app/registry: abstract away pushers
Another change I lost somewhere in the process of remembering how to
gerrit.
I rewrote it (lost the original commit), and also added the (upcoming)
egressifier service.
Change-Id: I1647bc3b1e504a192150ab76f4c6d1709e608f0a
diff --git a/app/registry/prod.jsonnet b/app/registry/prod.jsonnet
index 4e02d3a..d2ffbc6 100644
--- a/app/registry/prod.jsonnet
+++ b/app/registry/prod.jsonnet
@@ -147,23 +147,16 @@
users: {
[""]: {}, // '' user are anonymous users.
},
+ local data = self,
+ pushers:: [
+ { who: ["q3k", "inf"], what: "vms/*" },
+ { who: ["q3k"], what: "app/radio" },
+ { who: ["q3k"], what: "app/factorio" },
+ { who: ["q3k"], what: "app/gerrit" },
+ { who: ["q3k"], what: "go/svc/egressifier" },
+ ],
acl: [
{
- match: {account: "/(q3k|inf)/", name: "vms/*"},
- actions: ["*"],
- comment: "q3k and inf can mange 'vms' docker images",
- },
- {
- match: {account: "q3k", name: "app/radio"},
- actions: ["*"],
- comment: "q3k can mange 'app/radio' docker images",
- },
- {
- match: {account: "q3k", name: "app/factorio"},
- actions: ["*"],
- comment: "q3k can mange 'app/factorio' docker images",
- },
- {
match: {account: "/.+/", name: "${account}/*"},
actions: ["*"],
comment: "Logged in users have full access to images that are in their 'namespace'",
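Review bot: The new hidden field `pushers::` carries no comment saying what `who` and `what` mean or how they are consumed, which matters because each `who` entry is later joined into the account regex built in the second hunk. A short comment above the list would cover it, for example `// pushers: accounts in 'who' get all actions on images matching 'what'; 'who' entries must be literal account names.` The `acl` list that these entries feed continues outside this hunk.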
@@ -178,6 +171,16 @@
actions: ["pull"],
comment: "Anyone can pull all images.",
},
+ ] + [
+ {
+ match: {
+ account: "/(%s)/" % std.join("|", p.who),
+ name: p.what,
+ },
+ actions: ["*"],
+ comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
+ }
+ for p in data.pushers
],
}),
}
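Review bot: The generated account pattern `"/(%s)/" % std.join("|", p.who)` has no anchors, so if the auth server treats `/…/` as an unanchored regular expression, a rule written for `inf` or `q3k` would also apply to any account whose name merely contains that string. This also widens the single-owner entries, which were the plain string `account: "q3k"` before this change and are now a regex. Anchoring the alternation keeps the match exact: `account: "/^(%s)$/" % std.join("|", p.who),`. The `who` values are interpolated unescaped, so they should stay plain account names without regex metacharacters. Separately, these rules now sit at the end of `acl` rather than the head; if evaluation stops at the first matching entry, it is worth confirming that no earlier entry matches the same account and image with narrower actions.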