Commit 03cd67ed authored by BAIRE Anthony's avatar BAIRE Anthony

store the token signing certificate in the read-only volume

(and have it generated by the container_init script)
parent 9b2b0ac5
......@@ -32,12 +32,17 @@ EOF
fi
}
# generate the certificate & key for signing the tokens
generate_secrets()
# install the tokens certificate into the registry external volume
install_secrets()
{
mkdir -p certs
if [ ! -f cert/server.key ] & [ ! -f certs/server.crt ]; then
openssl req -subj '/CN=localhost/O=Registry Demo/C=US' -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout certs/server.key -out certs/server.crt
src=data/django/ro/certs/tokens.crt
dst=data/registry
if [ -f "$src" ] && [ -d "$dst" ] ; then
echo "Install tokens certificate as $dst/ro/tokens.crt"
mkdir -p "$dst/ro"
cp "$src" "$dst/ro/"
fig restart dev-registry
fi
}
......@@ -167,8 +172,6 @@ done
generate_env_file
generate_secrets
if [ -z "$NOBUILD" ] ; then
# build base image (if not present)
(set -x ; make base-debian)
......@@ -188,5 +191,7 @@ if [ -z "$NOBUILD" ] && echo "$TODO" | grep -q dev-rails ; then
build_factories
fi
install_secrets
# display running containers
docker-compose ps
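Review bot: install_secrets silently does nothing when `data/django/ro/certs/tokens.crt` does not exist yet, and since the third hunk calls it only once at the very end of the script, a first run where the django container has not produced the certificate leaves the registry configured with a root cert bundle that is not there, with no message to the operator. Add an else branch such as `else echo "warning: $src not found, tokens certificate not installed into $dst/ro" >&2` (or exit non-zero if the script is meant to be rerun until it succeeds) so the missing step is visible. A short comment on the `cp` line, e.g. `# only the public certificate is copied; tokens.key stays in the django volume`, would document the intended trust boundary for the next reader. The `fig restart dev-registry` inside the same branch is fine, but note it also runs on every rerun that finds the cert, so a restart happens even when the copied file is unchanged.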
......@@ -174,9 +174,8 @@ with env_loader.EnvironmentVarLoader(__name__, "ALLGO_",
# allgo authentication tokens
#
# TODO: decide a default location in the container
env_var("ALLGO_TOKEN_SIGNING_KEY_PATH",
default="/certs/server.key",
default="/vol/ro/certs/tokens.key",
help="path of the secret key (PEM file) for signing authentication tokens")
env_var("ALLGO_TOKEN_SIGNING_KEY_TYPE", protected=True,
......
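Review bot: The `# TODO: decide a default location in the container` comment two lines above the changed `env_var` call is now stale, since this change settles on `/vol/ro/certs/tokens.key` as the default. Either drop it or replace it with something like `# default: produced by the gen-cert init script into the read-only volume`; that attribution is inferred from the other files in this commit, so confirm it before wording the comment that way. The `env_var(...)` call appears to continue past the hunk, so the `help=` text following it was not reviewed here.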
#!/bin/sh
set -e -x
# generate the tokens certificate
gen-cert
# wait until the mysql server is ready
wait-mysql
......@@ -10,4 +13,3 @@ mkdir -p /vol/cache/allgo
/bin/bash /opt/allgo/tools/migration.sh -e allgo allgo "$ENV-mysql" allgo
/bin/bash /opt/allgo/tools/migration.sh -d allgo allgo "$ENV-mysql" allgo
/bin/bash /opt/allgo/tools/migration.sh -m allgo allgo "$ENV-mysql" allgo
#!/bin/sh
set -e
DIR=/vol/ro/certs
mkdir -p "$DIR"
cd "$DIR"
echo "Generating the certificate for signing tokens"
openssl req -subj "/CN=allgo-$ENV" -new -newkey rsa -days 365 -nodes -x509 -keyout tokens.key -out tokens.crt
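Review bot: gen-cert regenerates `tokens.key` and `tokens.crt` unconditionally, and container_init calls it on every start, so each container restart rotates the signing key: tokens issued before the restart stop verifying, and the copy of `tokens.crt` that install_secrets placed in the registry volume no longer matches the key in use. Guard the generation with an existence check so it happens once per volume. The removed script requested `rsa:2048` explicitly, whereas `-newkey rsa` here falls back to whatever the OpenSSL build or config defaults to, so keep the size explicit. The private key is written with `-nodes` under the default umask, so tighten its mode after generation; `$ENV` is also used without `set -u`, so an unset value silently yields the CN `allgo-`.

```shell
cd "$DIR"
: "${ENV:?ENV must be set}"
# generate only once: a new key would invalidate already-issued tokens
# and desynchronize the certificate copied into the registry volume
if [ -f tokens.key ] && [ -f tokens.crt ]; then
  echo "Tokens certificate already present in $DIR, skipping generation"
  exit 0
fi
echo "Generating the certificate for signing tokens"
openssl req -subj "/CN=allgo-$ENV" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout tokens.key -out tokens.crt
chmod 600 tokens.key   # private key must not be group/world readable in the shared volume
```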
......@@ -26,7 +26,6 @@ services:
volumes:
- "/data/dev/django:/vol"
- "./django:/opt/allgo"
- "./certs:/certs"
networks: [dev]
tty: true
stdin_open: true
......@@ -41,7 +40,6 @@ services:
ALLGO_JUPYTER_URL: "http://0.0.0.0:8000/hub/login"
ALLGO_HTTP_SERVER: "django"
ALLGO_EMAIL_BACKEND: "django.core.mail.backends.console.EmailBackend"
ALLGO_TOKEN_SIGNING_KEY_PATH: "/certs/server.key"
# REDIS
......@@ -64,14 +62,14 @@ services:
ports:
- "5000:5000"
volumes:
- "./certs:/certs"
- "/data/dev/registry:/vol"
environment:
REGISTRY_LOG_LEVEL: "debug"
REGISTRY_AUTH: "token"
REGISTRY_AUTH_TOKEN_REALM: "http://0.0.0.0:8008/jwt/auth"
REGISTRY_AUTH_TOKEN_SERVICE: "allgo_registry"
REGISTRY_AUTH_TOKEN_ISSUER: "allgo_oauth"
REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: "/certs/server.crt"
REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: "/vol/ro/tokens.crt"
networks: [dev]
# CONTROLLER
......
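Review bot: The registry now reads its trust root from `/vol/ro/tokens.crt`, but `/vol` is bind-mounted read-write from `/data/dev/registry`, so "ro" is only a directory name and a process inside the registry container could overwrite the certificate it validates tokens against. Mounting that subtree read-only, e.g. adding `- "/data/dev/registry/ro:/vol/ro:ro"` after the existing `/vol` mount, enforces the intent at the container boundary; install_secrets writes to the host path, so it is unaffected. The same restriction does not obviously apply to the django service's `/vol`, since this commit has gen-cert writing `/vol/ro/certs` from inside that container at start-up, so a read-only mount there would need the generation step moved to the host first.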