Add custom capabilities setting to registry config

wjordan · wjordan · commit 92cdb051afbe · 2025-07-10T01:17:07.000-07:00
Allows a registry mirror to be configured with the "push"
capability which can be helpful in some proxy use-cases.

Signed-off-by: Will Jordan &lt;will.jordan@gmail.com&gt;
diff --git a/util/resolver/config/config.go b/util/resolver/config/config.go
@@ -7,6 +7,7 @@ type RegistryConfig struct {
 	RootCAs      []string     `toml:"ca"`
 	KeyPairs     []TLSKeyPair `toml:"keypair"`
 	TLSConfigDir []string     `toml:"tlsconfigdir"`
+	Capabilities []string     `toml:"capabilities"`
 }
 
 type TLSKeyPair struct {
diff --git a/util/resolver/resolver.go b/util/resolver/resolver.go
@@ -3,6 +3,7 @@ package resolver
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"net"
 	"net/http"
 	"os"
@@ -25,6 +26,25 @@ const (
 	defaultPath = "/v2"
 )
 
+func fillConfigOpts(host string, c config.RegistryConfig, h docker.RegistryHost) (*docker.RegistryHost, error) {
+	if len(c.Capabilities) > 0 {
+		h.Capabilities = 0
+		for _, capability := range c.Capabilities {
+			switch strings.ToLower(capability) {
+			case "pull":
+				h.Capabilities |= docker.HostCapabilityPull
+			case "resolve":
+				h.Capabilities |= docker.HostCapabilityResolve
+			case "push":
+				h.Capabilities |= docker.HostCapabilityPush
+			default:
+				return nil, fmt.Errorf("unknown capability %v", c)
+			}
+		}
+	}
+
+	return fillInsecureOpts(host, c, h)
+}
 func fillInsecureOpts(host string, c config.RegistryConfig, h docker.RegistryHost) (*docker.RegistryHost, error) {
 	tc, err := loadTLSConfig(c)
 	if err != nil {
@@ -134,7 +154,7 @@ func NewRegistryConfig(m map[string]config.RegistryConfig) docker.RegistryHosts
 			for _, rawMirror := range c.Mirrors {
 				h := newMirrorRegistryHost(rawMirror)
 				mirrorHost := h.Host
-				host, err := fillInsecureOpts(mirrorHost, m[mirrorHost], h)
+				host, err := fillConfigOpts(mirrorHost, m[mirrorHost], h)
 				if err != nil {
 					return nil, err
 				}
@@ -154,7 +174,7 @@ func NewRegistryConfig(m map[string]config.RegistryConfig) docker.RegistryHosts
 				Capabilities: docker.HostCapabilityPush | docker.HostCapabilityPull | docker.HostCapabilityResolve,
 			}
 
-			hosts, err := fillInsecureOpts(host, c, h)
+			hosts, err := fillConfigOpts(host, c, h)
 			if err != nil {
 				return nil, err
 			}
diff --git a/util/resolver/resolver_test.go b/util/resolver/resolver_test.go
@@ -5,6 +5,7 @@ import (
 	"path"
 	"testing"
 
+	"github.com/containerd/containerd/v2/core/remotes/docker"
 	"github.com/moby/buildkit/cmd/buildkitd/config"
 	"github.com/stretchr/testify/require"
 )
@@ -66,3 +67,67 @@ mirrors = ["https://url/", "https://url/path/"]
 		}
 	}
 }
+
+func TestNewRegistryConfig(t *testing.T) {
+	const testConfig = `
+[registry."docker.io"]
+mirrors = ["yourmirror.local", "proxy.local:5000/proxy.docker.io"]
+
+[registry."yourmirror.local"]
+http = true
+
+[registry."proxy.local:5000"]
+capabilities = ["pull", "resolve", "push"]
+`
+
+	tests := map[string]struct {
+		description  string
+		http         bool
+		capabilities docker.HostCapabilities
+		mirrors      []string
+		scheme       string
+		path         string
+	}{
+		"registry-1.docker.io": {
+			description:  "valid_docker_io_with_mirrors",
+			mirrors:      []string{"yourmirror.local", "proxy.local:5000", "registry-1.docker.io"},
+			scheme:       "https",
+			path:         defaultPath,
+			capabilities: docker.HostCapabilityPull | docker.HostCapabilityResolve | docker.HostCapabilityPush,
+		},
+		"yourmirror.local": {
+			description:  "http_mirror",
+			scheme:       "http",
+			path:         defaultPath,
+			capabilities: docker.HostCapabilityPull | docker.HostCapabilityResolve,
+		},
+		"proxy.local:5000": {
+			description:  "proxy_push_mirror",
+			scheme:       "https",
+			path:         path.Join(defaultPath, "proxy.docker.io"),
+			capabilities: docker.HostCapabilityPull | docker.HostCapabilityResolve | docker.HostCapabilityPush,
+		},
+	}
+
+	cfg, err := config.Load(bytes.NewBuffer([]byte(testConfig)))
+	require.NoError(t, err)
+
+	require.NotEqual(t, 0, len(cfg.Registries))
+	registryHosts := NewRegistryConfig(cfg.Registries)
+	require.NotNil(t, registryHosts)
+	hosts, err := registryHosts("docker.io")
+	require.NoError(t, err)
+	hostnames := make([]string, 0, len(hosts))
+	for _, host := range hosts {
+		test := tests[host.Host]
+		desc := test.description
+		t.Run(desc, func(t *testing.T) {
+			hostnames = append(hostnames, host.Host)
+			require.NotNil(t, test, "unexpected registry host: %s", host.Host)
+			require.Equal(t, test.capabilities, host.Capabilities)
+			require.Equal(t, test.scheme, host.Scheme)
+			require.Equal(t, test.path, host.Path)
+		})
+	}
+	require.Equal(t, tests["registry-1.docker.io"].mirrors, hostnames)
+}

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ type RegistryConfig struct {`
`7`	`7`	RootCAs []string `toml:"ca"`
`8`	`8`	KeyPairs []TLSKeyPair `toml:"keypair"`
`9`	`9`	TLSConfigDir []string `toml:"tlsconfigdir"`
	`10`	+ Capabilities []string `toml:"capabilities"`
`10`	`11`	`}`
`11`	`12`
`12`	`13`	`type TLSKeyPair struct {`