally, Docker Hub has been the place to publish images. Therefore, our images may be more difficult to discover.

The following assumptions are not (directly) covered by the chosen registry:

  • Security scans are not implemented by default, meaning we should find another solution to cover this, for example by using a GitHub Action.
  • Private packages are limited by space and an additional license may be required, see Billing for GitHub Packages.
  • It is unclear if it is possible to overwrite tags.
  • Removing images by criteria is not implemented by default, but could be solved using a GitHub Action.
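
One way the cleanup criteria could be expressed for such a scheduled GitHub Action, as an added example that is not part of this ADR or of GitHub's tooling. The record shape is modeled on the package-version objects of the GitHub Packages REST API (an assumption), the sample data is constructed, and the criteria themselves (age limits, the `pr-` prefix) are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names follow the assumed shape of
# container package versions (id, created_at, metadata.container.tags).
SAMPLE_VERSIONS = [
    {"id": 101, "created_at": "2024-01-05T10:00:00Z", "metadata": {"container": {"tags": ["1.0.0", "latest"]}}},
    {"id": 102, "created_at": "2024-01-20T10:00:00Z", "metadata": {"container": {"tags": []}}},
    {"id": 103, "created_at": "2024-03-20T10:00:00Z", "metadata": {"container": {"tags": ["pr-42"]}}},
    {"id": 104, "created_at": "2024-03-28T10:00:00Z", "metadata": {"container": {"tags": []}}},
    {"id": 105, "created_at": "2024-02-01T10:00:00Z", "metadata": {"container": {"tags": ["pr-17"]}}},
    {"id": 106, "created_at": "2024-01-10T10:00:00Z", "metadata": {"container": {"tags": ["pr-9", "1.1.0"]}}},
]


def _created(version):
    """Parse the UTC creation timestamp of a version record."""
    stamp = datetime.strptime(version["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc)


def select_for_deletion(versions, now, untagged_max_age_days=14,
                        ephemeral_prefixes=("pr-",), ephemeral_max_age_days=30):
    """Return the sorted ids of versions matching the cleanup criteria.

    Selected: untagged versions older than untagged_max_age_days, and
    versions whose tags are ALL ephemeral (e.g. pr-*) and older than
    ephemeral_max_age_days. A version carrying at least one other tag
    (a release, 'latest') is never selected, whatever its age.
    """
    doomed = []
    for version in versions:
        tags = version.get("metadata", {}).get("container", {}).get("tags", [])
        age = now - _created(version)
        if not tags:
            limit = timedelta(days=untagged_max_age_days)
        elif all(tag.startswith(ephemeral_prefixes) for tag in tags):
            limit = timedelta(days=ephemeral_max_age_days)
        else:
            continue  # protected: has a non-ephemeral tag
        if age > limit:
            doomed.append(version["id"])
    return sorted(doomed)


if __name__ == "__main__":
    # Dry run: only report what would be removed.
    now = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)
    print("would delete:", select_for_deletion(SAMPLE_VERSIONS, now))
```

In a real cleanup job, untagged versions that are platform manifests of a tagged multi-architecture image must also be excluded; that check needs the image manifests and is not shown here.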

Consequences

By using GitHub Container Registry, we have a container registry that we can use internally as well as share with others. The impact of this choice is low: we can always move to another registry, since container images and registries are standardized by the Open Container Initiative.

More Information

The following sites have been consulted: