I have a dockerized app that I’m looking to deploy, and these are my requirements:
- Images are published somewhere
- App servers retrieve images from somewhere
- Images are only accessible to authorized app servers (i.e. non-public)
So the obvious candidate for somewhere would appear to be a Docker registry. But after looking at some options (standalone Docker registry, Docker Hub, Amazon ECR) I found that the third requirement would be surprisingly awkward to implement:
There seems to be no way to authorize app servers that does not require them to have a full account with the registry (or even their parent platform, e.g. Amazon AWS).
The deployment tutorials I’ve looked at just tell you to “docker login” on the app server - but why would I want to authorize full (write) access to the repository if I only want to pull images?
For finer-grained access control, I (or the admins deploying my app) would have to have a separate, read-only account with the registry, which seems unreasonable to me.
I was kind of expecting there to be a mechanism along the lines of deployment keys in GitHub or Bitbucket, where you can just authorize read-only access without requiring, say, a GitHub account (let alone my GitHub account).
I’m starting to think that a registry is not really suited for this kind of deployment at all - even though all those deployment guides just tell you to “docker pull” and be on your way.
So is there something I am missing here?
Do people just use other distribution mechanisms for this kind of deployment?
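As an added illustration (not part of the question above), the following sketch shows how the Docker Registry v2 token-auth scheme lets an authorization server hand out pull-only access: the registry forwards the client's requested scope (`repository:<name>:<actions>`), and the server returns a token whose `access` claim is the intersection of what was requested and what that identity is allowed. The `DEPLOY_KEY_POLICY` table and the identity names are constructed for the example; a real server would also sign the claims as a JWT.

```python
"""Scope narrowing for a Docker Registry v2 token-auth server (illustrative)."""
from __future__ import annotations

# Constructed sample policy: per deploy identity, which repositories it may
# access and with which registry actions. An app server gets "pull" only,
# which is the registry-side equivalent of a read-only deploy key.
DEPLOY_KEY_POLICY: dict[str, dict[str, set[str]]] = {
    "appserver-01": {"myorg/web": {"pull"}},
    "ci-builder": {"myorg/web": {"pull", "push"}},
}


def parse_scope(scope: str) -> tuple[str, str, set[str]]:
    """Split one 'type:name:action[,action]' scope as sent by the registry.

    The resource name may itself contain ':' (e.g. a host:port prefix), so the
    type is taken from the first ':' and the action list from the last one.
    """
    rtype, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return rtype, name, {a for a in actions.split(",") if a}


def grant_access(principal: str, scopes: list[str]) -> list[dict]:
    """Build the token's `access` claim: requested actions narrowed to policy.

    Anything the identity is not entitled to is silently dropped, so a client
    that asks for 'pull,push' but only holds a pull-only key receives 'pull'.
    """
    repos = DEPLOY_KEY_POLICY.get(principal, {})
    access = []
    for scope in scopes:
        rtype, name, requested = parse_scope(scope)
        if rtype != "repository":
            continue  # this server only issues repository-scoped tokens
        allowed = sorted(requested & repos.get(name, set()))
        if allowed:
            access.append({"type": rtype, "name": name, "actions": allowed})
    return access


if __name__ == "__main__":
    # A docker push from the app server asks for pull,push; it only gets pull.
    print(grant_access("appserver-01", ["repository:myorg/web:pull,push"]))
```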