I've been running Honeybadger, a web application monitoring service, for over a decade. Recently we've gotten to the point that we can offer a self-hosted option to our customers by having our application containerized and deployed by Terraform. One snag we hit, though, was how we were going to make our Docker containers (hosted in AWS ECR) available to our customers to pull.
I didn't want to give customers IAM accounts to access our ECR, and of course I didn't want to publish public images. What I needed was a private Docker registry with authentication tied to paid contracts so that I could easily grant pull access to customers without the hassle of manually managing and distributing authentication credentials.
The problem is harder than it looks
At first I thought I'd just deploy Harbor, the open-source container registry. But the more I dug in, the more I realized the hard part isn't running a registry. The hard part is everything around it: managing which customers can pull which images, controlling access at the tag level so a customer who paid just for v2 doesn't also get v3, and tracking who's pulling what.
None of the existing tools solved this well. Harbor gives you a registry, but not a licensing layer. ECR and other managed registries are designed for your own deployments and internal use, not for distributing software to external customers. Docker Hub has organizations and teams, but nothing resembling license-aware access control. Other options had tons of features I didn't need, and not the ones I did. I had customers, and I had containers, but I didn't have the thing to easily connect those two.
So I built the thing in between
Breakwater is the layer that connects your container registry to your customers' licenses. You push images to the registry, create products and licenses in the dashboard (or via API), and your customers use standard docker pull with credentials tied to their license. The whole thing works with the Docker CLI your customers already know. No special tooling or proprietary clients are required.
Under the hood, an authenticating proxy sits in front of the registry and enforces license rules on every pull. It checks that the customer's token is valid, that they have an active license for the product they're requesting, and that the tag they're pulling matches what their license allows. Vendors use Docker to make their images available for licensing, using vendor tokens to push to the registry.
Tag-level access control turned out to be one of the features I find most interesting. Licenses can specify tag patterns: wildcards like v1.*, semver ranges like >=1.0,<2.0, or exact tags. This allows you to sell access to a major version and have the customer automatically get patches without giving them the next major release for free.
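To make the per-pull check and the three tag pattern kinds concrete, here is an added example of the same logic in Python. It is not Breakwater's code; the `License` record, the token strings, the product names and the `authorize_pull` function are all constructed for the illustration, and the semver handling is a deliberately small version-tuple comparison rather than a full semver library.

```python
"""Worked example of the pull-authorization check described above: a license
maps a customer token to a product, an expiry, and a tag pattern (exact tag,
wildcard, or semver range), and every pull is checked against it. Added
illustration, not Breakwater's own code; all names and records are constructed."""
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
import re

# Comparison operators understood in a semver-range clause such as ">=1.0,<2.0"
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}
_CLAUSE = re.compile(r"^(>=|<=|>|<|==)\s*v?(\d+(?:\.\d+)*)$")


def parse_version(tag: str):
    """Turn 'v1.4.2' into (1, 4, 2); return None for tags that are not versions."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", tag)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (1, 0) compares equal to (1, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def tag_matches(pattern: str, tag: str) -> bool:
    """Three pattern kinds: semver range, shell-style wildcard, or exact tag."""
    clauses = [c.strip() for c in pattern.split(",")]
    if all(_CLAUSE.match(c) for c in clauses):
        version = parse_version(tag)
        if version is None:
            return False  # 'latest' or a digest-style tag never satisfies a numeric range
        for c in clauses:
            op, bound = _CLAUSE.match(c).groups()
            v, b = _pad(version, tuple(int(p) for p in bound.split(".")))
            if not _OPS[op](v, b):
                return False
        return True
    if any(ch in pattern for ch in "*?["):
        return fnmatchcase(tag, pattern)
    return pattern == tag


@dataclass(frozen=True)
class License:
    token: str        # credential the customer uses as the docker login password
    product: str      # repository name the license covers
    tag_pattern: str  # exact tag, wildcard, or semver range
    expires: date


def authorize_pull(licenses, token, product, tag, today):
    """Return (allowed, reason) for one pull: valid token, then an unexpired
    license for the product, then a tag the license's pattern permits."""
    mine = [lic for lic in licenses if lic.token == token]
    if not mine:
        return False, "unknown token"
    reason = "no license for product"
    for lic in mine:
        if lic.product != product:
            continue
        if lic.expires < today:
            reason = "license expired"
        elif not tag_matches(lic.tag_pattern, tag):
            reason = "tag not covered by license"
        else:
            return True, "ok"
    return False, reason


# Constructed sample data: two customers, three license shapes, one lapsed license.
LICENSES = [
    License("tok-acme", "honeybadger", ">=1.0,<2.0", date(2030, 1, 1)),
    License("tok-globex", "honeybadger", "v2.*", date(2030, 1, 1)),
    License("tok-globex", "agent", "3.1.0", date(2020, 1, 1)),
]
DEMO_DAY = date(2025, 6, 1)  # the "now" used when checking expiry in the demo

if __name__ == "__main__":
    for tok, prod, tag in [("tok-acme", "honeybadger", "v1.9.3"),
                           ("tok-acme", "honeybadger", "v2.0.0"),
                           ("tok-globex", "honeybadger", "v2.3.1"),
                           ("tok-globex", "agent", "3.1.0"),
                           ("tok-nobody", "honeybadger", "latest")]:
        print(tok, prod, tag, authorize_pull(LICENSES, tok, prod, tag, DEMO_DAY))
```

The order of checks matters for what a customer learns from a denial: an unknown token is rejected before any product or tag is consulted, so the proxy never confirms whether a product exists to an unauthenticated caller. Note also that a range such as `>=1.0,<2.0` rejects non-numeric tags like `latest` outright, which is the behaviour you want when the point of the license is to stop a v1 customer from quietly pulling whatever `latest` happens to point at.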
Who this is for
If you're a software vendor and any of this sounds familiar, Breakwater was built for you:
- You ship software as Docker containers and need to control who can pull them
- You want customers to use `docker pull` with their own credentials, not share your registry access
- You need to enforce license terms at the image level, specifying which customers get which products, which versions, and for how long
- You'd rather not build and maintain all of this infrastructure yourself
Breakwater provides the registry, the authentication, the license enforcement, usage tracking, and billing so you can focus on your actual product. And of course Breakwater is offered in both SaaS and self-hosted options.
If you're curious, sign up for a free trial or check out the docs to see how it works.