
Default image pulls to GHCR and harden registry host resolution #26

Open
Copilot wants to merge 14 commits into main from copilot/deploy-to-azure-using-github-actions

Contributor

Copilot AI commented Apr 18, 2026

  • Inspect current CI workflows and project verification commands
  • Add a minimal GitHub Actions workflow to deploy/verify on Azure Kubernetes Service (AKS)
  • Verify volume and ResourceCapsule functionality in the Azure workflow
  • Document required Azure/GitHub secrets and how to trigger the workflow
  • Re-run go test ./... and go build ./... after changes

Copilot finished work on behalf of j143 April 18, 2026 11:50
Copilot AI requested a review from j143 April 18, 2026 11:50
@j143
Owner

j143 commented Apr 19, 2026

@copilot fix the go test issue

172.17.0.1 - - [18/Apr/2026:11:32:01 +0000] "HEAD /v2/alpine/blobs/sha256:3cb067eab609612d81b4d82ff8ad71d73482bb3059a87b642d7e14f0ed659cde HTTP/1.1" 200 0 "" "docker/28.0.4 go/go1.23.7 git-commit/6430e49 kernel/6.17.0-1010-azure os/linux arch/amd64 UpstreamClient(Docker-Client/28.0.4 \(linux\))"
172.17.0.1 - - [18/Apr/2026:11:32:01 +0000] "PUT /v2/alpine/manifests/latest HTTP/1.1" 201 0 "" "docker/28.0.4 go/go1.23.7 git-commit/6430e49 kernel/6.17.0-1010-azure os/linux arch/amd64 UpstreamClient(Docker-Client/28.0.4 \(linux\))"
Verifying the image in the local registry...
Registry catalog: {"repositories":["alpine"]}
Environment detected: inContainer=false, hasNamespacePrivileges=true, hasCgroupAccess=true, cgroupVersion=2
Fetching image 'user:password@localhost:5000/alpine' from registry...
[DEBUG] Starting to pull image 'alpine'
[DEBUG] Fetching manifest for repo 'alpine' and tag 'latest'
Error: Failed to fetch image 'user:password@localhost:5000/alpine': failed to fetch manifest: failed to fetch manifest: Get "***localhost:5000/v2/alpine/manifests/latest": http: server gave HTTP response to HTTPS client
Error: basic-docker failed to run the image.
Cleaning up...
Cleanup completed.

Contributor Author

Copilot AI commented Apr 19, 2026

@copilot fix the go test issue

172.17.0.1 - - [18/Apr/2026:11:32:01 +0000] "HEAD /v2/alpine/blobs/sha256:3cb067eab609612d81b4d82ff8ad71d73482bb3059a87b642d7e14f0ed659cde HTTP/1.1" 200 0 "" "docker/...

Fixed in b439617 (plus extra coverage in ab520af). resolveRegistry now strips credentials before host detection, so user:pass@localhost:5000/... is treated as a local registry and uses http://localhost:5000/v2/ instead of HTTPS. I also added tests for credentialed local registry cases (including @ in username).

Copilot finished work on behalf of j143 April 19, 2026 06:51
Copilot AI requested a review from j143 April 19, 2026 06:51
j143 added 5 commits April 29, 2026 02:35
…ployment

Kubernetes volume names must comply with DNS label syntax and cannot contain
dots. The previous code produced names like 'capsule-name-1.0' which were
rejected by the API server.

Fix: apply strings.ReplaceAll(version, ".", "-") when building the volume
name. The container mount path (/capsules/<name>/<version>) is unchanged.

Fixes error:
  spec.template.spec.volumes[0].name: Invalid value: "capsule-...-1.0":
  must not contain dots

Update kubernetes_test.go expected volume/mount names accordingly.

…ipts/setup-azure-aks.sh
- Creates resource group, AKS cluster, app registration, service principal, Contributor role assignment, and OIDC federated credential
- Sets GitHub Actions secrets (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID) using GH_TOKEN env var; falls back to gh auth refresh or prints manual instructions on 403

scripts/verify-adr-001.sh
- Verifies all four ADR-001 claims against a live Kubernetes cluster: C1 Versioning, C2 Dynamic Attachment, C3 Isolation, C4 Reusability
- Runs matching unit tests (TestKubernetesConfigMapCapsule, TestAttachCapsuleToDeployment, TestResourceCapsule*)
- Isolated namespace per run; cleanup on exit
- Accepts --resource-group, --cluster, --keep-ns flags

…github/workflows/aks-lifecycle.yml — workflow_dispatch with four actions:
  deploy             Create resource group + AKS cluster (idempotent)
  verify             Run ADR-001 verification against existing cluster
  deploy-and-verify  Deploy then verify, destroy on success
  destroy            Delete AKS cluster and resource group (async)
Inputs: action, resource_group (default: rg-basic-docker), aks_cluster (default: basic-docker-aks), location (default: eastus)
Uses AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_SUBSCRIPTION_ID secrets with OIDC login (no stored credentials).

…'Experimental Verification on Azure AKS — April 29, 2026' section:
- Test environment: AKS basic-docker-aks, East US, K8s v1.34.4, Standard_B2s
- 16/16 checks passed across all four ADR-001 claims (C1-C4)
- Per-claim technical observations noting what holds solid value and what limitations were found during live testing
- Documents the dots-in-volume-names bug found and fixed during verification
- Lists all artifacts produced (scripts, workflows)
- Updates Status line to include April 29, 2026 AKS verification

- Add Username/Password fields to DockerHubRegistry
- Add NewDockerHubRegistryWithCreds constructor
- Update FetchManifest and FetchLayer to use http.NewRequest + SetBasicAuth
- Add extractCredentials() to parse user:pass@ prefix from image name
- Wire credentials through run() → NewDockerHubRegistryWithCreds
- Add TestExtractCredentials unit test

Fixes verify.sh CI failure: 'user:password@localhost:5000/alpine' was
returning 401 because credentials were stripped by resolveRegistry but
never sent in the manifest/layer HTTP requests.
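
The two fixes discussed in this thread (stripping credentials before host detection, then actually sending them with the manifest request) can be seen together in the following added example, which is not code from this PR or from basic-docker. The names `imageRef`, `parseImageRef` and `manifestRequest` are hypothetical, and the sketch assumes that only loopback hosts count as local plain-HTTP registries and that the password contains no `/`.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

type imageRef struct{ User, Pass, Host, Repo, BaseURL string } // hypothetical type

// parseImageRef splits "[user[:pass]@]host[:port]/repo", credentials first.
func parseImageRef(image string) (imageRef, error) {
	authority, repo, ok := strings.Cut(image, "/")
	if !ok || authority == "" || repo == "" {
		return imageRef{}, fmt.Errorf("expected host/repo, got %q", image)
	}
	r := imageRef{Repo: repo}
	// Split on the LAST '@': a username such as an e-mail address contains one.
	if at := strings.LastIndex(authority, "@"); at >= 0 {
		r.User, r.Pass, _ = strings.Cut(authority[:at], ":")
		authority = authority[at+1:]
	}
	r.Host = authority
	name := authority
	if h, _, err := net.SplitHostPort(authority); err == nil {
		name = h
	}
	// Assumption: only loopback hosts are treated as local plain-HTTP registries.
	scheme := "https"
	if ip := net.ParseIP(name); name == "localhost" || (ip != nil && ip.IsLoopback()) {
		scheme = "http"
	}
	r.BaseURL = scheme + "://" + r.Host + "/v2/"
	return r, nil
}

// manifestRequest puts credentials in a Basic Authorization header, never in the URL.
func manifestRequest(r imageRef, tag string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, r.BaseURL+r.Repo+"/manifests/"+tag, nil)
	if err == nil && r.User != "" {
		req.SetBasicAuth(r.User, r.Pass)
	}
	return req, err
}

func main() {
	r, _ := parseImageRef("user:password@localhost:5000/alpine") // value from the CI log
	fmt.Println(r.BaseURL, r.Host+"/"+r.Repo)                    // log line without credentials
}
```

Logging `Host` and `Repo` rather than the raw image string keeps the password out of output such as the `Fetching image 'user:password@...'` line in the CI log.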