feat(registry): add docker registry credential store and app selector

Author: camilohollanda

app/Http/Controllers/Api/ApplicationsController.php

@@ -932,7 +932,7 @@ private function create_application(Request $request, $type)
         if ($return instanceof \Illuminate\Http\JsonResponse) {
             return $return;
         }
-        $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container',  'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain'];
+        $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'docker_registry_id', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container',  'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain'];
 
         $validator = customApiValidator($request->all(), [
             'name' => 'string|max:255',
@@ -945,6 +945,7 @@ private function create_application(Request $request, $type)
             'is_http_basic_auth_enabled' => 'boolean',
             'http_basic_auth_username' => 'string|nullable',
             'http_basic_auth_password' => 'string|nullable',
+            'docker_registry_id' => 'integer|nullable|exists:docker_registries,id',
             'autogenerate_domain' => 'boolean',
         ]);
 
@@ -2136,7 +2137,7 @@ public function update_by_uuid(Request $request)
         $this->authorize('update', $application);
 
         $server = $application->destination->server;
-        $allowedFields = ['name', 'description', 'is_static', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override'];
+        $allowedFields = ['name', 'description', 'is_static', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'docker_registry_id', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override'];
 
         $validationRules = [
             'name' => 'string|max:255',
@@ -2152,6 +2153,7 @@ public function update_by_uuid(Request $request)
             'is_http_basic_auth_enabled' => 'boolean|nullable',
             'http_basic_auth_username' => 'string',
             'http_basic_auth_password' => 'string',
+            'docker_registry_id' => 'integer|nullable|exists:docker_registries,id',
         ];
         $validationRules = array_merge(sharedDataApplications(), $validationRules);
         $validator = customApiValidator($request->all(), $validationRules);

app/Jobs/ApplicationDeploymentJob.php

@@ -19,6 +19,7 @@
 use App\Models\SwarmDocker;
 use App\Notifications\Application\DeploymentFailed;
 use App\Notifications\Application\DeploymentSuccess;
+use App\Services\DockerImageParser;
 use App\Traits\EnvironmentVariableAnalyzer;
 use App\Traits\ExecuteRemoteCommand;
 use Carbon\Carbon;
@@ -572,6 +573,8 @@ private function deploy_dockerimage_buildpack()
         // Save runtime environment variables (including empty .env file if no variables defined)
         $this->save_runtime_environment_variables();
 
+        $this->login_to_docker_registry_if_needed();
+
         $this->rolling_update();
     }
 
@@ -2783,6 +2786,37 @@ private function pull_latest_image($image)
         );
     }
 
+    private function login_to_docker_registry_if_needed(): void
+    {
+        $registry = $this->application->dockerRegistry;
+        $username = $registry?->username;
+        $password = $registry?->password;
+
+        if (str($username)->isEmpty() || str($password)->isEmpty()) {
+            return;
+        }
+
+        if (str($this->application->docker_registry_image_name)->isEmpty()) {
+            return;
+        }
+
+        $imageName = str($this->application->docker_registry_image_name)->before('@sha256')->value();
+        $parser = new DockerImageParser;
+        $parser->parse($imageName.':latest');
+        $registryUrl = $registry?->registry_url ?: $parser->getRegistryUrl();
+        $registryArg = $registryUrl ? ' '.escapeshellarg($registryUrl) : '';
+        $usernameArg = escapeshellarg($username);
+        $passwordArg = escapeshellarg($password);
+
+        $this->application_deployment_queue->addLogEntry('Logging in to Docker registry for image pull.');
+        $this->execute_remote_command(
+            [
+                executeInDocker($this->deployment_uuid, "echo {$passwordArg} | docker login{$registryArg} -u {$usernameArg} --password-stdin"),
+                'hidden' => true,
+            ]
+        );
+    }
+
     private function build_static_image()
     {
         $this->application_deployment_queue->addLogEntry('----------------------------------------');

app/Livewire/Project/Application/General.php

@@ -4,9 +4,11 @@
 
 use App\Actions\Application\GenerateConfig;
 use App\Models\Application;
+use App\Models\DockerRegistry;
 use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Collection;
+use Illuminate\Validation\Rule;
 use Livewire\Attributes\Validate;
 use Livewire\Component;
 use Spatie\Url\Url;
@@ -85,6 +87,11 @@ class General extends Component
     #[Validate(['string', 'nullable'])]
     public ?string $dockerRegistryImageTag = null;
 
