address review comments

- more inline documentation
 - don't explicitly specify audience
 - approver is optional in `generate_key`
 - ADD -> RUN for better caching of jwtproxy

Dockerfile

@@ -35,7 +35,7 @@ RUN curl -O https://storage.googleapis.com/golang/go1.6.linux-amd64.tar.gz && \
     sudo rm -rf /gocode && sudo rm -rf /usr/local/go
 
 # Install jwtproxy
-ADD https://github.com/coreos/jwtproxy/releases/download/v0.0.1/jwtproxy-linux-x64 /usr/local/bin/jwtproxy
+RUN curl -L -o /usr/local/bin/jwtproxy https://github.com/coreos/jwtproxy/releases/download/v0.0.1/jwtproxy-linux-x64
 RUN chmod +x /usr/local/bin/jwtproxy
 
 # Install Grunt

boot.py

@@ -1,23 +1,22 @@
 #!/usr/bin/env python
 
-from datetime import datetime, timedelta
+from datetime import datetime
 from urlparse import urlunparse
-import json
 
-from jwkest.jwk import RSAKey
 from jinja2 import Template
 import release
 
 from app import app
-from data.database import ServiceKeyApprovalType
 from data.model.release import set_region_release
-from data.model.service_keys import generate_service_key, approve_service_key
 from util.config.database import sync_database_with_config
 from util.generatepresharedkey import generate_key
 
 
 def create_quay_service_key():
-  quay_key, key_id = generate_key(None, 'quay', 'quay')
+  """
+  Creates a service key for quay to use in the jwtproxy
+  """
+  quay_key, key_id = generate_key('quay', 'quay')
 
   with open('/conf/quay.pem', mode='w') as f:
     f.truncate(0)
@@ -26,8 +25,33 @@ def create_quay_service_key():
   return key_id
 
 
-def create_jwtproxy_conf(quay_key_id):
+def get_audience():
   audience = app.config.get('JWTPROXY_AUDIENCE')
+
+  if audience:
+    return audience
+
+  scheme = app.config.get('PREFERRED_URL_SCHEME')
+  hostname = app.config.get('SERVER_HOSTNAME')
+
+  # hostname includes port, use that
+  if ':' in hostname:
+    return urlunparse((scheme, hostname, '', '', '', ''))
+
+  # no port, guess based on scheme
+  if scheme == 'https':
+    port = '443'
+  else:
+    port = '80'
+
+  return urlunparse((scheme, hostname + ':' + port, '', '', '', ''))
+
+
+def create_jwtproxy_conf(quay_key_id):
+  """
+  Generates the jwtproxy conf from the jinja template
+  """
+  audience = get_audience()
   registry = audience + '/keys'
 
   with open("/conf/jwtproxy_conf.yaml.jnj") as f:

conf/init/create_certs.sh

@@ -1,7 +1,7 @@
 #! /bin/bash
 set -e
 
-# Create certs
+# Create certs for jwtproxy to mitm outgoing TLS connections
 echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare mitm
 cp mitm-key.pem /conf/mitm.key
 cp mitm.pem /conf/mitm.cert

config.py

@@ -289,8 +289,14 @@ class DefaultConfig(object):
     'API_TIMEOUT_SECONDS': 10,
     'API_TIMEOUT_POST_SECONDS': 480,
   }
+
+  # JWTProxy Settings
+  # The address (sans schema) to proxy outgoing requests through the jwtproxy
+  # to be signed
   JWTPROXY_SIGNER = 'localhost:8080'
-  JWTPROXY_AUDIENCE = 'https://quay.io:443'
+  # The audience that jwtproxy should verify on incoming requests
+  # If None, will be calculated off of the SERVER_HOSTNAME (default)
+  JWTPROXY_AUDIENCE = None
 
   # Torrent management flags
   FEATURE_BITTORRENT = False

util/generatepresharedkey.py

@@ -6,7 +6,7 @@ from timeparse import ParseDatetime
 
 import argparse
 
-def generate_key(approver, service, name, expiration_date=None, notes=None):
+def generate_key(service, name, approver=None, expiration_date=None, notes=None):
   metadata = {
     'created_by': 'CLI tool',
   }