Only allow containerbuild to push to the registry

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Patrick Uiterwijk 2016-04-12 16:12:44 +00:00
parent 47a87e6e05
commit 5888a3c32b
3 changed files with 31 additions and 0 deletions


@ -0,0 +1 @@
/C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=containerbuild/emailAddress=buildsys@fedoraproject.org:xxj31ZMTZzkVA
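Review bot: This passwd entry deserves a comment saying what it is, because `xxj31ZMTZzkVA` reads like a leaked credential but is the fixed value that mod_ssl's FakeBasicAuth expects (the crypt of the constant string `password`), so it is not a secret. The access decision rests on the client certificate's subject DN matching this line exactly and on which CA httpd trusts for client certificates. If the file format tolerates `#` lines (mod_authn_file appears to skip them; worth confirming), a first line such as `# FakeBasicAuth entry: subject DN of the containerbuild client cert, fixed placeholder hash` would save the next reader the lookup.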


@ -6,3 +6,12 @@
tags:
- fedora-web
- fedora-web/registry
- name: Copy over the registry passwd
copy: src=passwd dest=/etc/httpd/conf.d/registry.fedoraproject.org/passwd
owner=root group=root mode=0644
notify:
- reload httpd
tags:
- fedora-web
- fedora-web/registry
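Review bot: The `dest` of this copy task, `/etc/httpd/conf.d/registry.fedoraproject.org/passwd`, does not match the `AuthUserFile` line in the httpd config section of this commit, which points at `/etc/httpd/conf.d/register.fedoraproject.org/passwd`. Unless a `register.fedoraproject.org` directory is populated elsewhere, httpd would look for a file this task never installs, and certificate-mapped logins for pushes would presumably fail. Assuming the directory name used here is the intended one, the config line should read `AuthUserFile /etc/httpd/conf.d/registry.fedoraproject.org/passwd`. The task list begins before this hunk.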


@ -9,3 +9,24 @@ ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
SSLVerifyClient optional
SSLVerifyDepth 1
SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert
SSLOptions +FakeBasicAuth
AuthUserFile /etc/httpd/conf.d/register.fedoraproject.org/passwd
<Location /v2>
Order deny,allow
Allow from all
AuthName "Registry Authentication"
AuthType Basic
# Anyone can read
<Limit GET HEAD>
Require all granted
</Limit>
# Write access to docker-deployer only
<Limit POST PUT DELETE>
Require valid-user
</Limit>
</Location>
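Review bot: `<Limit POST PUT DELETE>` protects only the three methods it lists, so any other method sent to `/v2` falls outside both `<Limit>` blocks and gets no `Require` from this section; PATCH, which the registry v2 API uses for blob upload chunks, is one such method. Inverting the block to `<LimitExcept GET HEAD>` … `</LimitExcept>` with `Require valid-user` inside makes everything except reads require the certificate-mapped user. The comment `# Write access to docker-deployer only` should name containerbuild, the only entry in the passwd file this commit adds. The legacy `Order deny,allow` / `Allow from all` pair is mixed with 2.4-style `Require` lines, and keeping one style would make the effective policy easier to read. The enclosing virtual host configuration starts before this hunk.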