feat: allow namespace override per image (#4725)

[ffabss]

What kind of change does this PR introduce?

Feature

What is the current behavior?

There is currently no support for overriding the namespace used when resolving container image references.
This makes it impossible to pull certain images (e.g. kong) via the GitLab CI Dependency Proxy, which only supports images from docker.io.

Related issue: #4725

What is the new behavior?

This PR introduces support for per-image namespace configuration via environment variables such as SUPABASE_INTERNAL_IMAGE_NAMESPACE_KONG=library.

With this change, users can explicitly control the resolved image namespace, enabling images like kong to be pulled through the GitLab CI Dependency Proxy.

Additional context

The image resolution logic was updated to apply the configured namespace when constructing the full image reference, and tests were added to cover the new behavior.

[sweatybridge]

The env var you are looking for is SUPABASE_INTERNAL_IMAGE_REGISTRY=docker.io

append this before supabase start and it will pull images from dockerhub

[ffabss]

The issue is not that I can’t set the registry.

The issue is that the method I changed explicitly checks for docker.io and then adjusts the Docker image namespace differently.

This behavior is inherently necessary because Supabase does not re-publish all images under the supabase/* namespace (for example: kong is not published as supabase/kong).

For the Kong image on docker.io, there is no image under the namespace supabase/kong.
On docker.io, the correct namespace would be either:

• library/kong, or
• kong

So if someone is using a custom pull-through cache (still using docker.io) or the GitLab Dependency Proxy, the method GetRegistryImageUrl currently returns a URL for an image that does not exist.

What my changes add

My changes introduce the possibility to override the namespace per image, so users can configure the correct namespace for cases like GitLab Dependency Proxy.

For example, Kong can be fixed by setting:

SUPABASE_INTERNAL_IMAGE_NAMESPACE_KONG=library

Example

The method GetRegistryImageUrl receives the input:

library/kong:2.8.1

• If SUPABASE_INTERNAL_IMAGE_REGISTRY is set to docker.io, the method returns:

docker.io/library/kong:2.8.1

• For any other value of SUPABASE_INTERNAL_IMAGE_REGISTRY, the method returns basically:

$SUPABASE_INTERNAL_IMAGE_REGISTRY/supabase/kong:2.8.1

With the new namespace override, users can ensure the method returns valid image URLs even when images are not available under supabase/*.

[coveralls]

Pull Request Test Coverage Report for Build 21512622686

Details

• 25 of 26 (96.15%) changed or added relevant lines in 1 file are covered.
• 8 unchanged lines in 3 files lost coverage.
• Overall coverage increased (+0.03%) to 55.514%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
internal/utils/docker.go	25	26	96.15%

Files with Coverage Reduction	New Missed Lines	%
internal/utils/docker.go	1	77.33%
internal/storage/rm/rm.go	2	80.61%
internal/gen/keys/keys.go	5	12.9%

Totals
Change from base Build 21508511524:	0.03%
Covered Lines:	7128
Relevant Lines:	12840

---

💛 - Coveralls

[sweatybridge]

This behavior is inherently necessary because Supabase does not re-publish all images under the supabase/* namespace (for example: kong is not published as supabase/kong).

Could you let me know which registry are you using? We have kong published under supabase namespace for GHCR and ECR. These are the only ones we support officially right now.

We are only making an exception for docker.io because we don't control some of the namespaces there.