+    #[Validate(['nullable', 'integer'])]
+    public ?int $dockerRegistryId = null;
+
+    public ?Collection $dockerRegistries = null;
+
     #[Validate(['string', 'nullable'])]
     public ?string $dockerComposeLocation = null;
 
@@ -198,6 +205,7 @@ protected function rules(): array
             'dockerfile' => 'nullable',
             'dockerRegistryImageName' => 'nullable',
             'dockerRegistryImageTag' => 'nullable',
+            'dockerRegistryId' => ['nullable', 'integer', Rule::exists('docker_registries', 'id')->where('team_id', currentTeam()->id)],
             'dockerfileLocation' => 'nullable',
             'dockerComposeLocation' => 'nullable',
             'dockerCompose' => 'nullable',
@@ -279,6 +287,7 @@ protected function messages(): array
         'dockerfile' => 'Dockerfile',
         'dockerRegistryImageName' => 'Docker registry image name',
         'dockerRegistryImageTag' => 'Docker registry image tag',
+        'dockerRegistryId' => 'Docker registry credentials',
         'dockerfileLocation' => 'Dockerfile location',
         'dockerComposeLocation' => 'Docker compose location',
         'dockerCompose' => 'Docker compose',
@@ -364,6 +373,8 @@ public function mount()
             $this->dispatch('configurationChanged');
         }
 
+        $this->dockerRegistries = DockerRegistry::ownedByCurrentTeam(['name', 'registry_url'])->get();
+
         // Sync data from model to properties at the END, after all business logic
         // This ensures any modifications to $this->application during mount() are reflected in properties
         $this->syncData();
@@ -396,6 +407,7 @@ public function syncData(bool $toModel = false): void
             $this->application->dockerfile_target_build = $this->dockerfileTargetBuild;
             $this->application->docker_registry_image_name = $this->dockerRegistryImageName;
             $this->application->docker_registry_image_tag = $this->dockerRegistryImageTag;
+            $this->application->docker_registry_id = $this->dockerRegistryId;
             $this->application->docker_compose_location = $this->dockerComposeLocation;
             $this->application->docker_compose = $this->dockerCompose;
             $this->application->docker_compose_raw = $this->dockerComposeRaw;
@@ -448,6 +460,7 @@ public function syncData(bool $toModel = false): void
             $this->dockerfileTargetBuild = $this->application->dockerfile_target_build;
             $this->dockerRegistryImageName = $this->application->docker_registry_image_name;
             $this->dockerRegistryImageTag = $this->application->docker_registry_image_tag;
+            $this->dockerRegistryId = $this->application->docker_registry_id;
             $this->dockerComposeLocation = $this->application->docker_compose_location;
             $this->dockerCompose = $this->application->docker_compose;
             $this->dockerComposeRaw = $this->application->docker_compose_raw;

app/Livewire/Project/New/DockerImage.php

@@ -3,10 +3,12 @@
 namespace App\Livewire\Project\New;
 
 use App\Models\Application;
+use App\Models\DockerRegistry;
 use App\Models\Project;
 use App\Models\StandaloneDocker;
 use App\Models\SwarmDocker;
 use App\Services\DockerImageParser;
+use Illuminate\Validation\Rule;
 use Livewire\Component;
 use Visus\Cuid2\Cuid2;
 
@@ -18,6 +20,10 @@ class DockerImage extends Component
 
     public string $imageSha256 = '';
 
