Update docs: JWKS credentials and AZ identity (#4397)
commit 948a39d358
2 changed files with 31 additions and 13 deletions
@ -168,6 +168,7 @@ auth:
|
||||||
service: token-service
|
service: token-service
|
||||||
issuer: registry-token-issuer
|
issuer: registry-token-issuer
|
||||||
rootcertbundle: /root/certs/bundle
|
rootcertbundle: /root/certs/bundle
|
||||||
|
jwks: /path/to/jwks
|
||||||
signingalgorithms:
|
signingalgorithms:
|
||||||
- EdDSA
|
- EdDSA
|
||||||
- HS256
|
- HS256
|
||||||
|
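Review bot: the new `jwks: /path/to/jwks` line sits directly under `rootcertbundle: /root/certs/bundle`, but nothing in the example (or the `auth` section it belongs to) says how the two relate: whether keys in the JWKS are added to the trust set loaded from the root bundle, or replace it, or whether `rootcertbundle` may be omitted once `jwks` is set. Since every key in either file becomes an accepted token signer, an operator needs that answer to know the size of the trust set they are configuring. Add a one-line comment above the key, for example `# keys from the JWKS are trusted in addition to the root bundle` (or whatever the implementation actually does), and consider a placeholder consistent with the bundle, such as `/root/certs/jwks.json`, so the example reads as one coherent deployment.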
@ -584,6 +585,7 @@ auth:
|
||||||
service: token-service
|
service: token-service
|
||||||
issuer: registry-token-issuer
|
issuer: registry-token-issuer
|
||||||
rootcertbundle: /root/certs/bundle
|
rootcertbundle: /root/certs/bundle
|
||||||
|
jwks: /path/to/jwks
|
||||||
signingalgorithms:
|
signingalgorithms:
|
||||||
- EdDSA
|
- EdDSA
|
||||||
- HS256
|
- HS256
|
||||||
|
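Review bot: this is the second copy of the same `auth` example, so it needs whatever precedence comment the first copy gets, and the two should be kept identical. One additional point that this copy makes visible: the example keeps `- HS256` in `signingalgorithms` right under the new `jwks` key. HS256 is an HMAC algorithm and cannot be verified with the public keys a JWKS normally carries; if HS256 is meant to be supported here, the text should say that the JWKS must then contain a symmetric (`oct`) key, that such a key must be protected as a secret rather than as public trust material, and that listing an HMAC algorithm next to asymmetric ones should be avoided unless the verifier binds each key to one algorithm, otherwise the configuration invites algorithm-confusion mistakes. If HS256 is not intended to work with `jwks`, drop it from this example.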
@ -623,15 +625,16 @@ Token-based authentication allows you to decouple the authentication system from
|
||||||
the registry. It is an established authentication paradigm with a high degree of
|
the registry. It is an established authentication paradigm with a high degree of
|
||||||
security.
|
security.
|
||||||
|
|
||||||
| Parameter | Required | Description |
|
| Parameter | Required | Description |
|
||||||
|-----------|----------|-------------------------------------------------------|
|
|----------------------|----------|-------------------------------------------------------|
|
||||||
| `realm` | yes | The realm in which the registry server authenticates. |
|
| `realm` | yes | The realm in which the registry server authenticates. |
|
||||||
| `service` | yes | The service being authenticated. |
|
| `service` | yes | The service being authenticated. |
|
||||||
| `issuer` | yes | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. |
|
| `issuer` | yes | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. |
|
||||||
| `rootcertbundle` | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. |
|
| `rootcertbundle` | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. |
|
||||||
| `autoredirect` | no | When set to `true`, `realm` will automatically be set using the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. |
|
| `autoredirect` | no | When set to `true`, `realm` will be set to the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. |
|
||||||
| `autoredirectpath` | no | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. |
|
| `autoredirectpath` | no | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. |
|
||||||
| `signingalgorithms` | no | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. |
|
| `signingalgorithms` | no | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. |
|
||||||
|
| `jwks` | no | The absolute path to the JSON Web Key Set (JWKS) file. The JWKS file contains the trusted keys used to verify the signature of authentication tokens. |
|
||||||
|
|
||||||
Available `signingalgorithms`:
|
Available `signingalgorithms`:
|
||||||
- EdDSA
|
- EdDSA
|
||||||
|
|
|
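Review bot: the new `jwks` row says the file "contains the trusted keys used to verify the signature of authentication tokens" while `rootcertbundle` stays marked "Required: yes"; state whether `rootcertbundle` is still required when `jwks` is set, and whether the two key sets are merged or one takes precedence, since the table is where operators will look for this. The row should also carry the same warning the certificate bundle implicitly has: any key in the file is accepted as a signer, so the JWKS path must be writable only by the registry's administrator and readable only by the registry process, or a writable JWKS is equivalent to handing out the signing key. On the reworded `autoredirect` row, "`realm` will be set to the Host header of the request as the domain and a path of `/auth/token/`" does not parse; suggest "`realm` is built from the request's Host header (as the domain) and a path of `/auth/token/`". While that row is being touched, it is worth adding that because the realm is derived from the client-supplied `Host` and `X-Forwarded-Proto` headers, `autoredirect` should only be enabled behind a proxy that sets or validates those headers, otherwise a client can be redirected to an authentication endpoint of its own choosing.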
@ -20,7 +20,22 @@ An implementation of the `storagedriver.StorageDriver` interface which uses [Mic
|
||||||
|
|
||||||
## Related information
|
## Related information
|
||||||
|
|
||||||
* To get information about
|
* To get information about Azure blob storage [the offical docs](https://azure.microsoft.com/en-us/services/storage/).
|
||||||
[azure-blob-storage](https://azure.microsoft.com/en-us/services/storage/), visit
|
* You can use Azure [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container).
|
||||||
the Microsoft website.
|
|
||||||
* You can use Microsoft's [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container).
|
## Azure identity
|
||||||
|
|
||||||
|
In order to use managed identity to access Azure blob storage you can use [Microsoft Bicep](https://learn.microsoft.com/en-us/azure/templates/microsoft.app/managedenvironments/storages?pivots=deployment-language-bicep).
|
||||||
|
|
||||||
|
The following will configure credentials that will be used by the Azure storage driver to construct AZ Identity that will be used to access the blob storage:
|
||||||
|
```
|
||||||
|
properties: {
|
||||||
|
azure: {
|
||||||
|
accountname: accountname
|
||||||
|
container: containername
|
||||||
|
credentials: {
|
||||||
|
type: default
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
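Review bot: the new "Related information" bullet has a typo and is not a sentence: "To get information about Azure blob storage [the offical docs](...)" should read "For information about Azure blob storage, see [the official docs](...)". In the new "Azure identity" section, the Bicep link points at `Microsoft.App/managedEnvironments/storages` (Container Apps environment storage), which is not where a managed identity for blob access is defined; say what the reader is expected to deploy with it, or link the resource that actually grants the identity access. The fenced block is untagged and its syntax is ambiguous: `accountname: accountname` and `type: default` are bare identifiers, which is not valid Bicep for string values (`type: 'default'`) and is not the registry's YAML configuration either; tag the fence with the language and state which file the snippet belongs in. Finally, `credentials: { type: default }` and "construct AZ Identity" should name what is actually used (presumably the Azure SDK's default credential chain), list which identity sources that chain tries in a container, and note that the identity it resolves should be granted access only to the one account and container named here.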