app/registry: abstract away pushers

Another change I lost somewhere in the process of remembering how to
gerrit.

I rewrote it (lost the original commit), and also added the (upcoming)
egressifier service.

Change-Id: I1647bc3b1e504a192150ab76f4c6d1709e608f0a
diff --git a/app/registry/prod.jsonnet b/app/registry/prod.jsonnet
index 4e02d3a..d2ffbc6 100644
--- a/app/registry/prod.jsonnet
+++ b/app/registry/prod.jsonnet
@@ -147,23 +147,16 @@
                 users: {
                     [""]: {}, // '' user are anonymous users.
                 },
+                local data = self,
+                pushers:: [
+                        { who: ["q3k", "inf"], what: "vms/*" },
+                        { who: ["q3k"], what: "app/radio" },
+                        { who: ["q3k"], what: "app/factorio" },
+                        { who: ["q3k"], what: "app/gerrit" },
+                        { who: ["q3k"], what: "go/svc/egressifier" },
+                ],
                 acl: [
                     {
-                        match: {account: "/(q3k|inf)/", name: "vms/*"},
-                        actions: ["*"],
-                        comment: "q3k and inf can mange 'vms' docker images",
-                    },
-                    {
-                        match: {account: "q3k", name: "app/radio"},
-                        actions: ["*"],
-                        comment: "q3k can mange 'app/radio' docker images",
-                    },
-                    {
-                        match: {account: "q3k", name: "app/factorio"},
-                        actions: ["*"],
-                        comment: "q3k can mange 'app/factorio' docker images",
-                    },
-                    {
                         match: {account: "/.+/", name: "${account}/*"},
                         actions: ["*"],
                         comment: "Logged in users have full access to images that are in their 'namespace'",
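Review bot: The new `pushers` field has no comment stating its contract, although it is now the single place where full push rights are granted. A comment above `pushers::` such as `// who: exact account names (joined into a regex below, so no regex metacharacters); what: repository name pattern; each entry grants all actions` would make the constraints visible to whoever adds the next entry. The list entries are also indented four spaces deeper than the neighbouring `users` and `acl` fields. The `acl` array continues outside this hunk.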
@@ -178,6 +171,16 @@
                         actions: ["pull"],
                         comment: "Anyone can pull all images.",
                     },
+                ] + [
+                    {
+                        match: {
+                            account: "/(%s)/" % std.join("|", p.who),
+                            name: p.what,
+                        },
+                        actions: ["*"],
+                        comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
+                    }
+                    for p in data.pushers
                 ],
             }),
         }
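Review bot: The generated `account` pattern `"/(%s)/"` is unanchored, and the single-user rules that used to be exact strings (`account: "q3k"`) are now emitted as regexes as well. If the auth server treats slash-delimited patterns as an unanchored regex search (not confirmable from this diff), any account whose name merely contains `q3k` or `inf` would get `*` on these repositories; `account: "/^(%s)$/" % std.join("|", p.who),` would pin the match to the listed names. The `who` values are interpolated without escaping, so a name containing a regex metacharacter would also widen the match. Separately, these entries now sit after the "Anyone can pull all images." rule instead of at the head of the list, so if evaluation is first-match-wins it is worth confirming no earlier entry shadows them.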