Use the instance service key for registry JWT signing

config.py

@@ -260,10 +260,7 @@ class DefaultConfig(object):
   SIGNED_GRANT_EXPIRATION_SEC = 60 * 60 * 24  # One day to complete a push/pull
 
   # Registry v2 JWT Auth config
-  JWT_AUTH_MAX_FRESH_S = 60 * 60 + 60  # At most signed for one hour, accounting for clock skew
-  JWT_AUTH_TOKEN_ISSUER = 'quay-test-issuer'
-  JWT_AUTH_CERTIFICATE_PATH = None
-  JWT_AUTH_PRIVATE_KEY_PATH = None
+  REGISTRY_JWT_AUTH_MAX_FRESH_S = 60 * 60 + 60  # At most signed one hour, accounting for clock skew
 
   # The URL endpoint to which we redirect OAuth when generating a token locally.
   LOCAL_OAUTH_HANDLER = '/oauth/localapp'
@@ -340,14 +337,23 @@ class DefaultConfig(object):
   # lowest user in the database will be used.
   SERVICE_LOG_ACCOUNT_ID = None
 
-  # The location of the private key generated for this instance
+  # The service key ID for the instance service.
+  # NOTE: If changed, jwtproxy_conf.yaml.jnj must also be updated.
+  INSTANCE_SERVICE_KEY_SERVICE = 'quay'
+
+  # The location of the key ID file generated for this instance.
+  INSTANCE_SERVICE_KEY_KID_LOCATION = 'conf/quay.kid'
+
+  # The location of the private key generated for this instance.
+  # NOTE: If changed, jwtproxy_conf.yaml.jnj must also be updated.
   INSTANCE_SERVICE_KEY_LOCATION = 'conf/quay.pem'
 
-  # This instance's service key expiration in minutes
+  # This instance's service key expiration in minutes.
   INSTANCE_SERVICE_KEY_EXPIRATION = 120
 
-  # Number of minutes between expiration refresh in minutes
-  INSTANCE_SERVICE_KEY_REFRESH = 60
+  # Number of minutes between expiration refresh in minutes. Should be the expiration / 2 minus
+  # some additional window time.
+  INSTANCE_SERVICE_KEY_REFRESH = 55
 
   # The whitelist of client IDs for OAuth applications that allow for direct login.
   DIRECT_OAUTH_CLIENTID_WHITELIST = []