RE8CH REGISTRY

Re8ch Registry

面向 Re8ch 產品與成員的簽名容器分發。

這是 image.re8ch.com 的獨立產品頁。Harbor 繼續作為 OCI 流量事實源，本頁說明會員申請、映像簽名、SBOM、掃描與租戶安全發布路徑。

基於 cloud-functions 的 registry 方案 Membership applications, project-per-member isolation, prebuilt image deployment, Cosign enforcement, scan events, SBOMs, and an independent ops webhook receiver.

The product page does not sit in the image path.

Docker, containerd, Cosign, Trivy, Kubernetes, and Harbor APIs keep using their normal endpoints. The Worker only answers the product microsite route.

image.re8ch.comPublic product page

image.re8ch.com/assets/*Static site assets

registry.re8ch.com/v2/*Not handled by this Worker

registry.re8ch.com/service/*Harbor token service remains untouched

What the Registry product promises

▣

Prebuilt releases

Images are built outside production nodes, pushed by immutable tag, signed by digest, then deployed.

◈

Member isolation

Each approved member receives an isolated Harbor project, quota, retention policy, and audit trail.

◉

Supply-chain signals

Cosign signatures, vulnerability scans, and SBOM availability are visible product-level signals.

◎

Ops events

Registry events flow into a separate receiver before notifications, automation, or incident handling.

Registry Live Case

Anonymous public snapshot generated from private Harbor and registry operations. Names are HMAC-hashed before publishing.

Projects--Anonymous project spaces

Repositories--OCI repositories tracked

Artifacts--Published image artifacts

Quota used--Aggregate storage pressure

Scan coverage--Latest public security signal

Signature coverage--Cosign or equivalent signing

SBOM coverage--Materials visibility

Fresh artifacts--Recently refreshed images

Pulls 24h--Anonymous registry demand

Pushes 24h--Release activity

Critical findings--Public aggregate only

Supply grade--Scan + sign + SBOM

Release activityLoading snapshot...

Severity distributioncritical / high / medium / low

Supply-chain trendscan / sign / SBOM

Project storageanonymous project ratios

Semantic groupsproduct roles

Anonymous projectRoleArtifactsQuotaHealth

Loading latest public snapshot...

Anonymous repoRoleArtifactsPulls 24hRiskSBOM

Membership onboarding

1Submit email, namespace, use case, public/private preference, and storage estimate.

2Ops reviews the request and creates a Harbor project with default security metadata.

3The member receives documented pull access first; push access is granted when the release contract is clear.

4Runtime tenants can later be upgraded into the full SaaS infrastructure bundle.

Guardrails for registry.re8ch.com

1Do not proxy Docker layer blobs through the product page.

2Do not expose private project names, robot credentials, or cluster node names.

3Do not mix public registry members with SaaS runtime namespaces by default.

4Do keep Harbor as the source of truth for OCI operations.

OCI path stays boring

The happy path remains the standard container workflow:

docker login registry.re8ch.com
docker pull registry.re8ch.com/functions-shared/alpine:3.23.4
cosign verify --key cosign.pub registry.re8ch.com/<project>/<repo>@sha256:<digest>