diff --git a/examples/reference.yml b/examples/reference.yml index ce741d0..4adec43 100644 --- a/examples/reference.yml +++ b/examples/reference.yml @@ -10,452 +10,452 @@ # autoredirect: false # rootcertbundle: "/path/to/server.pem" -server: # Server settings. - # Address to listen on. - # Can be HOST:PORT for TCP or file path (e.g. /run/docker_auth.sock) for Unix socket. - addr: ":5001" - - # Network, can be "tcp" or "unix" ("tcp" if unspecified). - net: "tcp" - - # URL path prefix to use. - path_prefix: "" - - # TLS options. - # - # Use specific certificate and key. - certificate: "/path/to/server.pem" - key: "/path/to/server.key" - # - # The following optional settings will fine tune TLS configuration to improve security. - # Leaving them unset should be just fine for most installations. - # - # Enable HTTP Strict Transport Security. - # hsts: true - # - # Set minimum TLS version. - # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants - # Either the version name (i.e. TLS11) or its uint16 value can be specified. - # tls_min_version: TLS12 - # - # List of TLS curve preferences. - # Values can be found at https://golang.org/pkg/crypto/tls/#CurveID - # Either CurveID names (i.e. P384) or uint16 values can be specified. - # tls_curve_preferences: - # - P521 - # - 24 - # - P256 - # - # List of enabled TLS cipher suites. - # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants - # Either CipherSuite names (i.e. TLS_RSA_WITH_RC4_128_SHA) or uint16 values can be specified. - # tls_cipher_suites: - # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - # - 0xc014 - # - 0xc00a - - # Use LetsEncrypt (https://letsencrypt.org/) to automatically obtain and maintain a certificate. - # Note that this only applies to server TLS certificate, this certificate will not be used for tokens - letsencrypt: - # Email is required. It will be used to register with LetsEncrypt. - email: webmaster@example.org - # Cache directory, where certificates issued by LE will be stored. Must exist. - # It is recommended to make it a volume mount so it persists across restarts. - cache_dir: /data/sslcache - # Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to. - # With this option, you can limit it to a specific host name. - # host: "docker.example.org" - # If neither certificate+key or letsencrypt are configured, the listener does not use TLS. - - # Take client's address from the specified HTTP header instead of connection. - # May be useful if the server is behind a proxy or load balancer. - # If configured, this header must be present, requests without it will be rejected. - # real_ip_header: "X-Forwarded-For" - # Optional position of client ip in X-Forwarded-For, negative starts from - # end of addresses. - # real_ip_pos: -2 - -token: # Settings for the tokens. - issuer: "Acme auth server" # Must match issuer in the Registry config. - expiration: 900 - # Token must be signed by a certificate that registry trusts, i.e. by a certificate to which a trust chain - # can be constructed from one of the certificates in registry's auth.token.rootcertbundle. - # If not specified, server's TLS certificate and key are used. - # certificate: "..." - # key: "..." - -# Authentication methods. All are tried, any one returning success is sufficient. -# At least one must be configured. If you want an unauthenticated public setup, -# configure static user map with anonymous access. - -# Static user map. -users: - # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate. - "admin": - password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin - "test": - password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123 - "": {} # Allow anonymous (no "docker login") access. - -# Google authentication. -# ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK. -# Instead, Auth server maintains a database of Google authentication tokens. -# Go to the server's port as HTTPS with your browser and follow the "Login with Google account" link. -# Once signed in, you will get a throw-away password which you can use for Docker login. -google_auth: - domain: "example.com" # Optional. If set, only logins from this domain are accepted. - # client_id and client_secret for API access. Required. - # Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project - # NB: Make sure JavaScript origins are configured correctly, and that third-party - # cookies are not blocked in the browser being used to login. - client_id: "1223123456-somethingsomething.apps.googleusercontent.com" - # Either client_secret or client_secret_file is required. Use client_secret_file if you don't - # want to have sensitive information checked in. - # client_secret: "verysecret" - client_secret_file: "/path/to/client_secret.txt" - # Where to store