Zot: Use OAuth2 for authorization
Change-Id: I2569f4df3ad3eff4d94eaa5b67e1180915eceebc
diff --git a/charts/zot/templates/deployment.yaml b/charts/zot/templates/deployment.yaml
index 8918bc0..68b0342 100644
--- a/charts/zot/templates/deployment.yaml
+++ b/charts/zot/templates/deployment.yaml
@@ -69,41 +69,41 @@
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
- livenessProbe:
- initialDelaySeconds: 5
- httpGet:
- path: /v2/
- port: 5000
- scheme: {{ .Values.httpGet.scheme }}
- {{- if .Values.authHeader }}
- httpHeaders:
- - name: Authorization
- value: Basic {{ .Values.authHeader }}
- {{- end }}
- readinessProbe:
- initialDelaySeconds: 5
- httpGet:
- path: /v2/
- port: 5000
- scheme: {{ .Values.httpGet.scheme }}
- {{- if .Values.authHeader }}
- httpHeaders:
- - name: Authorization
- value: Basic {{ .Values.authHeader }}
- {{- end }}
- startupProbe:
- initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
- periodSeconds: {{ .Values.startupProbe.periodSeconds }}
- failureThreshold: {{ .Values.startupProbe.failureThreshold }}
- httpGet:
- path: /v2/
- port: 5000
- scheme: {{ .Values.httpGet.scheme }}
- {{- if .Values.authHeader }}
- httpHeaders:
- - name: Authorization
- value: Basic {{ .Values.authHeader }}
- {{- end }}
+ # livenessProbe:
+ # initialDelaySeconds: 5
+ # httpGet:
+ # path: /v2/
+ # port: 5000
+ # scheme: {{ .Values.httpGet.scheme }}
+ # {{- if .Values.authHeader }}
+ # httpHeaders:
+ # - name: Authorization
+ # value: Basic {{ .Values.authHeader }}
+ # {{- end }}
+ # readinessProbe:
+ # initialDelaySeconds: 5
+ # httpGet:
+ # path: /v2/
+ # port: 5000
+ # scheme: {{ .Values.httpGet.scheme }}
+ # {{- if .Values.authHeader }}
+ # httpHeaders:
+ # - name: Authorization
+ # value: Basic {{ .Values.authHeader }}
+ # {{- end }}
+ # startupProbe:
+ # initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+ # periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+ # failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+ # httpGet:
+ # path: /v2/
+ # port: 5000
+ # scheme: {{ .Values.httpGet.scheme }}
+ # {{- if .Values.authHeader }}
+ # httpHeaders:
+ # - name: Authorization
+ # value: Basic {{ .Values.authHeader }}
+ # {{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if or .Values.mountConfig .Values.mountSecret .Values.persistence .Values.externalSecrets (not (empty .Values.extraVolumes))}}
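Review bot: Commenting out the livenessProbe, readinessProbe and startupProbe blocks (the 35 added lines after the `{{- end }}` context) removes every health check from the Zot container, so a hung or not-yet-listening process is no longer restarted or held out of the Service, and the template keeps dead commented text that still references `.Values.authHeader` and `.Values.startupProbe`. If the probes have to be off while authentication is reworked, delete the block or gate it on a value rather than commenting it out, e.g. `{{- if .Values.probes.enabled }}` before the original `livenessProbe:` and a matching `{{- end }}` after the startupProbe's `{{- end }}` (the value name is a constructed example). Whether the `/v2/` probes actually fail under the new OpenID configuration is not visible in this hunk, so the reason for disabling them should be stated in a comment at that spot.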
diff --git a/core/installer/values-tmpl/zot.cue b/core/installer/values-tmpl/zot.cue
index cd0feca..6b86890 100644
--- a/core/installer/values-tmpl/zot.cue
+++ b/core/installer/values-tmpl/zot.cue
@@ -1,4 +1,5 @@
import (
+ "encoding/yaml"
"encoding/json"
)
@@ -46,13 +47,91 @@
branch: "main"
path: "charts/zot"
}
+ oauth2Client: {
+ kind: "GitRepository"
+ address: "https://github.com/giolekva/pcloud.git"
+ branch: "main"
+ path: "charts/oauth2-client"
+ }
+ resourceRenderer: {
+ kind: "GitRepository"
+ address: "https://github.com/giolekva/pcloud.git"
+ branch: "main"
+ path: "charts/resource-renderer"
+ }
}
volumes: zot: size: "100Gi"
_httpPort: 80
+_oauth2ClientSecretName: "oauth2-client"
helm: {
+ "oauth2-client": {
+ chart: charts.oauth2Client
+ info: "Creating OAuth2 client"
+ // TODO(gio): remove once hydra maester is installed as part of dodo itself
+ dependsOn: [{
+ name: "auth"
+ namespace: "\(global.namespacePrefix)core-auth"
+ }]
+ values: {
+ name: "\(release.namespace)-zot"
+ secretName: _oauth2ClientSecretName
+ grantTypes: ["authorization_code"]
+ responseTypes: ["code"]
+ scope: "openid profile email groups"
+ redirectUris: ["https://\(_domain)/zot/auth/callback/oidc"]
+ hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
+ }
+ }
+ "config-renderer": {
+ chart: charts.resourceRenderer
+ info: "Generating Zot configuration"
+ values: {
+ name: "config-renderer"
+ secretName: _oauth2ClientSecretName
+ resourceTemplate: yaml.Marshal({
+ apiVersion: "v1"
+ kind: "ConfigMap"
+ metadata: {
+ name: _zotConfigMapName
+ namespace: "\(release.namespace)"
+ }
+ data: {
+ "config.json": json.Marshal({
+ storage: rootDirectory: "/var/lib/registry"
+ http: {
+ address: "0.0.0.0"
+ port: "5000"
+ externalUrl: url
+ auth: openid: providers: oidc: {
+ name: "dodo:"
+ issuer: "https://hydra.\(networks.public.domain)"
+ clientid: "{{ .client_id }}"
+ clientsecret: "{{ .client_secret }}"
+ keypath: ""
+ scopes: ["openid", "profile", "email", "groups"]
+ }
+ accessControl: {
+ repositories: {
+ "**": {
+ defaultPolicy: ["read", "create", "update", "delete"]
+ anonymousPolicy: ["read"]
+ }
+ }
+ }
+ }
+ log: level: "debug"
+ extensions: {
+ ui: enable: true
+ search: enable: true
+ }
+ })
+ }
+ })
+ }
+ }
zot: {
chart: charts.zot
info: "Installing Zot server"
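Review bot: The rendered `config.json` (from `"config.json": json.Marshal({` onward) embeds `clientsecret: "{{ .client_secret }}"`, but the resourceTemplate wraps it in `kind: "ConfigMap"`, so the OAuth2 client secret read from `_oauth2ClientSecretName` is written back into a plain ConfigMap that is readable by anyone with configmap access in the namespace and is not covered by Secret-specific encryption or RBAC. Render it as a Secret instead: `kind: "Secret"` and `stringData: {` in place of `data: {` here, and in the last hunk mount it with `secret: secretName: _zotConfigMapName` rather than `configMap: name: _zotConfigMapName` (renaming `_zotConfigMapName` accordingly). The access-control block appears to grant every authenticated identity `create`, `update` and `delete` on `"**"`, and `anonymousPolicy: ["read"]` makes all repositories readable without login; if that is intended, a one-line comment above `accessControl:` saying so would keep the next reader from treating it as an oversight. The `config-renderer` release declares no `dependsOn` on `oauth2-client` even though it reads that release's secret, which may be an ordering problem depending on how the installer sequences releases.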
@@ -70,27 +149,33 @@
port: _httpPort
}
ingress: enabled: false
- mountConfig: true
- configFiles: {
- "config.json": json.Marshal({
- storage: rootDirectory: "/var/lib/registry"
- http: {
- address: "0.0.0.0"
- port: "5000"
- }
- log: level: "debug"
- extensions: {
- ui: enable: true
- search: enable: true
- }
- })
- }
+ mountConfig: false
persistence: true
pvc: {
create: false
name: volumes.zot.name
}
+ extraVolumes: [{
+ name: "config"
+ configMap: name: _zotConfigMapName
+ }]
+ extraVolumeMounts: [{
+ name: "config"
+ mountPath: "/etc/zot"
+ }]
startupProbe: {}
}
}
}
+
+_zotConfigMapName: "zot-config"
+
+help: [{
+ title: "Authenticate"
+ contents: """
+ First generate new API key.
+ docker login \\-\\-username=**\\<YOUR-USERNAME\\>**@\(networks.public.domain) \\-\\-password=**\\<YOUR-API-KEY\\>** \(_domain)
+ docker build \\-\\-tag=\(_domain)/**\\<IMAGE-NAME\\>**:**\\<IMAGE-TAG\\>** .
+ docker push \\-\\-tag=\(_domain)/**\\<IMAGE-NAME\\>**:**\\<IMAGE-TAG\\>**
+ """
+}]
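Review bot: The help text's third command, `docker push \\-\\-tag=...`, is not valid: `docker push` takes the image reference as a positional argument and has no `--tag` option (that flag belongs to `docker build`), so the documented step fails as written. Change it to `docker push \(_domain)/**\\<IMAGE-NAME\\>**:**\\<IMAGE-TAG\\>**`. The first line, `First generate new API key.`, gives no hint where the key is generated; naming the page or command would make the step actionable. `startupProbe: {}` is kept in the zot values even though the first hunk comments out the startupProbe template, so it is likely now unused.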