Subtenant Remote Registries

A list of remote registries used when fetching application images. By adding an entry here, and adding credentials to Strongbox it is possible to fetch images from an authenticated registry.

Create a new remote registry

SecurityaccessToken

Request

path Parameters

tenant-name

required

string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

query Parameters

validate

string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"

Request Body schema:
application/yaml

address required	string <registry-address> The address of the remote registry.
override-address	string <registry-address> When override-address is set, that will be used instead of address.
ca-cert	string <ca-cert> One or more root certificates in PEM format. By default the system root CA certs will be used to verify the remote registry. If the remote registry does not have an official certificate (for example if it is using a self-signed certificate) add its CA cert or the cert itself here.
	Array of objects Credentials to use when connecting to this registry. When the credentials should be used for all repositories in this registry, set the repository to . In order to only use credentials for a specific repository, or set of repositories their name can be set here, and the longest matching repository name will be chosen. For example, if you have `repository: avassa-public` it will be used for `avassa-public/kettle-popper-manager` as well as `avassa-public/projector-operations`. But not for example for `redis`. `- repository: "" vault: myvault secret: a - repository: avassa-public vault: myvault secret: b - repository: avassa-public/digital-assets-manager vault: myvault secret: c` With the above example, secret `b` would be used for `avassa-public/kettle-popper-manager` as well as `avassa-public/projector-operations`. However for `avassa-public/digital-assets-manager` secret c would be used. And for `redis` secret a would be used.

Responses

201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

post/v1/config/tenants/{tenant-name}/image-registry/remote-registries

Request samples

Payload

address: registry.example.com
override-address: registry.example.com:6000
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIFcDCCA1igAwIBAgIUIPuDwU8c4lqnTlPNHmDlqsw7b8QwDQYJKoZIhvcNAQEL
  XiMeFT5d7CImdCSZxjzfBGoLNEkOpU6F799icb3VX2URbzfPuSKVp3umsdT8gx4s
  WqxB6A==
  -----END CERTIFICATE-----
credentials:
  - repository: "*"
    vault: myvault
    secret: a
  - repository: avassa-public
    vault: myvault
    secret: b
  - repository: avassa-public/digital-assets-manager
    vault: myvault
    secret: c

Retrieve the configuration of all remote registries

SecurityaccessToken

Request

path Parameters

tenant-name

required

string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

query Parameters

fields	string Retrieve only requested fields from the resource See section fields
validate	string <enumeration> Validate the request but do not actually perform the requested operation Value: "true"
keys	string <enumeration> Retrieve only the keys for the list Value: "true"
count	string <enumeration> Retrieve only the number of elements in the list Value: "true"

Responses

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/tenants/{tenant-name}/image-registry/remote-registries

Response samples

200

- address: registry.example.com
  override-address: registry.example.com:6000
  ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIIFcDCCA1igAwIBAgIUIPuDwU8c4lqnTlPNHmDlqsw7b8QwDQYJKoZIhvcNAQEL
    XiMeFT5d7CImdCSZxjzfBGoLNEkOpU6F799icb3VX2URbzfPuSKVp3umsdT8gx4s
    WqxB6A==
    -----END CERTIFICATE-----
  credentials:
    - repository: "*"
      vault: myvault
      secret: a
    - repository: avassa-public
      vault: myvault
      secret: b
    - repository: avassa-public/digital-assets-manager
      vault: myvault
      secret: c

Update a remote registry

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

query Parameters

validate

string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"

Request Body schema:
application/yaml

address required	string <registry-address> The address of the remote registry.
override-address	string <registry-address> When override-address is set, that will be used instead of address.
ca-cert	string <ca-cert> One or more root certificates in PEM format. By default the system root CA certs will be used to verify the remote registry. If the remote registry does not have an official certificate (for example if it is using a self-signed certificate) add its CA cert or the cert itself here.
	Array of objects Credentials to use when connecting to this registry. When the credentials should be used for all repositories in this registry, set the repository to . In order to only use credentials for a specific repository, or set of repositories their name can be set here, and the longest matching repository name will be chosen. For example, if you have `repository: avassa-public` it will be used for `avassa-public/kettle-popper-manager` as well as `avassa-public/projector-operations`. But not for example for `redis`. `- repository: "" vault: myvault secret: a - repository: avassa-public vault: myvault secret: b - repository: avassa-public/digital-assets-manager vault: myvault secret: c` With the above example, secret `b` would be used for `avassa-public/kettle-popper-manager` as well as `avassa-public/projector-operations`. However for `avassa-public/digital-assets-manager` secret c would be used. And for `redis` secret a would be used.