server tokens. Required. - token_db: "/somewhere/to/put/google_tokens.ldb" - # How long to wait when talking to Google servers. Optional. - http_timeout: 10 - -# GitHub authentication. -# ==! NB: DO NOT ENTER YOUR GITHUB PASSWORD AT "docker login". IT WILL NOT WORK. -# Instead, Auth server maintains a database of GitHub authentication tokens. -# Go to the server's port as HTTPS with your browser and follow the "Login with GitHub account" link. -# Once signed in, you will get a throw-away password which you can use for Docker login. -github_auth: - organization: "acme" # Optional. If set, only logins from this organization are accepted. - # client_id and client_secret for API access. Required. - # You can register a new application here: https://github.com/settings/developers - # NB: Make sure JavaScript origins are configured correctly, and that third-party - # cookies are not blocked in the browser being used to login. - client_id: "1223123456" - # Either client_secret or client_secret_file is required. Use client_secret_file if you don't - # want to have sensitive information checked in. - # client_secret: "verysecret" - client_secret_file: "/path/to/client_secret.txt" - # Either token_db file for storing of server tokens. - token_db: "/somewhere/to/put/github_tokens.ldb" - # or google cloud storage for storing of the sensitive information, - gcs_token_db: - bucket: "tokenBucket" - client_secret_file: "/path/to/client_secret.json" - # or Redis, - redis_token_db: - redis_options: - # with a single instance, - addr: localhost:6379 - redis_cluster_options: - # or in the cluster mode. - addrs: ["localhost:7000"] - # How long to wait when talking to GitHub servers. Optional. - http_timeout: "10s" - # How long to wait before revalidating the GitHub token. Optional. - revalidate_after: "1h" - # The Github Web URI in case you are using Github Enterprise. - # Includes the protocol, without trailing slash. Optional - defaults to: https://github.com - github_web_uri: "https://github.acme.com" - # The Github API URI in case you are using Github Enterprise. - # Includes the protocol, without trailing slash. - defaults to: https://api.github.com - github_api_uri: "https://github.acme.com/api/v3" - # Set an URL to display in the `docker login` command when succesfully authenticated. Optional. - registry_url: localhost:5000 - -# OpenID Connect authentication -# ==! NB: DO NOT ENTER YOUR OIDC PASSWORD AT "docker login". IT WILL NOT WORK. -# Instead, Auth server maintains a database of OIDC authentication tokens. -# Go to the server's port as HTTPS with your browser and follow the "Login with OIDC account" link. -# Once signed in, you will get a throw-away password which you can use for Docker login. -oidc_auth: - # --- required --- - # The issuer URL of your OIDC provider. It has to be extendable with /.well-known/openid-configuration to request all - # OIDC endpoints for token and authorization requests - issuer: "my_issuer_url" - # The redirect URI which is registered for this client at your OIDC provider. It has to end with /oidc_auth. - redirect_url: "my_redirect_uri/oidc_auth" - # The client id and client secret of the client that is registered at your OIDC provider for docker_auth - client_id: "be4ut1fu1-cl13n7-1d" - client_secret: "be4ut1fu1-cl13n7-s3cr37" - # you can also give the client_secret in a file. Either a client_secret or a client_secret_file has to be provided - # client_secret_file: "/path/to/client_secret.txt" - # - # a file in which the tokens should be stored. Does not have to exist, it will be generated in this case - token_db: "/path/to/tokens.ldb" - # --- optional --- - # How long to wait when talking to the OIDC provider. - http_timeout: 10 - # the url of the registry where you want to login. Is used to present the full docker login command. - registry_url: "url_of_my_beautiful_docker_registry" - # The claim to use for the username. - # Default: email - user_claim: email - # String array claims that will be used as labels. - label_claims: - - groups - # Default: [openid, email] - scopes: - - openid - - email - - -# Gitlab authentication. -# ==! NB: DO NOT ENTER YOUR Gitlab PASSWORD AT "docker login". IT WILL NOT WORK. -# Instead, Auth server maintains a database of Gitlab authentication tokens. -# Go to the server's port as HTTPS with your browser and follow the "Login with Gitlab account" link. -# Once signed in, you will get a throw-away password which you can use for Docker login. -gitlab_auth: - client_id: "1223123456" - # Either client_secret or client_secret_file is required. Use client_secret_file if you don't - # want to have sensitive information checked in. - # client_secret: "verysecret" - client_secret_file: "/path/to/client_secret.txt" - # Either