app/registry: oauth2 authentication
diff --git a/app/registry/prod.jsonnet b/app/registry/prod.jsonnet
index 0b7fea5..28d706d 100644
--- a/app/registry/prod.jsonnet
+++ b/app/registry/prod.jsonnet
@@ -1,3 +1,7 @@
+# registry.k0.hswaw.net, a private docker registry
+# This needs an oauth2 secret provisioned, create with:
+#    kubectl -n registry create secret generic auth --from-literal=oauth2_secret=...
+
 local kube = import "../../kube/kube.libsonnet";
 local cm = import "../../cluster/kube/lib/cert-manager.libsonnet";
 
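Review bot: The provisioning hint `kubectl -n registry create secret generic auth --from-literal=oauth2_secret=...` puts the OAuth client secret on the command line, where it ends up in shell history and is visible in the process list while the command runs; the comment should recommend `--from-file=oauth2_secret=/path/to/secret-file` instead. It would also help to state that this is the client secret issued by sso.hackerspace.pl for the `registry` client id configured further down in this file, so an operator knows where to obtain it.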
@@ -109,25 +113,32 @@
                     issuer: "registry.%s auth server" % [cfg.domain],
                     expiration: 900,
                 },
-                users: {
-                    # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
-                    "admin": {
-                         password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC",  # badmin
-                    },
-                    "test": {
-                         password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya",  # 123
-                    },
+                oauth2: {
+                    client_id: "registry",
+                    client_secret_file: "/secrets/oauth2_secret",
+                    authorize_url: "https://sso.hackerspace.pl/oauth/authorize",
+                    access_token_url: "https://sso.hackerspace.pl/oauth/token",
+                    profile_url: "https://sso.hackerspace.pl/api/1/profile",
+                    redirect_url: "https://registry.k0.hswaw.net/oauth2",
+                    username_key: "username",
+                    token_db: "/tmp/oauth2_tokens.ldb",
+                    registry_url: "https://registry.k0.hswaw.net",
                 },
                 acl: [
                     {
-                        match: {account: "admin"},
+                        match: {account: "/.+/", name: "${account}/*"},
                         actions: ["*"],
-                        comment: "Admin has full access to everything.",
+                        comment: "Logged in users have full access to images that are in their 'namespace'",
                     },
                     {
-                        match: {account: "user"},
+                        match: {account: "/.+/", type: "registry", name: "catalog"},
+                        actions: ["*"],
+                        comment: "Logged in users can query the catalog.",
+                    },
+                    {
+                        match: {account: "/.+/"},
                         actions: ["pull"],
-                        comment: "User \"user\" can pull stuff.",
+                        comment: "Logged in users can pull all images.",
                     },
                 ],
             }),
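Review bot: `${account}` is substituted verbatim into the glob `${account}/*`, so if the SSO `username` claim can contain glob metacharacters the first rule can match other users' namespaces, and if it can contain uppercase it can never match a repository name (registry names are lowercase); restricting the account match to an anchored charset such as `/^[a-z0-9._-]+$/` instead of `/.+/` would bound that. If docker_auth matches names with Go's `path.Match`, `*` does not cross `/`, so a push to `user/sub/image` would fall through to the pull-only rule — confirm against the image in use. `redirect_url` and `registry_url` hard-code `registry.k0.hswaw.net` while `issuer` on L15 is derived from `cfg.domain`; `registry_url: "https://registry.%s" % [cfg.domain]` keeps the two consistent. `token_db: "/tmp/oauth2_tokens.ldb"` lives on the container's ephemeral filesystem, so issued OAuth tokens are lost on every restart; a comment saying that is intentional, or an emptyDir/PVC for it, would make the choice explicit.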
@@ -145,13 +156,17 @@
                         certs: {
                             secret: { secretName: app.authCertificate.spec.secretName },
                         },
+                        secrets: {
+                            secret: { secretName: "auth" },
+                        },
                     },
                     containers_: {
                         auth: kube.Container("auth") {
-                            image: "cesanta/docker_auth:1",
+                            image: "informatic/docker_auth:2019040307",
                             volumeMounts_: {
                                 config: { mountPath: "/config" },
                                 certs: { mountPath: "/certs" },
+                                secrets: { mountPath: "/secrets" },
                             },
                         },
                     },
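Review bot: `image: "informatic/docker_auth:2019040307"` replaces the upstream image with a personal fork referenced by a mutable tag; this container mints the bearer tokens the registry trusts, so it should be pinned by digest (`informatic/docker_auth@sha256:…`) and a comment should record why the fork is needed and which upstream version it tracks. The new secret mount could also state its intent, e.g. `secrets: { mountPath: "/secrets", readOnly: true }`. The enclosing deployment definition starts outside the hunk.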
@@ -215,6 +230,7 @@
                 "kubernetes.io/tls-acme": "true",
                 "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                 "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
+                "nginx.ingress.kubernetes.io/proxy-body-size": "0",
             },
         },
         spec+: {
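Review bot: `proxy-body-size: "0"` removes the request-body limit for every path served by this Ingress, including `/auth` and the OAuth callback handled by the auth service, not only the blob-upload endpoints that need it. That is hard to avoid with a single Ingress, but the annotation deserves a comment so it is not "fixed" back later: `# unlimited body size: required for large layer pushes; applies to all paths on this host`. If the registry and auth paths are ever split into separate Ingress objects, the limit can be restored on the auth one.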
@@ -230,7 +246,8 @@
                     http: {
                         paths: [
                             { path: "/auth", backend: app.authService.name_port },
-                            { path: "/", backend: app.registryService.name_port },
+                            { path: "/", backend: app.authService.name_port },
+                            { path: "/v2/", backend: app.registryService.name_port },
                         ]
                     },
                 }
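Review bot: The `/auth` entry on L89 is now redundant, because `/` on L91 routes to the same `app.authService.name_port`; drop it or add a comment explaining why it is kept. The split also relies on the controller preferring the longer `/v2/` prefix over `/` — true for nginx-ingress, but since no path type is shown, a comment that everything outside `/v2/` (login pages and the `/oauth2` callback from `redirect_url`) is intentionally served by docker_auth would help the next reader. Note that `/v2` without a trailing slash goes to the auth service; the Docker client uses `/v2/`, so this is presumably fine.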