Add jwtproxy and configure verifier for /secscan/notify

conf/http-base.conf

@@ -37,6 +37,9 @@ map $http_x_forwarded_proto $proper_scheme {
 upstream web_app_server {
     server unix:/tmp/gunicorn_web.sock fail_timeout=0;
 }
+upstream jwtproxy {
+    server unix:/tmp/jwtproxy.sock fail_timeout=0;
+}
 upstream verbs_app_server {
     server unix:/tmp/gunicorn_verbs.sock fail_timeout=0;
 }

conf/init/service/jwtproxy/log/run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec logger -i -t jwtproxy 

conf/init/service/jwtproxy/run

@@ -0,0 +1,8 @@
+#! /bin/bash
+
+echo 'Starting jwtproxy'
+
+cd /
+/binary_dependencies/jwtproxy --config conf/jwtproxy_conf.yaml
+
+echo 'Jwtproxy exited'

conf/jwtproxy_conf.yaml

@@ -0,0 +1,13 @@
+jwtproxy:
+  signer_proxy:
+    enabled: false
+  verifier_proxy:
+    enabled: true
+    listen_addr: unix:/tmp/jwtproxy.sock
+    verifier:
+      upstream: unix:/tmp/gunicorn_web.sock 
+      audience: http://quay.io
+      key_server:
+        type: keyregistry
+        options:
+          registry: unix:/tmp/gunicorn_web.sock 

conf/server-base.conf

@@ -49,6 +49,10 @@ location ~ ^/(v1/repositories|v2/auth)/ {
     limit_req zone=repositories burst=10;
 }
 
+location /api/v1/secscan/ {
+    proxy_pass http://jwtproxy;
+}
+
 location ~ ^/v2 {
     # If we're being accessed via v1.quay.io, pretend we don't support v2.
     if ($host = "v1.quay.io") {