How I Deployed and Configured a Private NPM Registry for a Micro Services Project
If you are building micro services, you will want to share common utility code between them. Copy-pasting is not a solution; instead, you can create private npm packages and use them in your services. As you know, theoretical micro services concepts are not quite possible to implement and often come with unnecessary overhead. I create isolated utility libraries as npm packages and make them available across micro services. Let’s see how I create them and configure the npmrc/yarnrc files to use private packages through a private registry together with public packages.
I am going to use Verdaccio for the private registry server. Note that this article is NOT about how to use Verdaccio; it shares the configurations which work well across my development team and all the services in the project.
Table of Contents
- Setup Config file
- Generate Credentials
- Setup package to use private registry
- Setup Project to use private package
- Disable new user registration
- Easy, Read only package sharing across the development team
- Integration with CI/CD pipelines
- Developers in the team can make PR for changes in the packages
- Single Admin access to the registry server (can be multiple users as needed)
We will install the Verdaccio server on a VM, configure it, and later modify the configuration for security. You can set up the registry server on an EC2 instance or a free Azure App Service Plan. I tried modifying the Verdaccio source to run on AWS Lambda, but it looks impossible because of the Lambda limitations; I will leave this topic for maybe another article. Let me know in the comments below if you are able to deploy Verdaccio to Lambda.
This works on any server you can reach over SSH. Let’s install the server first.
After the installation, create a directory where you want to store the registry config, models and db files which are generated by Verdaccio.
Create a config.yml file in this folder with the config below. This config file contains the details of the auth plugin, the group of users which will be able to access the server, and the read or write permissions to the packages. More on Verdaccio config.
Paste the content below into the file. Verdaccio also treats registered usernames as group names. This config file provides read and write access to the group/username admin and read permission to the user dev. We will generate credentials for these users in the next steps.
We can now start the server to generate the credentials. Follow the steps below to create credentials for the admin and dev users.
Verdaccio server can be started using the command line option to use the config file we just created.
The server should now be available on port 80 of the server IP. You can visit the server IP and see the Verdaccio application with 0 packages available.
Run the command below from a new terminal session to register a new user and generate the credentials.
Enter the username as admin when prompted and enter a password. The user will be generated on the server and the credentials will be available in the .npmrc file in the home directory. We will copy this credential and keep it safe for the admin user.
Run this command to print the content of the .npmrc file.
The content of the file will look like the one below. Copy the authToken value, which is prefixed with the corresponding SERVER_HOST of the Verdaccio server. Keep this token safe; we will use it later for pushing npm packages to the server.
Run the command below from a new terminal session to register another user.
Enter the username as Dev when prompted and enter the password. The previous token will be replaced with a new token. Follow the same steps as above to get the auth token for the username Dev and keep it safe for later use.
We will use the admin auth token to push the packages to the Verdaccio server we just set up. Note that only the admin user can push packages as per our configuration. Keep the admin auth token handy for the next steps.
Create a .npmrc file at the root of the package which needs to be pushed to the server. Paste the line below into the file.
The package.json file should be updated so that the package name follows the private package naming convention (scoped naming), e.g. @company/package-name. Now run the command below to publish the package to the private registry we just created. The .npmrc file should not be committed to source control, to avoid sharing the token with other team members: this token can be used to overwrite packages and to publish new packages to the server.
We now need to add a .npmrc or .yarnrc file to the root of the project. We will use the Dev user token in this file to provide read access to the packages for installation. This file can be committed to the source as it only provides read access. It is just like sharing the source code with the team members, hence nothing to worry about in sharing the Dev token.
Add the content below to the .npmrc file so that the project can install the scoped packages.
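The scoped-registry layout this step relies on, as an added example that is not the author's file: the script writes a constructed .npmrc and checks that the scope is pinned to a registry, that the token entry is keyed to the same host, and whether the registry URL uses https. The `@company` scope, the token placeholder and the function names are assumptions; `SERVER_HOST` stands for the Verdaccio host.

```sh
#!/bin/sh
# Added example: audit a project's .npmrc for the scoped-registry setup.
# Scope, host and token are constructed placeholders, not real values.

# Writes a constructed sample .npmrc to the path given in $1.
write_sample_npmrc() {
  cat > "$1" <<'EOF'
@company:registry=http://SERVER_HOST/
//SERVER_HOST/:_authToken=DEV_READ_ONLY_TOKEN_PLACEHOLDER
EOF
}

# audit_npmrc FILE SCOPE: prints findings, returns the number of findings.
audit_npmrc() {
  npmrc=$1; scope=$2; bad=0
  # 1. The scope must be pinned to a registry; otherwise npm resolves
  #    @scope/* names against the default (public) registry.
  url=$(sed -n "s|^${scope}:registry=||p" "$npmrc" | head -n 1)
  if [ -z "$url" ]; then
    echo "FAIL: no registry pinned for $scope"
    return 1
  fi
  # 2. The token is sent to this URL; plain http exposes it on the wire.
  case $url in
    https://*) ;;
    *) echo "WARN: $url is not https"; bad=$((bad + 1)) ;;
  esac
  # 3. The token line must be keyed by the registry's host and path,
  #    or npm sends no credentials to that registry.
  key="//${url#*://}"
  key=${key%/}/
  if ! grep -Fq "${key}:_authToken=" "$npmrc"; then
    echo "FAIL: no _authToken entry for $key"
    bad=$((bad + 1))
  fi
  return "$bad"
}

# Demo on the constructed sample (port 80, so the http warning fires).
demo=$(mktemp); write_sample_npmrc "$demo"
audit_npmrc "$demo" @company || echo "findings: $?"
rm -f "$demo"
```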
Our setup is now complete, and we can disable new user registration on the Verdaccio server to restrict others from using the server. Update the htpasswd section to disable new user registration as below.
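The permissions described for config.yml and the registration lock-down from this step can be checked together. The script below is an added example, not the author's config: it writes a constructed config.yml with admin as the only publisher, dev as read-only and `max_users: -1`, then audits it with a simple line-based check. The file layout and function names are assumptions.

```sh
#!/bin/sh
# Added example: audit a Verdaccio config.yml for the two settings this
# setup depends on. The sample config is constructed for illustration.

# Writes a constructed sample config to the path given in $1.
write_sample_config() {
  cat > "$1" <<'EOF'
storage: ./storage
auth:
  htpasswd:
    file: ./htpasswd
    max_users: -1        # -1 closes self-registration (npm adduser)
packages:
  '@*/*':                # no proxy: never looked up on a public uplink
    access: admin dev    # both users may install
    publish: admin       # only admin may publish
    unpublish: admin
  '**':
    access: admin dev
    publish: admin
EOF
}

# Prints one finding per line; returns the number of findings (0 = OK).
audit_verdaccio_config() {
  cfg=$1; findings=0
  # Registration is closed only when max_users is exactly -1.
  if ! grep -Eq '^[[:space:]]*max_users:[[:space:]]*-1([[:space:]]|#|$)' "$cfg"; then
    echo "FAIL: max_users is not -1, new users can still register"
    findings=$((findings + 1))
  fi
  # publish/unpublish must name users, not a built-in catch-all group.
  if grep -E '^[[:space:]]*(publish|unpublish):' "$cfg" |
     grep -Eq '\$(all|anonymous|authenticated)'; then
    echo "FAIL: publish/unpublish is open to a catch-all group"
    findings=$((findings + 1))
  fi
  if [ "$findings" -eq 0 ]; then
    echo "OK: registration closed, publish restricted to named users"
  fi
  return "$findings"
}

# Demo on the constructed sample.
demo=$(mktemp); write_sample_config "$demo"
audit_verdaccio_config "$demo" || echo "findings: $?"
rm -f "$demo"
```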
We are done with the setup now. You can follow the Verdaccio config to set up https/SSL for a secure connection. Let me know your thoughts about this, and share your own setup that I should consider trying. Thanks for reading!