Have a mirror repository for docker repositories

[remy-tiitre]

What would you like Renovate to be able to do?

We use internal Artifactory as docker registry. All our internal images seem to work fine, but we also proxy dockerhub through Artifactory so we can whitelist images that are allowed and have an overview that images are in use. So instead of having FROM ubuntu for example we use FROM internal.repo.com/ubuntu. Unfortunately this will break Renovate as queries https://internal.repo.com/v2/ubuntu/tags/list?n=10000 or https://internal.repo.com/v2/library/ubuntu/tags/list?n=10000 return nothing as Artifactory does not proxy this information for remote repositories.

If you have any ideas on how this should be implemented, please tell us here.

If we could define alternative source for image version with hostRules or with annotation in Dockerfile etc, this could solve the issue. Maybe there is a solution already, I just don't know it.

Is this a feature you are interested in implementing yourself?

No

[rarkins]

Converted to a discussion, Please stick to those in future instead of issues

[MindTooth]

You can configure Renovate to use your proxy so that you don't use the Docker Hub rate-limit when doing lookups. Also, I would look into if your container runtime (docker engine, cri-o, etc.) can be configured to use your proxy registry too.

Currently I'm using registryAliases to configure our Docker lookups to use out proxy.. Some places I explicitly add the proxy address in-front on the image tag (image: <proxy>/renovate/renovate:1.1.1). Your miles may vary.

---

{
  "registryAliases": {
    "index.docker.io": "<proxy address>"
  },
}

Ref.: https://docs.renovatebot.com/configuration-options/#registryaliases Note! It only works for some managers. The same can be done inside a regexManage using registryUrlTemplate.

[viceice]

that should also work the other way around to force renovate to lookup updates from artifactory proxy images on docker hub.

queries to the tags list don't count to pull limits. only fetching configs (Labels) and blobs (do t used by renovate) are counted to rate limits.

[remy-tiitre]

I got registryAliases working. But only when I set it at the global level. When I tried to set it at packageRules section it did not work. Maybe I did something wrong. But this is an issue for my use case. I only want to use registryAliases for a very limited set of docker images. Everything build in house should still go to local repository. Why I suspect that I did something wrong. I also tried this, and it didn't work either:

{
    "matchPackageNames": ["artifactory.local.repo/centos"],
    "replacementName": "index.docker.io/centos",
 },

And I also tried the "replacementNameTemplate": "{{{replace 'artifactory.local.repo/' 'docker\\.io/' packageName}}}"

[remy-tiitre]

For a moment I thought that it works, but it doesn't. I confirmed that the packageRule is working.

            "matchDatasources": ["docker"],
            "matchPackageNames": [
                "docker.repo.internal/python"
            ],
            "enabled": false

This did disable the package. But this does not replace the package name:

            "matchDatasources": ["docker"],
            "matchPackageNames": [
                "docker.repo.internal/python"
            ],
            "replacementNameTemplate": "{{{replace 'docker.repo.internal/' 'docker.io/' packageName}}}"

The internal repo name has been modified but other than that its exact code from my Renovate config.

[remy-tiitre]

This subject is not relevant as I understood later that replacementName or replacementNameTemplate will not help me anyway. I don't want Renovate to commit those changes to repository in Dockerfile or any other location.

[remy-tiitre]

I also tried these configurations:

    "packageRules": [
        {
            "description": "Take Dockerhub images version information directly from Dockerhub",
            "matchDatasources": ["docker"],
            "matchPackageNames": ["docker.repo.internal/python"],
            "registryAliases": {
                "docker.repo.internal": "docker.io"
            }
        }
    ]

And this does not work. When I move registryAliases to packageRules sibling:

    "packageRules": [
        {
            "description": "Take Dockerhub images version information directly from Dockerhub",
            "matchDatasources": ["docker"],
            "matchPackageNames": ["docker.repo.internal/python"],
            ...
        }
    ],
    "registryAliases": {
        "docker.repo.internal": "docker.io"
    }

it works, but like I said this is problematic. I could move this configuration out of global configuration to repository. But even there it is problematic. I might have docker images in .gitlab-ci.yml that we are building ourselves and that are in internal repo but the Dockerfile might have images from Dockerhub. Right now it seems that the only solution is to disable Dockerfile manager and use regex.

[remy-tiitre]

How I got it working in a way I need it to work:

    "packageRules": [
        {
            "description": "Disable Dockerfile for Dockerhub images",
            "matchManagers": ["dockerfile"],
            "matchPackageNames": [
                "docker.internal.repo/ubuntu"
            ],
            "enabled": false
        }
    ],
    "regexManagers": [
        {
            "fileMatch": ["^Dockerfile$"],
            "matchStrings": ["(?:#[ ]+renovate:[ ]+registryUrl=(?<registryUrl>[\\S]+?))\\sFROM(?:[ \\t]*\\r?\\n| |\\t|#.*?\\r?\\n|--platform=\\S+)+(?:[^\\/]+?)\\/(?<depName>.*?)(?::(?<currentValue>.*?))(?:@(?<currentDigest>sha256:[a-f0-9]+))?\\s"],
            "datasourceTemplate": "docker"
        }
    ]

And then in Dockerfile:

# renovate: registryUrl=docker.io
FROM docker.internal.repo/ubuntu:22.04@sha256:9a0bdde4188b896a372804be2384015e90e3f84906b750c1a53539b585fbbe7f

Bonus was that I could add versioning configuration as well with that comment. Would be nice if Dockerfile one supported those comments.