Responses

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

patch/v1/config/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}

Request samples

Payload

address: registry.example.com
override-address: registry.example.com:6000
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIFcDCCA1igAwIBAgIUIPuDwU8c4lqnTlPNHmDlqsw7b8QwDQYJKoZIhvcNAQEL
  XiMeFT5d7CImdCSZxjzfBGoLNEkOpU6F799icb3VX2URbzfPuSKVp3umsdT8gx4s
  WqxB6A==
  -----END CERTIFICATE-----
credentials:
  - repository: "*"
    vault: myvault
    secret: a
  - repository: avassa-public
    vault: myvault
    secret: b
  - repository: avassa-public/digital-assets-manager
    vault: myvault
    secret: c

Delete a remote registry

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

query Parameters

validate

string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"

Responses

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

delete/v1/config/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}

Replace or create a new remote registry

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

query Parameters

validate

string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"

Request Body schema:
application/yaml

address required	string <registry-address> The address of the remote registry.
override-address	string <registry-address> When override-address is set, that will be used instead of address.
ca-cert	string <ca-cert> One or more root certificates in PEM format. By default the system root CA certs will be used to verify the remote registry. If the remote registry does not have an official certificate (for example if it is using a self-signed certificate) add its CA cert or the cert itself here.
	Array of objects Credentials to use when connecting to this registry. When the credentials should be used for all repositories in this registry, set the repository to . In order to only use credentials for a specific repository, or set of repositories their name can be set here, and the longest matching repository name will be chosen. For example, if you have `repository: avassa-public` it will be used for `avassa-public/kettle-popper-manager` as well as `avassa-public/projector-operations`. But not for example for `redis`. `- repository: "" vault: myvault secret: a - repository: avassa-public vault: myvault secret: b - repository: avassa-public/digital-assets-manager vault: myvault secret: c` With the above example, secret `b` would be used for `avassa-public/kettle-popper-manager` as well as `avassa-public/projector-operations`. However for `avassa-public/digital-assets-manager` secret c would be used. And for `redis` secret a would be used.

Responses

201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

put/v1/config/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}

Request samples

Payload

address: registry.example.com
override-address: registry.example.com:6000
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIFcDCCA1igAwIBAgIUIPuDwU8c4lqnTlPNHmDlqsw7b8QwDQYJKoZIhvcNAQEL
  XiMeFT5d7CImdCSZxjzfBGoLNEkOpU6F799icb3VX2URbzfPuSKVp3umsdT8gx4s
  WqxB6A==
  -----END CERTIFICATE-----
credentials:
  - repository: "*"
    vault: myvault
    secret: a
  - repository: avassa-public
    vault: myvault
    secret: b
  - repository: avassa-public/digital-assets-manager
    vault: myvault
    secret: c

Retrieve the configuration of a remote registry

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

query Parameters

fields	string Retrieve only requested fields from the resource See section fields
validate	string <enumeration> Validate the request but do not actually perform the requested operation Value: "true"

Responses

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}

Response samples

200

address: registry.example.com
override-address: registry.example.com:6000
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIFcDCCA1igAwIBAgIUIPuDwU8c4lqnTlPNHmDlqsw7b8QwDQYJKoZIhvcNAQEL
  XiMeFT5d7CImdCSZxjzfBGoLNEkOpU6F799icb3VX2URbzfPuSKVp3umsdT8gx4s
  WqxB6A==
  -----END CERTIFICATE-----
credentials:
  - repository: "*"
    vault: myvault
    secret: a
  - repository: avassa-public
    vault: myvault
    secret: b
  - repository: avassa-public/digital-assets-manager
    vault: myvault
    secret: c

Retrieve the state of all remote registries

SecurityaccessToken

Request

path Parameters

tenant-name

required

string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

query Parameters

fields	string Retrieve only requested fields from the resource See section fields
site	string Send the request to the specfifed site
content	string <enumeration> Filter descendant nodes in the response Enum: "config" "nonconfig"
keys	string <enumeration> Retrieve only the keys for the list Value: "true"
count	string <enumeration> Retrieve only the number of elements in the list Value: "true"

