From d3cc664fa2219d5ac6e7a724dbb755f27b08a2e6 Mon Sep 17 00:00:00 2001 From: Milos Gajdos Date: Sat, 6 Jul 2024 10:13:29 +0100 Subject: [PATCH] Update docs: JWKS credentials and AZ identity Signed-off-by: Milos Gajdos --- docs/content/about/configuration.md | 21 ++++++++++++--------- docs/content/storage-drivers/azure.md | 23 +++++++++++++++++++---- 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/docs/content/about/configuration.md b/docs/content/about/configuration.md index 942940f7..88c4e858 100644 --- a/docs/content/about/configuration.md +++ b/docs/content/about/configuration.md @@ -168,6 +168,7 @@ auth: service: token-service issuer: registry-token-issuer rootcertbundle: /root/certs/bundle + jwks: /path/to/jwks signingalgorithms: - EdDSA - HS256 @@ -584,6 +585,7 @@ auth: service: token-service issuer: registry-token-issuer rootcertbundle: /root/certs/bundle + jwks: /path/to/jwks signingalgorithms: - EdDSA - HS256 @@ -623,15 +625,16 @@ Token-based authentication allows you to decouple the authentication system from the registry. It is an established authentication paradigm with a high degree of security. -| Parameter | Required | Description | -|-----------|----------|-------------------------------------------------------| -| `realm` | yes | The realm in which the registry server authenticates. | -| `service` | yes | The service being authenticated. | -| `issuer` | yes | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. | -| `rootcertbundle` | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. | -| `autoredirect` | no | When set to `true`, `realm` will automatically be set using the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. | -| `autoredirectpath` | no | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. | -| `signingalgorithms` | no | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. | +| Parameter | Required | Description | +|----------------------|----------|-------------------------------------------------------| +| `realm` | yes | The realm in which the registry server authenticates. | +| `service` | yes | The service being authenticated. | +| `issuer` | yes | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. | +| `rootcertbundle` | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. | +| `autoredirect` | no | When set to `true`, `realm` will be set to the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. | +| `autoredirectpath` | no | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. | +| `signingalgorithms` | no | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. | +| `jwks` | no | The absolute path to the JSON Web Key Set (JWKS) file. The JWKS file contains the trusted keys used to verify the signature of authentication tokens. | Available `signingalgorithms`: - EdDSA diff --git a/docs/content/storage-drivers/azure.md b/docs/content/storage-drivers/azure.md index 50f03a2b..d2b6c54c 100644 --- a/docs/content/storage-drivers/azure.md +++ b/docs/content/storage-drivers/azure.md @@ -20,7 +20,22 @@ An implementation of the `storagedriver.StorageDriver` interface which uses [Mic ## Related information -* To get information about -[azure-blob-storage](https://azure.microsoft.com/en-us/services/storage/), visit -the Microsoft website. -* You can use Microsoft's [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container). +* To get information about Azure blob storage [the offical docs](https://azure.microsoft.com/en-us/services/storage/). +* You can use Azure [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container). + +## Azure identity + +In order to use managed identity to access Azure blob storage you can use [Microsoft Bicep](https://learn.microsoft.com/en-us/azure/templates/microsoft.app/managedenvironments/storages?pivots=deployment-language-bicep). + +The following will configure credentials that will be used by the Azure storage driver to construct AZ Identity that will be used to access the blob storage: +``` +properties: { + azure: { + accountname: accountname + container: containername + credentials: { + type: default + } + } +} +```