Unable to Display Private Registry Content with Traefik and Keycloak (docker-v2) #341

Closed
Ereaey opened this issue Oct 18, 2023 · 2 comments

Ereaey commented Oct 18, 2023

Hi, I use this docker registry UI and I have an issue.

Bug description

I am encountering an issue while trying to display the content of my private Docker registry using the Docker Registry UI (version 2.5.5). I have set up Traefik, Keycloak (docker-v2), and a private Docker registry, but I am unable to view the contents of my registry through the UI. Although there are no visible errors displayed, I do see a 401 error related to the catalog in the console.

How to Reproduce

My private docker registry configuration

version: '3'

services:
  registry:
    image: registry:2.7
    container_name: registry_ui_back
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.registry.rule=Host(`registry.example.com`)"
      - "traefik.http.routers.registry.entrypoints=web-secure"
      - "traefik.http.services.registry.loadbalancer.server.port=5000"
      - "traefik.docker.network=traefik-net"
    volumes:
      - ./config/registry.yml:/etc/docker/registry/config.yml
      - ./certs:/opt/certs
    networks:
      - traefik-net
      - registry-net

networks:
  traefik-net:
    external: true
  registry-net:
    external: true

version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  token:
    realm: https://keycloak.example.com/realms/example/protocol/docker-v2/auth
    service: registry
    issuer: https://keycloak.example.com/realms/example
    rootcertbundle: /opt/certs/registry_trust_chain.pem
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['https://registry-ui.example.com']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']
    Access-Control-Max-Age: [1728000]
    Access-Control-Allow-Credentials: [true]
    Access-Control-Expose-Headers: ['Docker-Content-Digest']

My docker-ui configuration

version: '3'

services:
  registry-ui:
    image: joxit/docker-registry-ui:2.5.5
    container_name: registry_ui
    environment:
      - REGISTRY_URL=https://registry.example.com
      - DELETE_IMAGES=true
      - REGISTRY_SECURED=true
      - SINGLE_REGISTRY=true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.registry-ui.rule=Host(`registry-ui.example.com`)"
      - "traefik.http.routers.registry-ui.entrypoints=web-secure"
      - "traefik.http.routers.registry-ui.tls=true"
      - "traefik.http.routers.registry-ui.middlewares=keycloak@file"
      - "traefik.http.services.registry-ui.loadbalancer.server.port=80"
      - "traefik.docker.network=traefik-net"
    networks:
      - traefik-net
      - registry-net

networks:
  traefik-net:
    external: true
  registry-net:
    external: true

Expected behavior

See my images

Additional context

I can successfully push to my registry using docker login and docker push. I have also implemented a middleware for forward authentication:

[http.middlewares.keycloak.forwardAuth]
address = "http://traefik-forward-auth:4181"
trustForwardHeader = true
authResponseHeaders = "X-Forwarded-User"

Despite these configurations, I'm still unable to view the content of my registry through the Docker Registry UI. Any assistance or guidance on resolving this issue would be greatly appreciated. Thank you!

Joxit (Owner) commented Oct 18, 2023

Hi, thank you for using my project and submitting issues 😄

Hum, are the 401 errors on OPTIONS requests? If so, it's part of the FAQ.

The official docker registry server did not correctly implement the preflight specification... To fix this, you have to return 200/204 on every OPTIONS request and 401 on other unauthenticated requests, with the WWW-Authenticate header.

Since you're using traefik, I cannot help you more; try to reproduce this example / NGINX configuration:
Joxit/docker-registry-ui/examples/token-auth-keycloak/conf/proxy/nginx.conf
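
The rule stated in the comment above (200/204 on every OPTIONS request, 401 with WWW-Authenticate on other unauthenticated requests) can be checked mechanically against captured responses. This is an added example, not part of the thread or of the docker-registry-ui code: the function names and sample responses are constructed, and the origin, realm and service values are the ones from the configuration in the issue.

```javascript
// Added example; sample responses below are constructed, not captured traffic.
const UI_ORIGIN = 'https://registry-ui.example.com'; // Access-Control-Allow-Origin in the issue

// Lower-case header names so lookups are case-insensitive.
const lower = (h) => Object.fromEntries(
  Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));

// Parse `Bearer realm="...",service="...",scope="..."` into an object, or null.
function parseBearerChallenge(value) {
  const m = /^\s*Bearer\s+(.*)$/i.exec(value || '');
  if (!m) return null;
  const params = {};
  for (const [, k, v] of m[1].matchAll(/([a-z_]+)="([^"]*)"/gi)) params[k.toLowerCase()] = v;
  return params;
}

// preflight: response to OPTIONS /v2/_catalog; unauth: response to GET without a token.
// Each is { status, headers }. Returns a list of findings (empty means the rule holds).
function checkRegistryCors(preflight, unauth, origin = UI_ORIGIN) {
  const findings = [];
  const p = lower(preflight.headers), u = lower(unauth.headers);
  if (![200, 204].includes(preflight.status))
    findings.push(`OPTIONS returned ${preflight.status}, expected 200/204`);
  if (p['access-control-allow-origin'] !== origin)
    findings.push('preflight lacks Access-Control-Allow-Origin for the UI origin');
  const allowed = (p['access-control-allow-headers'] || '').toLowerCase().split(/\s*,\s*/);
  if (!allowed.includes('authorization'))
    findings.push('preflight does not allow the Authorization header');
  if (unauth.status !== 401)
    findings.push(`unauthenticated GET returned ${unauth.status}, expected 401`);
  const challenge = parseBearerChallenge(u['www-authenticate']);
  if (!challenge || !challenge.realm || !challenge.service)
    findings.push('401 lacks a WWW-Authenticate Bearer challenge with realm and service');
  return findings;
}

// Constructed samples: the registry answering OPTIONS with its auth challenge,
// and a proxy answering OPTIONS itself with the CORS headers.
const CHALLENGE = 'Bearer realm="https://keycloak.example.com/realms/example/protocol/docker-v2/auth",' +
  'service="registry",scope="registry:catalog:*"';
const get401 = { status: 401, headers: { 'WWW-Authenticate': CHALLENGE } };
const brokenPreflight = { status: 401, headers: { 'WWW-Authenticate': CHALLENGE } };
const fixedPreflight = { status: 204, headers: {
  'Access-Control-Allow-Origin': UI_ORIGIN,
  'Access-Control-Allow-Headers': 'Authorization, Accept, Cache-Control' } };

console.log(checkRegistryCors(brokenPreflight, get401)); // three findings
console.log(checkRegistryCors(fixedPreflight, get401));  // no findings
```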

Ereaey (Author) commented Oct 24, 2023

Thank you for your answer!
I think I'll leave it aside for now.
The configuration for traefik does not seem suitable for correcting the problem :/

I have an error directly on this request but no display errors however.
I think it's still good to fix an error.
GET https://registry.longfish42.com/v2/_catalog?n=1000 401 (Unauthorized)

Ereaey closed this as completed Nov 24, 2023