app/registry: oauth2 authentication
diff --git a/app/registry/prod.jsonnet b/app/registry/prod.jsonnet
index 0b7fea5..28d706d 100644
--- a/app/registry/prod.jsonnet
+++ b/app/registry/prod.jsonnet
@@ -1,3 +1,7 @@
+# registry.k0.hswaw.net, a private docker registry
+# This needs an oauth2 secret provisioned, create with:
+# kubectl -n registry create secret generic auth --from-literal=oauth2_secret=...
+
local kube = import "../../kube/kube.libsonnet";
local cm = import "../../cluster/kube/lib/cert-manager.libsonnet";
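Review bot: The provisioning hint on the third added line (`--from-literal=oauth2_secret=...`) puts the OAuth2 client secret on the command line, where it lands in shell history and is visible in the process list while kubectl runs. Since this comment is the only documentation of how the `auth` secret is created, suggest recommending a file-based form instead, e.g. `# kubectl -n registry create secret generic auth --from-file=oauth2_secret=<path to file containing the secret>`, so the value never appears as an argument. Keeping the secret name `auth` and key `oauth2_secret` in the comment is useful because the volume and `client_secret_file` elsewhere in this change depend on exactly those names.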
@@ -109,25 +113,32 @@
issuer: "registry.%s auth server" % [cfg.domain],
expiration: 900,
},
- users: {
- # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
- "admin": {
- password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC", # badmin
- },
- "test": {
- password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya", # 123
- },
+ oauth2: {
+ client_id: "registry",
+ client_secret_file: "/secrets/oauth2_secret",
+ authorize_url: "https://sso.hackerspace.pl/oauth/authorize",
+ access_token_url: "https://sso.hackerspace.pl/oauth/token",
+ profile_url: "https://sso.hackerspace.pl/api/1/profile",
+ redirect_url: "https://registry.k0.hswaw.net/oauth2",
+ username_key: "username",
+ token_db: "/tmp/oauth2_tokens.ldb",
+ registry_url: "https://registry.k0.hswaw.net",
},
acl: [
{
- match: {account: "admin"},
+ match: {account: "/.+/", name: "${account}/*"},
actions: ["*"],
- comment: "Admin has full access to everything.",
+ comment: "Logged in users have full access to images that are in their 'namespace'",
},
{
- match: {account: "user"},
+ match: {account: "/.+/", type: "registry", name: "catalog"},
+ actions: ["*"],
+ comment: "Logged in users can query the catalog.",
+ },
+ {
+ match: {account: "/.+/"},
actions: ["pull"],
- comment: "User \"user\" can pull stuff.",
+ comment: "Logged in users can pull all images.",
},
],
}),
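Review bot: `token_db: "/tmp/oauth2_tokens.ldb"` points the token store at the container's ephemeral filesystem, and no volume for it appears in this change, so every restart of the auth pod appears to discard all issued tokens and force users back through the SSO flow; with more than one replica each pod would also hold its own disconnected database. If that is the intended trade-off, say so next to the field, e.g. `token_db: "/tmp/oauth2_tokens.ldb", # ephemeral: tokens are lost on pod restart`; otherwise back it with a volume mounted at that path. The ACL block is evaluated top to bottom with the first match winning, so it is worth a comment on the `acl:` line that the `${account}/*` full-access rule must stay above the pull-only catch-all. The enclosing auth config object starts outside this hunk.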
@@ -145,13 +156,17 @@
certs: {
secret: { secretName: app.authCertificate.spec.secretName },
},
+ secrets: {
+ secret: { secretName: "auth" },
+ },
},
containers_: {
auth: kube.Container("auth") {
- image: "cesanta/docker_auth:1",
+ image: "informatic/docker_auth:2019040307",
volumeMounts_: {
config: { mountPath: "/config" },
certs: { mountPath: "/certs" },
+ secrets: { mountPath: "/secrets" },
},
},
},
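Review bot: `image: "informatic/docker_auth:2019040307"` swaps the upstream `cesanta/docker_auth` image for a third-party fork referenced by a mutable tag, so what actually runs as the registry's authentication server can change underneath this config without a commit. Pinning by digest, `image: "informatic/docker_auth@sha256:<digest of the reviewed image>"`, would make the deployed auth server reproducible and reviewable. The new `secrets: { mountPath: "/secrets" }` mount could also carry `readOnly: true` if the `volumeMounts_` helper passes fields through to the pod spec, which looks likely given `mountPath` is used raw here. The enclosing deployment definition starts and ends outside this hunk.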
@@ -215,6 +230,7 @@
"kubernetes.io/tls-acme": "true",
"certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
+ "nginx.ingress.kubernetes.io/proxy-body-size": "0",
},
},
spec+: {
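Review bot: `"nginx.ingress.kubernetes.io/proxy-body-size": "0"` is an ingress-wide annotation, so it lifts the request body limit not only for image layer uploads under `/v2/` but also for `/auth` and the root path that the same ingress routes to the auth server. That is probably acceptable for a private registry, but the reason should be recorded, e.g. `# 0 = no limit; required for image layer pushes to /v2/, applies to the auth server paths too`. Scoping the unlimited size to the registry paths would require a separate Ingress object for `/v2/`. The enclosing ingress definition starts and ends outside this hunk.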
@@ -230,7 +246,8 @@
http: {
paths: [
{ path: "/auth", backend: app.authService.name_port },
- { path: "/", backend: app.registryService.name_port },
+ { path: "/", backend: app.authService.name_port },
+ { path: "/v2/", backend: app.registryService.name_port },
]
},
}
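Review bot: The new routing sends `/` to the auth service and only `/v2/` to the registry, which depends on the ingress controller preferring the longer `/v2/` prefix over `/`; that holds for ingress-nginx, which matches longest prefix first, but nothing in the file says why the root now belongs to docker_auth. Suggest a comment on the `paths:` line such as `# docker_auth serves / (login page, /oauth2 callback from redirect_url) and /auth; the registry API lives only under /v2/` so the dependency on the `redirect_url` configured earlier in this change is visible. Note that a request to `/v2` without the trailing slash would reach the auth service rather than the registry; Docker clients use `/v2/`, so this is likely fine but worth knowing. The enclosing ingress spec starts outside this hunk.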