Responses

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/tenants/{tenant-name}/image-registry/remote-registries

Response samples

200

- address: registry.example.com
  override-address: registry.example.com:6000
  ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIIFcDCCA1igAwIBAgIUIPuDwU8c4lqnTlPNHmDlqsw7b8QwDQYJKoZIhvcNAQEL
    XiMeFT5d7CImdCSZxjzfBGoLNEkOpU6F799icb3VX2URbzfPuSKVp3umsdT8gx4s
    WqxB6A==
    -----END CERTIFICATE-----
  credentials:
    - repository: "*"
      vault: myvault
      secret: a
    - repository: avassa-public
      vault: myvault
      secret: b
    - repository: avassa-public/digital-assets-manager
      vault: myvault
      secret: c

Retrieve the state of a remote registry

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

query Parameters

fields	string Retrieve only requested fields from the resource See section fields
site	string Send the request to the specfifed site
content	string <enumeration> Filter descendant nodes in the response Enum: "config" "nonconfig"

Responses

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}

Response samples

200

address: registry.example.com
override-address: registry.example.com:6000
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIFcDCCA1igAwIBAgIUIPuDwU8c4lqnTlPNHmDlqsw7b8QwDQYJKoZIhvcNAQEL
  XiMeFT5d7CImdCSZxjzfBGoLNEkOpU6F799icb3VX2URbzfPuSKVp3umsdT8gx4s
  WqxB6A==
  -----END CERTIFICATE-----
credentials:
  - repository: "*"
    vault: myvault
    secret: a
  - repository: avassa-public
    vault: myvault
    secret: b
  - repository: avassa-public/digital-assets-manager
    vault: myvault
    secret: c

Invoke the list-images operation

Fetch the list of available images from the remote registry.

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

Request Body schema:
application/yaml

One of:

tag	string <tag> ^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$ Only fetch the images with this tag.
repository required	string <repository-string>
brief	boolean Must have the value `true`.
digest-length	string or integer <enumeration \| uint8> Default: "full" enumeration: - `full` - `short` uint8

Responses

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}/list-images

Request samples

Payload

repository: avassa-public/movie-theaters-demo/kettle-popper-manager
tags:
  - latest
  - v1.0
digest-length: full

Response samples

200

images:
  - name: registry.gitlab.com/avassa-public/movie-theaters-demo/kettle-popper-manager:latest
    digest: sha256:27ca0299125baf78014065152a1bd786573e309f15ae3dea9727239966ee0f4e
    image-index:
      media-type: application/vnd.oci.image.index.v1+json
      annotations: {}
      manifests:
        - digest: sha256:40356c753dbef81b769a59564a7aecae47fe9aaf25ac38e484189f83c3ddb6b0
          media-type: application/vnd.oci.image.manifest.v1+json
          platform: linux/amd64
          annotations: {}
        - digest: sha256:f26a93437cc3e662fc3cc3ee598e38dd765a56f1970956f963f74ddd4443c6ec
          media-type: application/vnd.oci.image.manifest.v1+json
          platform: unknown/unknown
          annotations:
            vnd.docker.reference.type: attestation-manifest
            vnd.docker.reference.digest: sha256:40356c753dbef81b769a59564a7aecae47fe9aaf25ac38e484189f83c3ddb6b0
        - digest: sha256:6fda815f671babdff2629fefb9c4cde1238e39530b838b03a1bf242fe1fa4b59
          media-type: application/vnd.oci.image.manifest.v1+json
          platform: linux/arm64
          annotations: {}
        - digest: sha256:3a417f1a4e7509393792ed8676bb47f6fe4fb95dceb6e55fdac56f8a835e9b91
          media-type: application/vnd.oci.image.manifest.v1+json
          platform: unknown/unknown
          annotations:
            vnd.docker.reference.type: attestation-manifest
            vnd.docker.reference.digest: sha256:6fda815f671babdff2629fefb9c4cde1238e39530b838b03a1bf242fe1fa4b59
  - name: registry.gitlab.com/avassa-public/movie-theaters-demo/kettle-popper-manager:v1.0
    digest: sha256:dadd899f7fe436b604183cbe0cc69d2144eea14a3050aff59c6a596d09a2cca7
    image-index:
      media-type: application/vnd.oci.image.index.v1+json
      annotations: {}
      manifests:
        - digest: sha256:66d89ad90c22706d7a7d9bb94f094239ce91157793bb0ec7d606ca732118a902
          media-type: application/vnd.oci.image.manifest.v1+json
          platform: linux/amd64
          annotations: {}
        - digest: sha256:e25f813685e4ce58d81dba1db905bc76f6c4da877c0baa094a03766ab650bbf2
          media-type: application/vnd.oci.image.manifest.v1+json
          platform: linux/arm64
          annotations: {}
        - digest: sha256:eab51c73922605a50430720e7b9b6eb0ab4225fd77cda474ccd84b38866cd35d
          media-type: application/vnd.oci.image.manifest.v1+json
          platform: unknown/unknown
          annotations:
            vnd.docker.reference.type: attestation-manifest
            vnd.docker.reference.digest: sha256:66d89ad90c22706d7a7d9bb94f094239ce91157793bb0ec7d606ca732118a902
        - digest: sha256:9cd226818a10503d97068514672e9af0aa91e9c26d3c8c4f494b61ab98c0dab7
          media-type: application/vnd.oci.image.manifest.v1+json
          platform: unknown/unknown
          annotations:
            vnd.docker.reference.type: attestation-manifest
            vnd.docker.reference.digest: sha256:e25f813685e4ce58d81dba1db905bc76f6c4da877c0baa094a03766ab650bbf2

