RE8CH REGISTRY

Signed container delivery for Re8ch products and members.

A public product page for image.re8ch.com. Harbor remains the source of truth for OCI traffic, while this page explains membership, image signing, SBOMs, scanning, and tenant-safe release paths.

Built from the cloud-functions registry plan

Membership applications, project-per-member isolation, prebuilt image deployment, Cosign enforcement, scan events, SBOMs, and an independent ops webhook receiver.

The product page does not sit in the image path.

Docker, containerd, Cosign, Trivy, Kubernetes, and Harbor APIs keep using their normal endpoints. The Worker only answers the product microsite route.

image.re8ch.com -- Public product page
image.re8ch.com/assets/* -- Static site assets
registry.re8ch.com/v2/* -- Not handled by this Worker
registry.re8ch.com/service/* -- Harbor token service remains untouched

What the Registry product promises

Prebuilt releases

Images are built outside production nodes, pushed by immutable tag, signed by digest, then deployed.

Member isolation

Each approved member receives an isolated Harbor project, quota, retention policy, and audit trail.

Supply-chain signals

Cosign signatures, vulnerability scans, and SBOM availability are visible product-level signals.

Ops events

Registry events flow into a separate receiver before notifications, automation, or incident handling.

Registry Live Case

Anonymous public snapshot generated from private Harbor and registry operations. Names are HMAC-hashed before publishing.

Projects -- Anonymous project spaces
Repositories -- OCI repositories tracked
Artifacts -- Published image artifacts
Scan coverage -- Latest public security signal
Signature coverage -- Cosign or equivalent signing
SBOM coverage -- Materials visibility
Anonymous project Artifacts Quota Scan quality
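
The snapshot described above publishes HMAC-hashed names and coverage signals. The following is an added example, not Re8ch's own code, showing one way to build such a snapshot with keyed HMAC-SHA256 pseudonyms and a pre-publish leak check. The key, field names, pseudonym format and sample projects are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: the key stays on the private ops side and is never published.
SNAPSHOT_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample of private Harbor data; field names are hypothetical.
PRIVATE_PROJECTS = [
    {"name": "acme-payments", "artifacts": [
        {"scanned": True, "signed": True, "sbom": True},
        {"scanned": True, "signed": False, "sbom": False}]},
    {"name": "internal-ml", "artifacts": [
        {"scanned": False, "signed": True, "sbom": True}]},
]

def anonymize(name: str, key: bytes) -> str:
    """Keyed pseudonym: stable across snapshots, unguessable without the key."""
    mac = hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return "project-" + mac[:12]  # truncation length is an assumption

def coverage(artifacts: list, field: str) -> float:
    """Percentage of artifacts where the given signal is present."""
    if not artifacts:
        return 0.0
    return round(100.0 * sum(a[field] for a in artifacts) / len(artifacts), 1)

def public_snapshot(projects: list, key: bytes) -> dict:
    """Build the publishable view: pseudonyms and aggregates only."""
    all_artifacts = [a for p in projects for a in p["artifacts"]]
    return {
        "projects": len(projects),
        "artifacts": len(all_artifacts),
        "scan_coverage": coverage(all_artifacts, "scanned"),
        "signature_coverage": coverage(all_artifacts, "signed"),
        "sbom_coverage": coverage(all_artifacts, "sbom"),
        "rows": [{"project": anonymize(p["name"], key),
                  "artifacts": len(p["artifacts"])} for p in projects],
    }

def leaks_private_names(snapshot: dict, projects: list) -> bool:
    """Pre-publish check: no raw name or unkeyed SHA-256 of a name may appear."""
    blob = repr(snapshot)
    return any(p["name"] in blob
               or hashlib.sha256(p["name"].encode()).hexdigest()[:12] in blob
               for p in projects)

if __name__ == "__main__":
    snap = public_snapshot(PRIVATE_PROJECTS, SNAPSHOT_KEY)
    print(snap, "leaks:", leaks_private_names(snap, PRIVATE_PROJECTS))
```

The key is what makes the pseudonym safe to publish: an unkeyed hash of a short, guessable namespace can be matched by hashing candidate names, which is why the leak check also rejects plain SHA-256 prefixes.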

Membership onboarding

1. Submit email, namespace, use case, public/private preference, and storage estimate.
2. Ops reviews the request and creates a Harbor project with default security metadata.
3. The member receives documented pull access first; push access is granted when the release contract is clear.
4. Runtime tenants can later be upgraded into the full SaaS infrastructure bundle.

Guardrails for registry.re8ch.com

1. Do not proxy Docker layer blobs through the product page.
2. Do not expose private project names, robot credentials, or cluster node names.
3. Do not mix public registry members with SaaS runtime namespaces by default.
4. Do keep Harbor as the source of truth for OCI operations.

OCI path stays boring

The happy path remains the standard container workflow:

docker login registry.re8ch.com
docker pull registry.re8ch.com/functions-shared/alpine:3.23.4
cosign verify --key cosign.pub registry.re8ch.com/<project>/<repo>@sha256:<digest>