token_db file for storing of server tokens. - token_db: "/somewhere/to/put/gitlab_tokens.ldb" - # or google cloud storage for storing of the sensitive information, - gcs_token_db: - bucket: "tokenBucket" - client_secret_file: "/path/to/client_secret.json" - # or Redis, - redis_token_db: - redis_options: - # with a single instance, - addr: localhost:6379 - redis_cluster_options: - # or in the cluster mode. - addrs: ["localhost:7000"] - # How long to wait when talking to GitLab servers. Optional. - http_timeout: "10s" - # How long to wait before revalidating the Gitlab token. Optional. - revalidate_after: "1h" - # Includes the protocol, without trailing slash. Optional - defaults to: https://gitlab.com - gitlab_web_uri: "https://gitlab.com" - # Includes the protocol, without trailing slash. - defaults to: https://gitlab.com/api/v4 - gitlab_api_uri: "https://gitlab.com/api/v4" - # Set an URL to display in the `docker login` command when successfully authenticated. Optional. - registry_url: localhost:5000 - # grant_type is used for the authentication purpose. Required. - grant_type: "authorization_code" - # Redirect uri is used for the authentication purpose. Must end with '/gitlab_auth' prefix. Required. - redirect_uri: "https://localhost:5001/gitlab_auth" - -# LDAP authentication. -# Authentication is performed by first binding to the server, looking up the user entry -# by using the specified filter, and then re-binding using the matched DN and the password provided. -ldap_auth: - # Addr is the hostname:port or ip:port - addr: ldap.example.com:636 - # Setup tls connection method to be - # "" or "none": the communication won't be encrypted - # "always": setup LDAP over SSL/TLS - # "starttls": sets StartTLS as the encryption method - tls: always - # set to true to allow insecure tls - insecure_tls_skip_verify: false - # set this to specify the ca certificate path - ca_certificate: - # In case bind DN and password is required for querying user information, - # specify them here. Plain text password is read from the file. - bind_dn: - bind_password_file: - # User query settings. ${account} is expanded from auth request - base: o=example.com - filter: (&(uid=${account})(objectClass=person)) - # Labels can be mapped from LDAP attributes - labels: - # Add the user's title to a label called title - title: - attribute: title - # Add the user's memberOf values to a label called groups - groups: - attribute: memberOf - # Special handling to simplify the values to just the common name - parse_cn: true - # lower case the value - lower_case: true - -mongo_auth: - # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo - dial_info: - # The MongoDB hostnames or IPs to connect to. - addrs: ["localhost"] - # The time to wait for a server to respond when first connecting and on - # follow up operations in the session. If timeout is zero, the call may - # block forever waiting for a connection to be established. - # (See https://golang.org/pkg/time/#ParseDuration for a format description.) - timeout: "10s" - # Database name that will be used on the MongoDB server. - database: "docker_auth" - # The username with which to connect to the MongoDB server. - username: "" - # Path to the text file with the password in it. - password_file: "" - # Enable TLS connection to MongoDB (only enable this if your server supports it) - enable_tls: false - # Name of the collection in which ACLs will be stored in MongoDB. - collection: "users" - # Unlike acl_mongo we don't cache the full user set. We just query mongo for - # an exact match for each authorization - -xorm_auth: - # the database type you'd like to connect to - database_type: "mysql" - # the connection string to connect to the database - conn_string: "username:password@/database_name?charset=utf8" - -# External authentication - call an external progam to authenticate user. -# Username and password are passed to command's stdin and exit code is examined. -# 0 - allow, 1 - deny, 2 - no match, other - error. -# In case of success, if any output is returned, it is parsed as a JSON object. -# The "labels" key may contain labels to be passed down to authz, where they can -# be used in matching. See ext_auth.sh for an example. -ext_auth: - command: "/usr/local/bin/my_auth" # Can be a relative path too; $PATH works. - args: ["--flag", "--more", "--flags"] - -# User written authentication plugin - call a user written program to authenticate user. -# Username of type string and password of authn.PasswordString is passed to the plugin -# Expects a boolean value whether the user is authenticate or not, authn.Labels, error -# The "labels" key may contain labels to be passed down to authz, where they can -# be used in matching. -plugin_authn: - plugin_path: "" - -# Authorization methods. All are tried, any one returning success is sufficient. -# At least one must be configured. - -# ACL specifies who can do what. If the match section of an entry matches the -# request, the set of allowed actions will be applied to the token request -# and a ticket will be issued only for those of the requested actions that are -# allowed by the rule. -# * It is possible to match on user's name ("account"), subject type ("type") -# and name ("name"; for type=repository this is the image name). -# * Matches are evaluated as shell file name patterns ("globs") by default, -# so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility -# match patterns can be evaluated as regexes by enclosing them in //, e.g. -# "/(foo|bar)/". -# * IP match can be single IP address or a subnet in the "prefix/mask" notation. -# * ACL is evaluated in the order it is defined until a match is found. -# Rules below the first match are not evaluated, so you'll need to put more -# specific rules above more broad ones. -# * Empty match clause matches anything, it only makes sense at the end of the -# list and can be used as a way of specifying default permissions. -# * Empty actions set means "deny everything". Thus, a rule with `actions: []` -# is in effect a "deny" rule. -# * A special set consisting of a single "*" action means "allow everything". -# * If no match is found the default is to deny the request. +#server: # Server settings. +# # Address to listen on. +# # Can be HOST:PORT for TCP or file path (e.g. /run/docker_auth.sock) for Unix socket. +# addr: ":5001" +# +# # Network, can be "tcp" or "unix" ("tcp" if unspecified). +# net: "tcp" +# +# # URL path prefix to use. +# path_prefix: "" +# +# # TLS options. +# # +# # Use specific certificate and key. +# certificate: "/path/to/server.pem" +# key: "/path/to/server.key" +# # +# # The following optional settings will fine tune TLS configuration to improve security. +# # Leaving them unset should be just fine for most installations. +# # +# # Enable HTTP Strict Transport Security. +# # hsts: true +# # +# # Set minimum TLS version. +# # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants +# # Either the version name (i.e. TLS11) or its uint16 value can be specified. +# # tls_min_version: TLS12 +# # +# # List of TLS curve preferences. +# # Values can be found at https://golang.org/pkg/crypto/tls/#CurveID +# # Either CurveID names (i.e. P384) or uint16 values can be specified. +# # tls_curve_preferences: +# # - P521 +# # - 24 +# # - P256 +# # +# # List of enabled TLS cipher suites. +# # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants +# # Either CipherSuite names (i.e. TLS_RSA_WITH_RC4_128_SHA) or uint16 values can be specified. +# # tls_cipher_suites: +# # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +# # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 +# # - 0xc014 +# # - 0xc00a +# +# # Use LetsEncrypt (https://letsencrypt.org/) to automatically obtain and maintain a certificate. +# # Note that this only applies to server TLS certificate, this certificate will not be used for tokens +# letsencrypt: +# # Email is required. It will be used to register with LetsEncrypt. +# email: webmaster@example.org +# # Cache directory, where certificates issued by LE will be stored. Must exist. +# # It is recommended to make it a volume mount so it persists across restarts. +# cache_dir: /data/sslcache +# # Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to. +# # With this option, you can limit it to a specific host name. +# # host: "docker.example.org" +# # If neither certificate+key or letsencrypt are configured, the listener does not use TLS. +# +# # Take client's address from the specified HTTP header instead of connection. +# # May be useful if the server is behind a proxy or load balancer. +# # If configured, this header must be present, requests without it will be rejected. +# # real_ip_header: "X-Forwarded-For" +# # Optional position of client ip in X-Forwarded-For, negative starts from +# # end of addresses. +# # real_ip_pos: -2 +# +#token: # Settings for the tokens. +# issuer: "Acme auth server" # Must match issuer in the Registry config. +# expiration: 900 +# # Token must be signed by a certificate that registry trusts, i.e. by a certificate to which a trust chain +# # can be constructed from one of the certificates in registry's auth.token.rootcertbundle. +# # If not specified, server's TLS certificate and key are used. +# # certificate: "..." +# # key: "..." +# +## Authentication methods. All are tried, any one returning success is sufficient. +## At least one must be configured. If you want an unauthenticated public setup, +## configure static user map with anonymous access. +# +## Static