forked from TrueCloudLab/distribution
Update docs: JWKS credentials and AZ identity
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
parent 4dd0ac977e
commit d3cc664fa2
2 changed files with 31 additions and 13 deletions
@ -168,6 +168,7 @@ auth:
service: token-service
issuer: registry-token-issuer
rootcertbundle: /root/certs/bundle
jwks: /path/to/jwks
signingalgorithms:
- EdDSA
- HS256
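Review bot: the example now sets both `rootcertbundle` and `jwks` (`jwks: /path/to/jwks`) but nothing on the page says how the two key sources relate, whether the keys in the JWKS file are added to the keys from the bundle, replace them, or whether either one alone is enough. A verifier that trusts the union of two key files has a larger trust set than the operator may expect, so the precedence should be stated explicitly, either as a comment on the `jwks:` line or as a sentence in the token-auth section.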
@ -584,6 +585,7 @@ auth:
service: token-service
issuer: registry-token-issuer
rootcertbundle: /root/certs/bundle
jwks: /path/to/jwks
signingalgorithms:
- EdDSA
- HS256
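Review bot: the `signingalgorithms` list in this second example (as in the first) keeps `HS256` next to `EdDSA` while the only key material the example points at is public-key material (`rootcertbundle`, `jwks`). HS256 is a shared-secret HMAC algorithm, so the example should either say where that secret is loaded from or drop `HS256`; as written it advertises running symmetric and asymmetric algorithms under one verifier, which is the setup behind JWT algorithm-confusion mistakes when readers copy the list into their own deployments. If the intent is to show several allowed algorithms, two asymmetric ones would make the point without that ambiguity.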
@ -623,15 +625,16 @@ Token-based authentication allows you to decouple the authentication system from
the registry. It is an established authentication paradigm with a high degree of
security.
|
| Parameter | Required | Description |
|-----------|----------|-------------------------------------------------------|
| `realm` | yes | The realm in which the registry server authenticates. |
| `service` | yes | The service being authenticated. |
| `issuer` | yes | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. |
| `rootcertbundle` | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. |
| `autoredirect` | no | When set to `true`, `realm` will automatically be set using the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. |
| `autoredirectpath` | no | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. |
| `signingalgorithms` | no | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. |
| Parameter | Required | Description |
|----------------------|----------|-------------------------------------------------------|
| `realm` | yes | The realm in which the registry server authenticates. |
| `service` | yes | The service being authenticated. |
| `issuer` | yes | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. |
| `rootcertbundle` | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. |
| `autoredirect` | no | When set to `true`, `realm` will be set to the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. |
| `autoredirectpath` | no | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. |
| `signingalgorithms` | no | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. |
| `jwks` | no | The absolute path to the JSON Web Key Set (JWKS) file. The JWKS file contains the trusted keys used to verify the signature of authentication tokens. |
|
Available `signingalgorithms`:
- EdDSA
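Review bot: the new `jwks` row is marked `no` in the Required column while `rootcertbundle` still says `yes`; if a JWKS file can stand in for the bundle, the `rootcertbundle` row should read something like `yes, unless jwks is set` (and the `jwks` row the converse), and if both are always needed the `jwks` description should say it supplements the bundle rather than replacing it. Two further points on the same table: the rewritten `autoredirect` row now states that `realm` is built from the request's `Host` header and the scheme from `X-Forwarded-Proto`, which is only safe when those headers are set by a trusted reverse proxy, so the row should warn that an unproxied registry with `autoredirect: true` lets the client pick the realm it is sent to; and the `jwks` description should say whether the file's keys are matched to tokens by `kid` or tried in turn, since that determines how key rotation in the file behaves.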
@ -20,7 +20,22 @@ An implementation of the `storagedriver.StorageDriver` interface which uses [Mic
|
## Related information
|
* To get information about
[azure-blob-storage](https://azure.microsoft.com/en-us/services/storage/), visit
the Microsoft website.
* You can use Microsoft's [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container).
* To get information about Azure blob storage [the offical docs](https://azure.microsoft.com/en-us/services/storage/).
* You can use Azure [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container).
|
## Azure identity
|
In order to use managed identity to access Azure blob storage you can use [Microsoft Bicep](https://learn.microsoft.com/en-us/azure/templates/microsoft.app/managedenvironments/storages?pivots=deployment-language-bicep).
|
The following will configure credentials that will be used by the Azure storage driver to construct AZ Identity that will be used to access the blob storage:
```
properties: {
azure: {
accountname: accountname
container: containername
credentials: {
type: default
}
}
}
```
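Review bot: the added bullet `* To get information about Azure blob storage [the offical docs](...)` has no verb and misspells `official`; suggest `* For more information about Azure blob storage, see [the official docs](...)`. In the `## Azure identity` section, the prose says managed identity is set up with Bicep and links to the `microsoft.app/managedenvironments/storages` template, but the snippet that follows (`azure:` / `accountname` / `container` / `credentials: { type: default }`) is the registry's own storage-driver configuration rather than that Bicep resource, so the link and the snippet do not match, and the fence carries no language tag. The section also never explains what `type: default` selects (which credential chain the driver builds, and which other `type` values are accepted) or how a managed identity is actually assigned to the registry's compute and granted blob permissions, which is the part a reader aiming for least-privilege storage access needs; the snippet as written shows no identity at all. Minor wording: `construct AZ Identity that will be used` reads better as `construct the Azure identity credential used`.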