Invoke the list-repositories operation

Fetch the list of available repositories from the remote registry.

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

Responses

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}/list-repositories

Response samples

200

repositories:
  - avassa-public/movie-theaters-demo/kettle-popper-manager
  - avassa-public/movie-theaters-demo/curtain-controller
  - avassa-public/movie-theaters-demo/visitors-counter

Invoke the pull operation

Pull an image from this remote registry.

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

Request Body schema:
application/yaml

One of:

all-platforms	boolean Must have the value `true`. Include all platforms that are available for this image.
image required	string <image-string>
to	string <image-string> Optional target repository and tag

Responses

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}/pull

Request samples

Payload

image: avassa-public/movie-theaters-demo/kettle-popper-manager:v1.0
platform: x86_64
to: avassa/kettle-popper-manager

Response samples

200

name: avassa/kettle-popper-manager:latest
digest: sha256:38cd92e53bd34757638e833d179198fc8254b8ed6156e9fc70946bd4eec4ba26
tag-updated: true

Invoke the verify-credentials operation

Try to connect and authenticate with the remote registry. Returns 'success' or an error message.

SecurityaccessToken

Request

path Parameters

tenant-name required	string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$ name of tenant
remote-registry-address required	string <registry-address> The address of the remote registry.

Request Body schema:
application/yaml

image

string <image-string>

If an image string is specified, try to authenticate and verify that that particular image is readable.

Responses

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/tenants/{tenant-name}/image-registry/remote-registries/{remote-registry-address}/verify-credentials

Request samples

Payload

image: avassa-public/movie-theaters-demo/curtain-controller

Response samples

200

success: true
digest: sha256:565f2b8629c3f5e6b79b78157fdb0c640e5a4fc53a43f728624be7df8831bd3e

Subtenant Remote Registries

Create a new remote registry

path Parameters

query Parameters

Request Body schema: application/yamlapplication/jsonapplication/yaml

Retrieve the configuration of all remote registries

path Parameters

query Parameters

Update a remote registry

path Parameters

query Parameters

Request Body schema: application/yamlapplication/jsonapplication/yaml

Delete a remote registry

path Parameters

query Parameters

Replace or create a new remote registry

path Parameters

query Parameters

Request Body schema: application/yamlapplication/jsonapplication/yaml

Retrieve the configuration of a remote registry

path Parameters

query Parameters

Retrieve the state of all remote registries

path Parameters

query Parameters

Retrieve the state of a remote registry

path Parameters

query Parameters

Invoke the list-images operation

path Parameters

Request Body schema: application/yamlapplication/jsonapplication/yaml

Invoke the list-repositories operation

path Parameters

Invoke the pull operation

path Parameters

Request Body schema: application/yamlapplication/jsonapplication/yaml

Invoke the verify-credentials operation

path Parameters

Request Body schema: application/yamlapplication/jsonapplication/yaml

Request Body schema:
application/yaml

Request Body schema:
application/yaml

Request Body schema:
application/yaml

Request Body schema:
application/yaml

Request Body schema:
application/yaml

Request Body schema:
application/yaml