user map. +#users: +# # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate. +# "admin": +# password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin +# "test": +# password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123 +# "": {} # Allow anonymous (no "docker login") access. +# +## Google authentication. +## ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK. +## Instead, Auth server maintains a database of Google authentication tokens. +## Go to the server's port as HTTPS with your browser and follow the "Login with Google account" link. +## Once signed in, you will get a throw-away password which you can use for Docker login. +#google_auth: +# domain: "example.com" # Optional. If set, only logins from this domain are accepted. +# # client_id and client_secret for API access. Required. +# # Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project +# # NB: Make sure JavaScript origins are configured correctly, and that third-party +# # cookies are not blocked in the browser being used to login. +# client_id: "1223123456-somethingsomething.apps.googleusercontent.com" +# # Either client_secret or client_secret_file is required. Use client_secret_file if you don't +# # want to have sensitive information checked in. +# # client_secret: "verysecret" +# client_secret_file: "/path/to/client_secret.txt" +# # Where to store server tokens. Required. +# token_db: "/somewhere/to/put/google_tokens.ldb" +# # How long to wait when talking to Google servers. Optional. +# http_timeout: 10 +# +## GitHub authentication. +## ==! NB: DO NOT ENTER YOUR GITHUB PASSWORD AT "docker login". IT WILL NOT WORK. +## Instead, Auth server maintains a database of GitHub authentication tokens. +## Go to the server's port as HTTPS with your browser and follow the "Login with GitHub account" link. +## Once signed in, you will get a throw-away password which you can use for Docker login. +#github_auth: +# organization: "acme" # Optional. If set, only logins from this organization are accepted. +# # client_id and client_secret for API access. Required. +# # You can register a new application here: https://github.com/settings/developers +# # NB: Make sure JavaScript origins are configured correctly, and that third-party +# # cookies are not blocked in the browser being used to login. +# client_id: "1223123456" +# # Either client_secret or client_secret_file is required. Use client_secret_file if you don't +# # want to have sensitive information checked in. +# # client_secret: "verysecret" +# client_secret_file: "/path/to/client_secret.txt" +# # Either token_db file for storing of server tokens. +# token_db: "/somewhere/to/put/github_tokens.ldb" +# # or google cloud storage for storing of the sensitive information, +# gcs_token_db: +# bucket: "tokenBucket" +# client_secret_file: "/path/to/client_secret.json" +# # or Redis, +# redis_token_db: +# redis_options: +# # with a single instance, +# addr: localhost:6379 +# redis_cluster_options: +# # or in the cluster mode. +# addrs: ["localhost:7000"] +# # How long to wait when talking to GitHub servers. Optional. +# http_timeout: "10s" +# # How long to wait before revalidating the GitHub token. Optional. +# revalidate_after: "1h" +# # The Github Web URI in case you are using Github Enterprise. +# # Includes the protocol, without trailing slash. Optional - defaults to: https://github.com +# github_web_uri: "https://github.acme.com" +# # The Github API URI in case you are using Github Enterprise. +# # Includes the protocol, without trailing slash. - defaults to: https://api.github.com +# github_api_uri: "https://github.acme.com/api/v3" +# # Set an URL to display in the `docker login` command when succesfully authenticated. Optional. +# registry_url: localhost:5000 +# +## OpenID Connect authentication +## ==! NB: DO NOT ENTER YOUR OIDC PASSWORD AT "docker login". IT WILL NOT WORK. +## Instead, Auth server maintains a database of OIDC authentication tokens. +## Go to the server's port as HTTPS with your browser and follow the "Login with OIDC account" link. +## Once signed in, you will get a throw-away password which you can use for Docker login. +#oidc_auth: +# # --- required --- +# # The issuer URL of your OIDC provider. It has to be extendable with /.well-known/openid-configuration to request all +# # OIDC endpoints for token and authorization requests +# issuer: "my_issuer_url" +# # The redirect URI which is registered for this client at your OIDC provider. It has to end with /oidc_auth. +# redirect_url: "my_redirect_uri/oidc_auth" +# # The client id and client secret of the client that is registered at your OIDC provider for docker_auth +# client_id: "be4ut1fu1-cl13n7-1d" +# client_secret: "be4ut1fu1-cl13n7-s3cr37" +# # you can also give