@rothgar rothgar commented Sep 17, 2025

Basic guide for online and airgapped installation.

@github-project-automation github-project-automation bot moved this to To Do in Planning Sep 17, 2025
@talos-bot talos-bot moved this from To Do to In Review in Planning Sep 17, 2025
siderolabs/gvisor: ["20250707.0"]
siderolabs/stargz-snapshotter: ["v0.17.0"]
siderolabs/amd-ucode: ["20250808"]
siderolabs/bnx2-bnx2x: ["20250808"]
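Review bot: all four extension entries in this list (gvisor, stargz-snapshotter, amd-ucode, bnx2-bnx2x) are identified only by a tag such as "20250808". A tag can be re-pointed at different content after the guide is written, so a mirror built from this list has no fixed content to verify against. List each extension as tag plus digest (tag@sha256:…) and have the copy step use the digest.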
Member

extensions should never be referenced by tags, in fact this won't work, as they are pinned by their digests

https://github.com/siderolabs/image-factory/#required-source-container-images has a better description and a script to copy properly

Member Author

It looks like the example script copies images based on their tags (not digests). https://github.com/siderolabs/image-factory/blob/743fe7f7404defa7a1019b0dd491716c146be053/hack/copy-artifacts.sh#L69

From what I can tell it's doing the same thing I have here because the actual copy command run is

crane cp ${SOURCE_REGISTRY}/${image}:${tag} ${TARGET_REGISTRY}/${image}:${tag}

Which for an example like bnx2-bnx2x would be

crane cp  ghcr.io/siderolabs/bnx2-bnx2x:20250808 myregistry/bnx2-bnx2x:20250808

Member

I think it extracts both tag & digest, so the tag is ignored, and digest is used when identifying the image.

Either way, we should pin/copy by digest. The tag is just for informational purposes.

Member

This is how it looks, I think we should use this in the docs:

Processing extension image: siderolabs/amazon-ena 2.15.0-v1.11.0-beta.0@sha256:4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9
2025/09/19 21:46:04 Copying from ghcr.io/siderolabs/amazon-ena:2.15.0-v1.11.0-beta.0@sha256:4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9 to 127.0.0.1:5005/siderolabs/amazon-ena:2.15.0-v1.11.0-beta.0@sha256:4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9
2025/09/19 21:46:05 existing manifest: sha256:4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9
Copied ghcr.io/siderolabs/amazon-ena:2.15.0-v1.11.0-beta.0@sha256:4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9 to 127.0.0.1:5005/siderolabs/amazon-ena:2.15.0-v1.11.0-beta.0@sha256:4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9
2025/09/19 21:46:06 Copying from ghcr.io/siderolabs/amazon-ena:sha256-4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9.sig to 127.0.0.1:5005/siderolabs/amazon-ena:sha256-4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9.sig
2025/09/19 21:46:07 existing manifest: sha256-4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9.sig@sha256:934080d7c3309b9394ad6c3a261f30a60b497acd5ef35a864c906b16ee4500a5
Copied signature of ghcr.io/siderolabs/amazon-ena:2.15.0-v1.11.0-beta.0@sha256:4a2338044a87928bacce7388bb69819a9c7da8e843bf918ed0e63d863caf4af9
Processing extension image: siderolabs/amdgpu 20250708-v1.11.0-beta.0@sha256:40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8
2025/09/19 21:46:07 Copying from ghcr.io/siderolabs/amdgpu:20250708-v1.11.0-beta.0@sha256:40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8 to 127.0.0.1:5005/siderolabs/amdgpu:20250708-v1.11.0-beta.0@sha256:40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8
2025/09/19 21:46:07 existing manifest: sha256:40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8
Copied ghcr.io/siderolabs/amdgpu:20250708-v1.11.0-beta.0@sha256:40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8 to 127.0.0.1:5005/siderolabs/amdgpu:20250708-v1.11.0-beta.0@sha256:40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8
2025/09/19 21:46:08 Copying from ghcr.io/siderolabs/amdgpu:sha256-40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8.sig to 127.0.0.1:5005/siderolabs/amdgpu:sha256-40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8.sig
2025/09/19 21:46:09 existing manifest: sha256-40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8.sig@sha256:f3d1ebec2832a823b9d5f87bfc5902bbe25774ad0a66f94eb50f75cad31201b1
Copied signature of ghcr.io/siderolabs/amdgpu:20250708-v1.11.0-beta.0@sha256:40a5fbce9a86b659a3f43af7fb9aeb73bf37785b9c6ccc00e37cf8169b3bd8a8
Processing extension image: siderolabs/amd-ucode 20250708@sha256:7f16a0ec5084e3dd006a1bfed39f2a790b8a76d0f3b1aa083d4b0511ad4f8b05
2025/09/19 21:46:09 Copying from ghcr.io/siderolabs/amd-ucode:20250708@sha256:7f16a0ec5084e3dd006a1bfed39f2a790b8a76d0f3b1aa083d4b0511ad4f8b05 to 127.0.0.1:5005/siderolabs/amd-ucode:20250708@sha256:7f16a0ec5084e3dd006a1bfed39f2a790b8a76d0f3b1aa083d4b0511ad4f8b05
2025/09/19 21:46:09 existing manifest: sha256:7f16a0ec5084e3dd006a1bfed39f2a790b8a76d0f3b1aa083d4b0511ad4f8b05
Copied ghcr.io/siderolabs/amd-ucode:20250708@sha256:7f16a0ec5084e3dd006a1bfed39f2a790b8a76d0f3b1aa083d4b0511ad4f8b05 to 127.0.0.1:5005/siderolabs/amd-ucode:20250708@sha256:7f16a0ec5084e3dd006a1bfed39f2a790b8a76d0f3b1aa083d4b0511ad4f8b05

And add re-sign step on top of it (if needed in air-gapped).
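The digest-pinned copy and the `sha256-<hex>.sig` signature tag visible in the log above, as an added example that is not part of the PR or of the image-factory script: it builds the two `crane cp` commands per extension and refuses tag-only references. The function names and the dry-run design (commands are printed, not executed) are assumptions; the registry names are taken from the log.

```shell
#!/bin/sh
# Added example: plan digest-pinned mirror copies (dry run, prints commands).
# Registry names come from the log above; function names are illustrative.
SRC="ghcr.io"
DST="127.0.0.1:5005"

# sha256:<hex> -> sha256-<hex>.sig, the tag the signature is stored under
sig_tag() {
  printf '%s-%s.sig\n' "${1%%:*}" "${1#*:}"
}

# Succeeds only for a full sha256 digest: 64 lowercase hex characters.
is_sha256_digest() {
  case "$1" in
    sha256:*) hex="${1#sha256:}" ;;
    *) return 1 ;;
  esac
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# plan_copy "NAME TAG@DIGEST": print the image and signature copy commands.
# Tag-only or malformed references are refused rather than copied by tag.
plan_copy() {
  name="${1%% *}"
  ref="${1#* }"
  case "$ref" in
    *@*) tag="${ref%%@*}"; digest="${ref#*@}" ;;
    *) echo "refusing tag-only reference: $1" >&2; return 1 ;;
  esac
  if ! is_sha256_digest "$digest"; then
    echo "refusing malformed digest: $1" >&2
    return 1
  fi
  sig="$(sig_tag "$digest")"
  echo "crane cp $SRC/$name:$tag@$digest $DST/$name:$tag@$digest"
  echo "crane cp $SRC/$name:$sig $DST/$name:$sig"
}

# Sample input: first line from the log above, second from the reviewed list.
while read -r line; do
  plan_copy "$line" || echo "skipped: $line"
done <<'EOF'
siderolabs/amd-ucode 20250708@sha256:7f16a0ec5084e3dd006a1bfed39f2a790b8a76d0f3b1aa083d4b0511ad4f8b05
siderolabs/bnx2-bnx2x 20250808
EOF
```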

Member Author

It looks like the --preserve-digests flag automatically will dereference digests from the tags and copy those, but the man page says it doesn't change what would be copied. It also looks like --all will be helpful to get alternative architectures and signatures.

I should also be able to use --sign-by-sigstore-private-key but I might have something configured incorrectly on my local registry

Writing manifest to image destination
Creating signature: Signing image using a sigstore signature
Storing signatures
FATA[0002] Error copying ref "docker://ghcr.io/siderolabs/installer-base:v1.11.0": copying image 1/4 from manifest list: writing signatures: writing sigstore attachments is disabled by configuration


First you will need to run a container registry in your environment. Any OCI compatable registry should work.

Note: this is just an example and should not be used in a production environment. If you want to test locally on your mahcine you can also see the [developer documentation](https://github.com/siderolabs/image-factory#air-gapped-mode) in the repository.
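Review bot: two misspellings in the added lines: "compatable" in "Any OCI compatable registry" should be "compatible", and "mahcine" in the note should be "machine". The note also says the example "should not be used in a production environment" without saying what makes it unsuitable; naming what the example leaves out would tell readers what to change.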
Member Author

@Iheanacho-ai does mintlify have a native Note box we're using? I'm assuming one of these callouts https://www.mintlify.com/docs/components/callouts

@rothgar rothgar force-pushed the image-factory branch 2 times, most recently from e7bdea1 to d405f7f Compare September 21, 2025 13:49
@smira smira removed this from Planning Oct 13, 2025
Basic guide for online and airgapped installation.

Signed-off-by: Justin Garrison <[email protected]>
@rothgar rothgar marked this pull request as draft October 24, 2025 16:34