+    public ?int $dockerRegistryId = null;
+
+    public $dockerRegistries;
+
     public array $parameters;
 
     public array $query;
@@ -26,6 +32,7 @@ public function mount()
     {
         $this->parameters = get_route_parameters();
         $this->query = request()->query();
+        $this->dockerRegistries = DockerRegistry::ownedByCurrentTeam(['name', 'registry_url'])->get();
     }
 
     /**
@@ -86,6 +93,7 @@ public function submit()
             'imageName' => ['required', 'string'],
             'imageTag' => ['nullable', 'string', 'regex:/^[a-z0-9][a-z0-9._-]*$/i'],
             'imageSha256' => ['nullable', 'string', 'regex:/^[a-f0-9]{64}$/i'],
+            'dockerRegistryId' => ['nullable', 'integer', Rule::exists('docker_registries', 'id')->where('team_id', currentTeam()->id)],
         ]);
 
         // Validate that either tag or sha256 is provided, but not both
@@ -142,6 +150,7 @@ public function submit()
             'ports_exposes' => 80,
             'docker_registry_image_name' => $imageName,
             'docker_registry_image_tag' => $imageTag,
+            'docker_registry_id' => $this->dockerRegistryId,
             'environment_id' => $environment->id,
             'destination_id' => $destination->id,
             'destination_type' => $destination_class,

app/Livewire/Security/DockerRegistry/Create.php

@@ -0,0 +1,84 @@
+<?php
+
+namespace App\Livewire\Security\DockerRegistry;
+
+use App\Models\DockerRegistry;
+use App\Support\ValidationPatterns;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class Create extends Component
+{
+    use AuthorizesRequests;
+
+    public string $name = '';
+
+    public ?string $description = null;
+
+    public ?string $registryUrl = null;
+
+    public ?string $username = null;
+
+    public ?string $password = null;
+
+    protected function rules(): array
+    {
+        return [
+            'name' => ValidationPatterns::nameRules(),
+            'description' => ValidationPatterns::descriptionRules(),
+            'registryUrl' => 'nullable|string',
+            'username' => 'nullable|string|required_with:password',
+            'password' => 'nullable|string|required_with:username',
+        ];
+    }
+
+    public function createRegistry()
+    {
+        $this->validate();
+
+        $username = $this->username !== null ? trim($this->username) : null;
+        $password = $this->password !== null ? trim($this->password) : null;
+        $registryUrl = $this->registryUrl !== null ? trim($this->registryUrl) : null;
+
+        if ($username === '') {
+            $username = null;
+        }
+
+        if ($password === '') {
+            $password = null;
+        }
+
+        if ($registryUrl === '') {
+            $registryUrl = null;
+        }
+
+        if (($username && ! $password) || ($password && ! $username)) {
+            $this->addError('username', 'Please provide both username and password for the registry.');
+            $this->addError('password', 'Please provide both username and password for the registry.');
+
+            return;
+        }
+
+        try {
+            $this->authorize('create', DockerRegistry::class);
+
+            DockerRegistry::create([
+                'name' => $this->name,
+                'description' => $this->description,
+                'registry_url' => $registryUrl,
+                'username' => $username,
+                'password' => $password,
+                'team_id' => currentTeam()->id,
+            ]);
+
+            return redirectRoute($this, 'security.docker-registry.index');
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        }
+    }
+
+    public function render()
+    {
+        return view('livewire.security.docker-registry.create');
+    }
+}

app/Livewire/Security/DockerRegistry/Index.php

@@ -0,0 +1,23 @@
+<?php
+
+namespace App\Livewire\Security\DockerRegistry;
+
+use App\Models\DockerRegistry;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class Index extends Component
+{
+    use AuthorizesRequests;
+
+    public function render()
+    {
+        $this->authorize('viewAny', DockerRegistry::class);
+
+        $registries = DockerRegistry::ownedByCurrentTeam(['name', 'uuid', 'description', 'registry_url', 'team_id'])->get();
+
+        return view('livewire.security.docker-registry.index', [
+            'registries' => $registries,
+        ])->layout('components.layout');
+    }
+}