Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								1536709c02 
								
							 
						 
						
							
							
								
								Small fixes  
							
							
							
						 
						
							2016-01-29 20:01:17 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Jake Moshenko 
								
							 
						 
						
							
							
							
							
								
							
							
								01a92a66ba 
								
							 
						 
						
							
							
								
								Refresh base image and python dependencies  
							
							
							
						 
						
							2016-01-27 11:36:40 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Matt Jibson 
								
							 
						 
						
							
							
							
							
								
							
							
								01fe548abd 
								
							 
						 
						
							
							
								
								Use env vars to set k8s endpoint URL  
							
							
							
							
							The old DNS method is optionally enabled in k8s, but the env vars are
always there.
partial solution to #864  
							
						 
						
							2015-11-13 17:05:14 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Silas Sewell 
								
							 
						 
						
							
							
							
							
								
							
							
								5000b1621c 
								
							 
						 
						
							
							
								
								superuser: add storage replication config  
							
							
							
						 
						
							2015-11-09 17:34:22 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								05262125a0 
								
							 
						 
						
							
							
								
								Make the namespace and secret name configurable via env var for the k8s provider  
							
							
							
							
							Fixes  #695  
						
							2015-10-23 12:18:11 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								6f2271d0ae 
								
							 
						 
						
							
							
								
								Add support for direct download in Swift storage engine  
							
							
							
							
							Fixes  #483  
						
							2015-09-14 18:00:03 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								fd3a21fba9 
								
							 
						 
						
							
							
								
								Add Kubernetes configuration provider which writes config to a secret  
							
							
							
							
							Fixes  #145  
						
							2015-09-10 12:19:59 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								88a04441de 
								
							 
						 
						
							
							
								
								Extract the config provider into its own sub-module  
							
							
							
						 
						
							2015-09-10 12:19:59 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								c2fe751d15 
								
							 
						 
						
							
							
								
								Despite being disabled, OAuth config is still read, so switch to .get  
							
							
							
						 
						
							2015-09-10 12:09:01 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								c0286d1ac3 
								
							 
						 
						
							
							
								
								Add support for Dex to Quay  
							
							
							
							
							Fixes  #306 
- Adds support for Dex as an OAuth external login provider
- Adds support for OIDC in general
- Extract out external logins on the JS side into a service
- Add a feature flag for disabling direct login
- Add support for directing to the single external login service
- Does *not* yet support the config in the superuser tool 
						
							2015-09-04 17:05:06 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Jake Moshenko 
								
							 
						 
						
							
							
							
							
								
							
							
								18100be481 
								
							 
						 
						
							
							
								
								Refactor the util directory to use subpackages.  
							
							
							
						 
						
							2015-08-03 16:04:19 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								26ae629189 
								
							 
						 
						
							
							
								
								Prevent local storage setup on non-mounted paths  
							
							
							
							
							Fixes  #269  
						
							2015-07-27 14:32:02 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								38a6b3621c 
								
							 
						 
						
							
							
								
								Automatically link the superuser account to federated service for auth  
							
							
							
							
							When the user commits the configuration, if they have chosen a non-DB auth system, we now auto-link the superuser account to that auth system, to ensure they can log in again after restart. 
							
						 
						
							2015-07-22 13:37:23 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								33b54218cc 
								
							 
						 
						
							
							
								
								Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials method which only does the verification, without the linking. We use this in the superuser verification pass  
							
							
							
						 
						
							2015-07-20 11:39:59 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								066637f496 
								
							 
						 
						
							
							
								
								Basic Keystone Auth support  
							
							
							
							
							Note: This has been verified as working by the end customer 
							
						 
						
							2015-07-20 10:55:21 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Jake Moshenko 
								
							 
						 
						
							
							
							
							
								
							
							
								bc29561f8f 
								
							 
						 
						
							
							
								
								Fix and templatize the logic for external JWT AuthN and registry v2 Auth.  
							
							
							
							
							Make it explicit that the registry-v2 stuff is not ready for prime time. 
							
						 
						
							2015-07-17 11:56:15 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								4726559322 
								
							 
						 
						
							
							
								
								The database SSL name needs to be in its own list  
							
							
							
							
							Fixes  #243  
						
							2015-07-16 00:49:07 +03:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								bb07d0965f 
								
							 
						 
						
							
							
								
								Allow SSL cert for the database to be configured  
							
							
							
							
							This change adds a field for the SSL cert for the database in the setup tool. Fixes  #89  
							
						 
						
							2015-06-29 08:08:10 +03:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								07439328a4 
								
							 
						 
						
							
							
								
								Remove user_exists endpoint from all auth systems  
							
							
							
						 
						
							2015-06-23 17:33:51 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								331c300893 
								
							 
						 
						
							
							
								
								Refactor JWT auth to not import app locally  
							
							
							
						 
						
							2015-06-17 15:53:21 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								90b4f0a2ed 
								
							 
						 
						
							
							
								
								Fix default log archive location for ER  
							
							
							
							
							Before this change, the ER was using the default of 'local_us' from the base config, which is incorrect, and caused no logs to be archived. 
							
