vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

address review comments

Browse source 
- more inline documentation
 - don't explicitly specify audience
 - approver is optional in `generate_key`
 - ADD -> RUN for better caching of jwtproxy
This commit is contained in:
Evan Cordell 2016-04-28 20:10:28 -05:00 committed by Jimmy Zelinskie
parent 9df650688b
commit c766727d1d
5 changed files with 41 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Dockerfile
View file

@ -35,7 +35,7 @@ RUN curl -O https://storage.googleapis.com/golang/go1.6.linux-amd64.tar.gz && \
sudo rm -rf /gocode && sudo rm -rf /usr/local/go sudo rm -rf /gocode && sudo rm -rf /usr/local/go
# Install jwtproxy # Install jwtproxy
ADD https://github.com/coreos/jwtproxy/releases/download/v0.0.1/jwtproxy-linux-x64 /usr/local/bin/jwtproxy RUN curl -L -o /usr/local/bin/jwtproxy https://github.com/coreos/jwtproxy/releases/download/v0.0.1/jwtproxy-linux-x64
RUN chmod +x /usr/local/bin/jwtproxy RUN chmod +x /usr/local/bin/jwtproxy
# Install Grunt # Install Grunt

38
boot.py
View file

@ -1,23 +1,22 @@
#!/usr/bin/env python #!/usr/bin/env python
from datetime import datetime, timedelta from datetime import datetime
from urlparse import urlunparse from urlparse import urlunparse
import json
from jwkest.jwk import RSAKey
from jinja2 import Template from jinja2 import Template
import release import release
from app import app from app import app
from data.database import ServiceKeyApprovalType
from data.model.release import set_region_release from data.model.release import set_region_release
from data.model.service_keys import generate_service_key, approve_service_key
from util.config.database import sync_database_with_config from util.config.database import sync_database_with_config
from util.generatepresharedkey import generate_key from util.generatepresharedkey import generate_key
def create_quay_service_key(): def create_quay_service_key():
quay_key, key_id = generate_key(None, 'quay', 'quay') """
Creates a service key for quay to use in the jwtproxy
"""
quay_key, key_id = generate_key('quay', 'quay')
with open('/conf/quay.pem', mode='w') as f: with open('/conf/quay.pem', mode='w') as f:
f.truncate(0) f.truncate(0)
@ -26,8 +25,33 @@ def create_quay_service_key():
return key_id return key_id
def create_jwtproxy_conf(quay_key_id): def get_audience():
audience = app.config.get('JWTPROXY_AUDIENCE') audience = app.config.get('JWTPROXY_AUDIENCE')
if audience:
return audience
scheme = app.config.get('PREFERRED_URL_SCHEME')
hostname = app.config.get('SERVER_HOSTNAME')
# hostname includes port, use that
if ':' in hostname:
return urlunparse((scheme, hostname, '', '', '', ''))
# no port, guess based on scheme
if scheme == 'https':
port = '443'
else:
port = '80'
return urlunparse((scheme, hostname + ':' + port, '', '', '', ''))
def create_jwtproxy_conf(quay_key_id):
"""
Generates the jwtproxy conf from the jinja template
"""
audience = get_audience()
registry = audience + '/keys' registry = audience + '/keys'
with open("/conf/jwtproxy_conf.yaml.jnj") as f: with open("/conf/jwtproxy_conf.yaml.jnj") as f:

2
conf/init/create_certs.sh
View file

@ -1,7 +1,7 @@
#! /bin/bash #! /bin/bash
set -e set -e
# Create certs # Create certs for jwtproxy to mitm outgoing TLS connections
echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare mitm echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare mitm
cp mitm-key.pem /conf/mitm.key cp mitm-key.pem /conf/mitm.key
cp mitm.pem /conf/mitm.cert cp mitm.pem /conf/mitm.cert

8
config.py
View file

@ -289,8 +289,14 @@ class DefaultConfig(object):
'API_TIMEOUT_SECONDS': 10, 'API_TIMEOUT_SECONDS': 10,
'API_TIMEOUT_POST_SECONDS': 480, 'API_TIMEOUT_POST_SECONDS': 480,
} }
# JWTProxy Settings
# The address (sans schema) to proxy outgoing requests through the jwtproxy
# to be signed
JWTPROXY_SIGNER = 'localhost:8080' JWTPROXY_SIGNER = 'localhost:8080'
JWTPROXY_AUDIENCE = 'https://quay.io:443' # The audience that jwtproxy should verify on incoming requests
# If None, will be calculated off of the SERVER_HOSTNAME (default)
JWTPROXY_AUDIENCE = None
# Torrent management flags # Torrent management flags
FEATURE_BITTORRENT = False FEATURE_BITTORRENT = False

2
util/generatepresharedkey.py
View file

@ -6,7 +6,7 @@ from timeparse import ParseDatetime
import argparse import argparse
def generate_key(approver, service, name, expiration_date=None, notes=None): def generate_key(service, name, approver=None, expiration_date=None, notes=None):
metadata = { metadata = {
'created_by': 'CLI tool', 'created_by': 'CLI tool',
} }