Configure a private docker registry

You can set up a private docker registry using JFrog's Artifactory. A private docker registry allows you to use your own infrastructure to perform your own security scans and audit docker images consumed by Edge. It also reduces the risk of a compromised Collibra registry running compromised code on your network.

Your private docker registry, or the location where you pull your images from, must be behind a secure firewall that is not accessible via the internet. Otherwise, unintended users may gain access to proprietary information, which will trigger a security incident within your organization and Collibra.

Note 

  • Other forms of security scanning, such as penetration tests, can be performed either independently or as a part of the security flow that includes a private docker registry.

  • Security scan reports are only be accepted for supported Edge site versions. This is because security fixes are not applied to old, out-dated versions of Edge. For example, from November 19 2023 to February 24, 2024, security scans are only accepted for Edge site version 2023.11 and subsequent weekly updates (2023.11.x). For information on which Edge versions are supported with the latest release, go to the Compatibility between Edge sites and Collibra Data Intelligence Cloud.

Before you begin

  • Switching to a private docker registry is only possible during installation.

Requirements and permissions

  • You must have admin access to JFrog Artifactory.
  • You have the Edge site administrator global role.
  • The registry user should have read/pull permissions for the docker registry. This should be validated manually prior to installing Edge.

We use JFrog's Artifactory, which is a repository manager that allows for dynamic mirroring of docker registries, to manage our repository. If your company has their own JFrog Artifactory, you can configure it to automatically mirror images from Collibra's Artifactory.

This method is easy to set up and supports both manual and automatic upgrade modes. However, it has limited options for security scanning.

Steps

  1. Mirror Collibra's registry.
    Note When configuring a private Artifactory docker registry, the registry must follow the "subdomain first" method for pulling images.
    • Correct example: <repository-key>.artifactory.my.org
    • Incorrect example: artifactory.my.org/<repository-key>

    1. From the Administration pane in JFrog, in the Repositories menu, click Repositories.
    2. Click the Remote tab.
    3. Click New Remote Repository.
    4. In the Select Package Type section, select Docker .
    5. Name the registry using the repository key of your choice.
    6. Set the URL to: edge-docker-delivery.repository.collibra.io
    7. Enable remote authentication.

      Note The username and password can be found in the unzipped installer file registries.yaml.

    8. Click Save and finish.

  2. Install the new or reinstall the existing Edge site using the full private registry URL.  This full private registry URL is the private Artifactory hostname and repository key from sub-step 5, in the previous step.

    Note We recommend you download or redownload a new installer before performing this step.

    1. Create a new Edge site.
    2. Select the Edge site upgrade mode.
    3. Select the latest version of Edge.
    4. Download the installer.

    1. Upgrade to the latest Edge site version.
    2. Create a backup, and reinstall your Edge site.

    1. The installer supports the following installation parameters:
      • --registry-url, example: https://edge-docker-delivery.repository.collibra.io
      • --registry-host, this is optional and is automatically derived from --registry-url, i.e., edge-docker-delivery.my-registry.docker.io
      • --registry-pass, not required if registry is public.
      • --registry-user, not required if registry is public.
  3. Add the following setup parameters to install Edge with support for a private docker registry:
    • For Bare metal installations: 
      ./install-master.sh (...usual parameters...) --registry-url https://private-docker.registry.com --registry-user user --registry-pass pass
    • For EKS installations: 
      ./edgecli install --registry-url https://private-docker.registry.com --registry-user user --registry-pass pass