						 
						
							2015-06-11 13:43:29 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								457ee7306e 
								
							 
						 
						
							
							
								
								Parenthesis fix on the JWT auth error message  
							
							
							
						 
						
							2015-06-10 16:00:25 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Jake Moshenko 
								
							 
						 
						
							
							
							
							
								
							
							
								2a2414d6af 
								
							 
						 
						
							
							
								
								Merge pull request  #60  from coreos-inc/jwtauthentication  
							
							
							
							
							Add support for an external JWT-based authentication system 
							
						 
						
							2015-06-05 13:37:42 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								8aac3fd86e 
								
							 
						 
						
							
							
								
								Add support for an external JWT-based authentication system  
							
							
							
							
							This authentication system hits two HTTP endpoints to check and verify the existence of users:
Existence endpoint:
GET http://endpoint/  with Authorization: Basic (username:) =>
    Returns 200 if the username/email exists, 4** otherwise
Verification endpoint:
GET http://endpoint/  with Authorization: Basic (username:password) =>
    Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message
The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory. 
							
						 
						
							2015-06-05 13:20:10 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								54992c23b7 
								
							 
						 
						
							
							
								
								Add a feature flag for disabling unauthenticated access to the registry in its entirety.  
							
							
							
						 
						
							2015-05-19 17:52:44 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								4f2a1b3734 
								
							 
						 
						
							
							
								
								Add setup UI for the new trigger types (bitbucket and gitlab) and add validation  
							
							
							
						 
						
							2015-05-03 11:50:26 -07:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								036c8e56e0 
								
							 
						 
						
							
							
								
								Add proper error handling when the config volume is mounted in a read-only state.  
							
							
							
						 
						
							2015-04-02 18:54:09 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								85d6500daa 
								
							 
						 
						
							
							
								
								Merge resistanceisfutile into master  
							
							
							
						 
						
							2015-03-23 15:39:08 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								360aa69d92 
								
							 
						 
						
							
							
								
								Fix LDAP error and url handling to be more clear for the end user  
							
							
							
						 
						
							2015-03-16 14:33:53 -04:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								4ca5d9b04b 
								
							 
						 
						
							
							
								
								Add support for filtering github login by org  
							
							
							
						 
						
							2015-03-03 19:58:42 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								2c662b7861 
								
							 
						 
						
							
							
								
								Make sure to specify a default mail sender when validating emails. Unfortunately for us, flask-mail by default uses the sender from the *global* app instance, rather than the one specified in the Mail(...) call. This was breaking validation.  
							
							
							
						 
						
							2015-03-03 13:56:32 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								7a199f63eb 
								
							 
						 
						
							
							
								
								Various small fixes and add support for subjectAltName to the SSL cert check  
							
							
							
						 
						
							2015-02-12 14:00:26 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								400ffa73e6 
								
							 
						 
						
							
							
								
								Add SSL cert and key validation  
							
							
							
						 
						
							2015-02-05 13:06:56 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								c8229b9c8a 
								
							 
						 
						
							
							
								
								Implement new step-by-step setup  
							
							
							
						 
						
							2015-01-23 17:19:15 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								28d319ad26 
								
							 
						 
						
							
							
								
								Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not).  
							
							
							
						 
						
							2015-01-20 12:43:11 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								53e5fc6265 
								
							 
						 
						
							
							
								
								Have the config setup tool automatically prepare the S3 or GCS storage with CORS config  
							
							
							
						 
						
							2015-01-16 16:10:40 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								0d2c42ad03 
								
							 
						 
						
							
							
								
								Fix tests  
							
							
							
						 
						
							2015-01-09 17:11:51 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								6d604a656a 
								
							 
						 
						
							
							
								
								Move config handling into a provider class to make testing much easier  
							
							
							
						 
						
							2015-01-09 16:23:31 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								bfd273d16f 
								
							 
						 
						
							
							
								
								- Make validation a bit nicer:  
							
							
							
							
							- Add timeout to the DB validation
  - Make DB validation exception handling a bit nicer
  - Move the DB validation error message
- Fix bug around RADOS config default for Is Secure
- Allow hiding of the validation box 
							
						 
						
							2015-01-08 15:27:49 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								5ac2c4970a 
								
							 
						 
						
							
							
								
								Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth  
							
							
							
						 
						
							2015-01-08 13:56:17 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								5e0ce4eea9 
								
							 
						 
						
							
							
								
								Add validation of github to the config tool  
							
							
							
						 
						
							2015-01-08 13:26:24 -05:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Joseph Schorr 
								
							 
						 
						
							
							
							
							
								
							
							
								63504c87fb 
								
							 
						 
						
							
							
								
								Get end-to-end configuration setup working, including verification (except for Github, which is in progress)  
							
							
							
						 
						
							2015-01-07 16:20:51 -05:00