Creating a secure docker registry

#!/bin/bash
#downloads and run docker registry allowing us to
#store images we build locally in a place accessible by
#HashiCorp tools such as Packer

#load in some common functions and sub-scripts
source $(pwd)/scripts/functions.sh > /dev/null 2>&1
source $(pwd)/functions.sh > /dev/null 2>&1

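function secureRegistryContains() {
  # Return 0 when the registry on https://localhost:5001 lists a repository
  # whose name contains $1, otherwise 1. An unreachable registry or rejected
  # credentials also give 1, because nothing is listed in that case.
  # Arguments: $1 - (part of) the repository name to look for; required.
  # Globals:   REGISTRY_USER / REGISTRY_PASSWORD - optional overrides for the
  #            testuser:testpassword account this script creates.
  # Exits the whole script with status 1 when $1 is missing (unchanged).
  if [[ -z "$1" ]]; then
    echo "must supply the image name in the first parameter.." >&2
    exit 1
  fi
  local user="${REGISTRY_USER:-testuser}"
  local pass="${REGISTRY_PASSWORD:-testpassword}"
  local catalog
  # Let curl build the Basic header itself. The previous hand-rolled version
  # stripped '=' padding from the base64 value (via a sed expression that also
  # expanded $*), which produces an undecodable Authorization header for any
  # credential string whose length is not a multiple of 3. The credentials are
  # passed as a config file on stdin (-K -) rather than on argv so they do not
  # show up in `ps`; a password containing '"' or '\' must be escaped for curl's
  # config syntax.
  catalog=$(printf 'user = "%s:%s"\n' "$user" "$pass" \
    | curl -s -K - --cacert "$(pwd)/resources/domain.crt" https://localhost:5001/v2/_catalog)
  # Substring match on the JSON catalog, as before, but as a fixed string so a
  # name with regex metacharacters cannot widen the match.
  if printf '%s\n' "$catalog" | grep -qF -- "$1"; then
    return 0
  fi
  return 1
}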

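function buildImage() {
  # Build the 'secureregistry' image from $(pwd)/docker/registry, after making
  # sure the htpasswd file and TLS certificate it needs exist under
  # $(pwd)/resources. Every path is relative to the current directory, not to
  # this script, so run it from the repository root.
  # Globals: REGISTRY_USER / REGISTRY_PASSWORD - optional overrides for the
  #          testuser:testpassword account written into htpasswd.
  # Exits 0 without building when the certificate is missing, after printing
  # the manual steps the user has to take first (unchanged behaviour).
  # Returns 1 when htpasswd generation or the resource copy fails.
  local res="$(pwd)/resources"
  local user="${REGISTRY_USER:-testuser}"
  local pass="${REGISTRY_PASSWORD:-testpassword}"

  #create htpasswd file if necessary
  if [[ ! -f "$res/htpasswd" ]]; then
    echo "generate htpasswd"
    # Write to a temp file and only move it into place on success: the old
    # `docker run ... > htpasswd` left an empty htpasswd behind when docker
    # failed, and every later run then skipped this step because the file
    # already existed.
    # NOTE(review): -b puts the password on the container's argv (visible via
    # `docker inspect` and ps); tolerable for a throwaway dev account only.
    # Newer registry:2 images may no longer ship htpasswd - TODO confirm for
    # the tag you pull.
    local tmp
    tmp=$(mktemp "$res/htpasswd.XXXXXX") || return 1
    if docker run --rm --entrypoint htpasswd registry:2 -Bbn "$user" "$pass" > "$tmp"; then
      chmod 600 "$tmp"
      mv "$tmp" "$res/htpasswd"
    else
      rm -f "$tmp"
      echo "failed to generate $res/htpasswd" >&2
      return 1
    fi
  fi
  #create certificates if necessary
  if [[ ! -f "$res/domain.crt" ]]; then
    # Certificate generation is deliberately left manual (the command below is
    # kept for reference). NOTE(review): Go-based clients such as docker
    # (Go >= 1.15) ignore the CN and require a subjectAltName, so add
    # -addext "subjectAltName=DNS:localhost" when generating - TODO confirm
    # with your openssl version.
    #openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 -keyout $(pwd)/resources/domain.key -out $(pwd)/resources/domain.crt -subj "/C=UK/ST=West Yorkshire/L=Leeds/O=EE/CN=localhost/emailAddress=foo@foo.com/"
    echo "no certificate found at $res/domain.crt - create domain.key/domain.crt there first (see the openssl command in this script)"
    echo "install $res/domain.crt as a trusted root certificate then re-run this script"
    echo "if you're using Windows WSL do this by right clicking the crt file. Then don't forget to run sudo update-ca-certificates in your bash window"
    echo "Once the cert is installed you must run docker login localhost:5001, entering testuser:testpassword. This will update ~/.docker/config.json allowing push to registry"
    echo "docker can be configured (in the ~/.docker/config.json file) to use a credentials store, but remove the 'credsStore' line from config and it will place base64-encoded (not encrypted) details directly into the config file"
    echo "you must also configure kubernetes by first copying the docker secret : kubectl create secret generic regcred --from-file=.dockerconfigjson=~/.docker/config.json --type=kubernetes.io/dockerconfigjson"
    echo "then you must use imagePullSecrets: - name: regcred in your kube config files to tell kubernetes to use secure registry"
    exit 0
  fi

  #build extended docker image with all certs etc in place
  #docker build can only COPY from its context, so the resources are copied
  #alongside the Dockerfile. NOTE: this bakes domain.key and htpasswd into the
  #image layers; keep the image local and never push it to a shared registry
  #(a bind mount of /certs and /auth at run time would avoid this).
  cp "$res"/domain* "$res/htpasswd" "$(pwd)/docker/registry/" || return 1
  #build the image and tag it as secureregistry (tag :latest implied)
  docker build -t secureregistry "$(pwd)/docker/registry/"
}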

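function runContainer() {
  # Start the 'secureregistry' image detached as container 'secureregistry',
  # publishing the registry's port 5000 as host port 5001 (5000 is left free
  # for a plain insecure registry). The registry reads the htpasswd file and
  # TLS key/cert that buildImage baked into the image at /auth and /certs.
  # Globals: REGISTRY_BIND_ADDR - host interface to publish on. Defaults to
  #          127.0.0.1 so a registry protected only by the testuser account is
  #          not reachable from the network; set to 0.0.0.0 to restore the
  #          previous all-interfaces binding.
  # Calls sleepProgress (from the sourced functions.sh) to wait for start-up.
  # Returns 1 when docker run fails.
  local bind="${REGISTRY_BIND_ADDR:-127.0.0.1}"
  echo "run up the registry as 'secureregistry' on localhost:5001"
  echo "5000 may be used by a local insecure registry"
  local -a registry_env=(
    -e "REGISTRY_STORAGE_DELETE_ENABLED=true"
    -e "REGISTRY_AUTH=htpasswd"
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"
    -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd"
    -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt"
    -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key"
  )
  if ! docker run -d -p "${bind}:5001:5000" --name secureregistry "${registry_env[@]}" secureregistry; then
    echo "failed to start the secureregistry container" >&2
    return 1
  fi
  sleepProgress 5 'Docker Registry'
}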


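# Entry point: build the image if needed (asking before a rebuild), start the
# container if it is not running, then seed the registry with a base image.
# isDockerImageExists / isDockerContainerRunning come from the sourced
# functions.sh.
if isDockerImageExists 'secureregistry'; then
  read -r -p "secureregistry image already built, rebuild? (y,n)" -n 1
  echo   # -n 1 leaves the cursor after the typed character
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    buildImage
  fi
else
  buildImage
fi

#is registry running?
if isDockerContainerRunning 'secureregistry'; then
  echo "secure registry already running"
else
  runContainer
fi

if ! secureRegistryContains 'myee-ubuntu-base'; then
  registry_user="${REGISTRY_USER:-testuser}"
  registry_password="${REGISTRY_PASSWORD:-testpassword}"
  #pull ubuntu base image
  #NOTE(review): 16.04 is past standard support; kept because downstream
  #Packer builds may reference this exact image - TODO revisit.
  docker pull ubuntu:16.04
  #login to our secure registry. --password-stdin keeps the password off the
  #command line (ps, shell history); docker itself warns about -p. The
  #credentials are still stored base64-encoded in ~/.docker/config.json unless
  #a credential store is configured.
  if ! printf '%s' "$registry_password" | docker login -u "$registry_user" --password-stdin localhost:5001; then
    echo "docker login to localhost:5001 failed" >&2
    exit 1
  fi
  #copy the secret to kube
  #cfgfile=~/.docker/config.json
  #kubectl create secret generic regcred --from-file=.dockerconfigjson=$cfgfile --type=kubernetes.io/dockerconfigjson
  #push the base ubuntu image into secure registry. Note 'latest' here is part
  #of the repository path (myee-ubuntu-base/latest), not a tag; the tag is the
  #implied :latest, and secureRegistryContains matches on the name prefix.
  docker tag ubuntu:16.04 localhost:5001/myee-ubuntu-base/latest
  docker push localhost:5001/myee-ubuntu-base/latest
  #check registry contents with curl (prompts for the password; --cacert
  #instead of --insecure so the check actually verifies the certificate) :
  #curl --cacert resources/domain.crt -u testuser -v -X GET https://localhost:5001/v2/_catalog
fi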

Dockerfile (placed in docker/registry/, the build context used by buildImage above)

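# Registry image with the TLS material and htpasswd database baked in.
# NOTE: the private key and password hashes end up in image layers, so this
# image is for local use only - never push it to a shared registry. Mounting
# /certs and /auth at run time would avoid that.
FROM registry:2 AS secureregistry
# util-linux was installed by the original recipe; its purpose is not recorded
# here - TODO confirm it is still needed. --no-cache avoids leaving the apk
# index in the layer.
RUN apk add --no-cache util-linux && mkdir /certs /auth
COPY htpasswd /auth/htpasswd
COPY domain.crt /certs/domain.crt
COPY domain.key /certs/domain.key
# registry:2 sets no USER, so the daemon runs as root and can read these
# without the previous world-writable (777) directories; keep the key and the
# password file private instead.
RUN chmod 700 /certs /auth && chmod 600 /certs/domain.key /auth/htpasswd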