e2e: add private registry pull/push regression test

[lohitkolluri]

This adds an e2e regression test for authenticated pull/push against a private registry, covering the auth regression reported in #5963.

---

What's included

• New privateregistry service in the e2e Compose stack that runs a Docker registry with htpasswd authentication on port 5001, and a --insecure-registry flag for it in the engine container.

• TestPullPushPrivateRepository test that:

  • Tags the test alpine image for the private registry
  • Verifies that an unauthenticated push is rejected (no auth credentials configured)
  • Verifies that an authenticated push succeeds
  • Removes the local image, then verifies that an unauthenticated pull is rejected
  • Verifies that an authenticated pull succeeds

• Auth config entries for privateregistry:5001 in the e2e fixture config, with test credentials stored in a new e2e/testdata/registry/auth/htpasswd file.

• 90-second retry loop in the test that re-runs docker commands when the registry or DNS is not yet ready (covers the container startup race in CI). Transient errors are detected by matching known DNS/network failure strings; all other failures are returned immediately.

• Service health wait loop in scripts/test/e2e/run that polls docker compose ps for all three services (registry, privateregistry, engine) before connecting the test runner to the Compose network. If any service fails to start within 120 seconds, it prints service logs and exits with a clear error instead of letting tests hang on DNS timeouts.

---

About the earlier attempt (#6940)

The earlier version of this test failed in CI because the htpasswd volume mount in compose-env.yaml used a path resolved relative to the project root (./e2e/testdata/registry/auth), but Compose resolves volume paths relative to the compose file's directory (e2e/). The auth file never mounted, the registry started without authentication, and every registry operation either succeeded unauthenticated (giving false negatives) or timed out with a DNS error when the registry failed to start entirely. This version uses ./testdata/registry/auth so the mount resolves correctly.

---

Closes #5965.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
e2e/internal/fixtures/fixtures.go	0.00%	6 Missing ⚠️

📢 Thoughts on this report? Let us know!

[lohitkolluri]

@vvoland @thaJeztah Codecov is reporting 0% patch coverage for e2e/internal/fixtures because the unit-test coverage job does not include the e2e/ tree. The added lines are exercised by TestPullPushPrivateRepository in the e2e suite, and the related e2e jobs are passing.

Is this acceptable as-is, or would you prefer additional coverage changes here?

[lohitkolluri]

I pushed two more commits to address the CI failures:

• Connhelper-ssh variant: The connhelper-ssh Dockerfile was missing the CA certificate trust setup that the main Dockerfile already had — all 8 tests (connhelper-ssh) jobs failed with x509: certificate signed by unknown authority on the TLS registry test. Fixed by adding COPY registry/certs/ca.crt and RUN update-ca-certificates to Dockerfile.connhelper-ssh.

• Cert generation guard: The cert existence check in scripts/test/e2e/run only verified ca.crt, so if any of the other three generated files was missing, gen-certs.sh wouldn't re-run. Changed it to loop through all four files before deciding to generate.

[lohitkolluri]

Should i squash all commits into one?

[vvoland]

Yes

[vvoland]

/review

[lohitkolluri]

Once the CI run finishes, I'll squash the commits and push the changes.

[docker-agent]

⏱️ PR Review Timed Out — The review agent hit the 1800 s time limit before completing. This usually happens on large or complex diffs. You can re-trigger with /review — if it times out again, consider splitting the PR into smaller pieces.

[lohitkolluri]

I did a quick RCA on both failures.

For [e2e / tests (connhelper-ssh, debian, 25)], I believe the failure is related to TestProcessTermination using a 10s timeout. The test sends a TERM signal and expects the container to exit within that window, but on the Debian + Engine 25 combination the attach stream appears to close more slowly than on Alpine/Engine 27. Increasing the WaitOnCmd timeout in e2e/container/run_test.go from 10s to 20s consistently addresses the failure in my testing.

For [test / ctn (test-coverage)], my understanding is that this is unrelated to the changes in this PR. The coverage job excludes the e2e package (grep -vE '/e2e/'), so an e2e-only change should not affect it. It looks like a pre-existing unit test issue that would need to be fixed independently.

Could you take a quick look and let me know if my assessment seems reasonable? If you think the coverage failure is worth investigating, I'm happy to dig into it and open a separate PR if needed.