6484 use upstream registry 3.x

registry/Dockerfile

@@ -12,29 +12,9 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-ARG GO_VERSION=1.15
-FROM golang:${GO_VERSION}-alpine3.14 AS build
 
-ENV DISTRIBUTION_DIR /go/src/github.com/distribution/distribution
-ENV BUILDTAGS include_oss include_gcs
-
-ARG GOOS=linux
-ARG GOARCH=amd64
-ARG GOARM=6
-ARG VERSION
-ARG REVISION
-
-RUN set -ex \
-    && apk add --no-cache make git file
-
-WORKDIR $DISTRIBUTION_DIR
-
-# this commit includes some important fixes we need to apply:  https://github.com/distribution/distribution/issues/3097 and
-# in includes fix of https://github.com/distribution/distribution/issues/625
-# since no official release since 2019 o_O
-RUN git clone https://github.com/astronomer/distribution.git $DISTRIBUTION_DIR && git checkout 26bdf12d62492d8cb8e8ed98f490ce99f655f343
-
-RUN CGO_ENABLED=0 make PREFIX=/go clean binaries && file ./bin/registry | grep "statically linked"
+# https://hub.docker.com/_/registry/tags
+FROM registry:3.0.0 AS upstream
 
 FROM quay.io/astronomer/ap-base:3.21.3-2
 LABEL maintainer="Astronomer <[email protected]>"
@@ -43,7 +23,8 @@ ARG BUILD_NUMBER=-1
 LABEL io.astronomer.docker=true
 LABEL io.astronomer.docker.build.number=$BUILD_NUMBER
 
-ENV UPDATE_CA_CERTS false
+ENV UPDATE_CA_CERTS=false
+ENV OTEL_TRACES_EXPORTER=none
 
 # Create registry user and group
 RUN addgroup -g 1000 -S registry \
@@ -57,7 +38,7 @@ RUN chown -R 1000:1000 /etc/ssl/ \
     && chown -R 1000:0 /etc/ssl/certs \
     && chmod -R ug+rwx /etc/ssl/certs
 
-COPY --from=build --chown=1000:1000 /go/src/github.com/distribution/distribution/bin/registry /bin/registry
+COPY --from=upstream --chown=1000:1000 /bin/registry /bin/registry
 COPY --chown=1000:1000 ./config-example.yml /etc/docker/registry/config.yml
 
 VOLUME ["/var/lib/registry"]

registry/README.md

@@ -0,0 +1,7 @@
+## Docker Registry
+
+This is our build of the docker registry (github.com/docker/distribution)
+
+### Version
+
+This version mechanism was changed from following the ap-vendor version to following the upstream build version on 2025-04-09, shortly after registry 3.0.0 was released. This caused a backwards bump from 3.21 (the version of alpine that was used in ap-base) to 3.0.0 (the version of docker/distribution). Be aware of this if you are sorting versions of this component, because higher semver versions do not necessarily mean newer builds of the component. More details can be found here: <https://github.com/astronomer/ap-vendor/pull/943>

registry/trivyignore

@@ -1,49 +1,7 @@
-# Upstream registry service include several CVEs. We should try to remove these each time we update.
-CVE-2021-33194
-CVE-2021-38561
-CVE-2021-39293
-CVE-2021-41771
-CVE-2021-41772
-CVE-2021-44716
-CVE-2022-21698
-CVE-2022-23772
-CVE-2022-23806
-CVE-2022-24675
-CVE-2022-24921
-CVE-2022-27664
-CVE-2022-28131
-CVE-2022-28327
-CVE-2022-2879
-CVE-2022-2880
-CVE-2022-29804
-CVE-2022-30580
-CVE-2022-30630
-CVE-2022-30631
-CVE-2022-30632
-CVE-2022-30633
-CVE-2022-30634
-CVE-2022-30635
-CVE-2022-32149
-CVE-2022-32189
-CVE-2022-41715
-CVE-2022-41716
-CVE-2022-41720
-CVE-2022-41722
-CVE-2022-41723
-CVE-2022-41724
-CVE-2022-41725
-CVE-2023-24534
-CVE-2023-24536
-CVE-2023-24537
-CVE-2023-24538
-CVE-2023-24539
-CVE-2023-24540
-CVE-2023-29400
-CVE-2023-29403
 CVE-2023-39325
 CVE-2023-45283
-CVE-2023-45287
 CVE-2023-45288
+CVE-2024-12797
 CVE-2024-24790
 CVE-2024-34156
 CVE-2024-45337

registry/twistcliignore

@@ -1,42 +1,6 @@
-CVE-2021-44716
-CVE-2021-44717
-CVE-2022-1705
-CVE-2022-21698
-CVE-2022-23772
-CVE-2022-23806
-CVE-2022-24675
-CVE-2022-24921
-CVE-2022-27664
-CVE-2022-28131
-CVE-2022-28327
-CVE-2022-2880
-CVE-2022-29526
-CVE-2022-30629
-CVE-2022-30631
-CVE-2022-30632
-CVE-2022-30633
-CVE-2022-32148
-CVE-2022-32189
-CVE-2022-41715
-CVE-2022-41717
-CVE-2022-41723
-CVE-2022-41724
-CVE-2022-41725
-CVE-2023-24534
-CVE-2023-24536
-CVE-2023-24538
-CVE-2023-24539
-CVE-2023-24540
-CVE-2023-29400
-CVE-2023-29403
-CVE-2023-29406
-CVE-2023-29409
-CVE-2023-39318
-CVE-2023-39319
 CVE-2023-39325
 CVE-2023-39326
 CVE-2023-45284
-CVE-2023-45287
 CVE-2023-45288
 CVE-2024-51744
 CVE-2025-30204

registry/version.txt

@@ -1 +1 @@
-3.21.3-2
+3.0.0