the client_secret in a file. Either a client_secret or a client_secret_file has to be provided +# # client_secret_file: "/path/to/client_secret.txt" +# # +# # a file in which the tokens should be stored. Does not have to exist, it will be generated in this case +# token_db: "/path/to/tokens.ldb" +# # --- optional --- +# # How long to wait when talking to the OIDC provider. +# http_timeout: 10 +# # the url of the registry where you want to login. Is used to present the full docker login command. +# registry_url: "url_of_my_beautiful_docker_registry" +# # The claim to use for the username. +# # Default: email +# user_claim: email +# # String array claims that will be used as labels. +# label_claims: +# - groups +# # Default: [openid, email] +# scopes: +# - openid +# - email +# +# +## Gitlab authentication. +## ==! NB: DO NOT ENTER YOUR Gitlab PASSWORD AT "docker login". IT WILL NOT WORK. +## Instead, Auth server maintains a database of Gitlab authentication tokens. +## Go to the server's port as HTTPS with your browser and follow the "Login with Gitlab account" link. +## Once signed in, you will get a throw-away password which you can use for Docker login. +#gitlab_auth: +# client_id: "1223123456" +# # Either client_secret or client_secret_file is required. Use client_secret_file if you don't +# # want to have sensitive information checked in. +# # client_secret: "verysecret" +# client_secret_file: "/path/to/client_secret.txt" +# # Either token_db file for storing of server tokens. +# token_db: "/somewhere/to/put/gitlab_tokens.ldb" +# # or google cloud storage for storing of the sensitive information, +# gcs_token_db: +# bucket: "tokenBucket" +# client_secret_file: "/path/to/client_secret.json" +# # or Redis, +# redis_token_db: +# redis_options: +# # with a single instance, +# addr: localhost:6379 +# redis_cluster_options: +# # or in the cluster mode. +# addrs: ["localhost:7000"] +# # How long to wait when talking to GitLab servers. Optional. +# http_timeout: "10s" +# # How long to wait before revalidating the Gitlab token. Optional. +# revalidate_after: "1h" +# # Includes the protocol, without trailing slash. Optional - defaults to: https://gitlab.com +# gitlab_web_uri: "https://gitlab.com" +# # Includes the protocol, without trailing slash. - defaults to: https://gitlab.com/api/v4 +# gitlab_api_uri: "https://gitlab.com/api/v4" +# # Set an URL to display in the `docker login` command when successfully authenticated. Optional. +# registry_url: localhost:5000 +# # grant_type is used for the authentication purpose. Required. +# grant_type: "authorization_code" +# # Redirect uri is used for the authentication purpose. Must end with '/gitlab_auth' prefix. Required. +# redirect_uri: "https://localhost:5001/gitlab_auth" +# +## LDAP authentication. +## Authentication is performed by first binding to the server, looking up the user entry +## by using the specified filter, and then re-binding using the matched DN and the password provided. +#ldap_auth: +# # Addr is the hostname:port or ip:port +# addr: ldap.example.com:636 +# # Setup tls connection method to be +# # "" or "none": the communication won't be encrypted +# # "always": setup LDAP over SSL/TLS +# # "starttls": sets StartTLS as the encryption method +# tls: always +# # set to true to allow insecure tls +# insecure_tls_skip_verify: false +# # set this to specify the ca certificate path +# ca_certificate: +# # In case bind DN and password is required for querying user information, +# # specify them here. Plain text password is read from the file. +# bind_dn: +# bind_password_file: +# # User query settings. ${account} is expanded from auth request +# base: o=example.com +# filter: (&(uid=${account})(objectClass=person)) +# # Labels can be mapped from LDAP attributes +# labels: +# # Add the user's title to a label called title +# title: +# attribute: title +# # Add the user's memberOf values to a label called groups +# groups: +# attribute: memberOf +# # Special handling to simplify the values to just the common name +# parse_cn: true +# # lower case the value +# lower_case: true +# +#mongo_auth: +# # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo +# dial_info: +# # The MongoDB hostnames or IPs to connect to. +# addrs: ["localhost"] +# # The time to wait for a server to respond when first connecting and on +# # follow up operations in the session. If timeout is zero, the call may +# # block forever waiting for a connection to be established. +# # (See https://golang.org/pkg/time/#ParseDuration for a format description.) +# timeout: "10s" +# # Database name that will be used on the MongoDB server. +# database: "docker_auth" +# # The username with which to connect to the MongoDB server. +# username: "" +# # Path to the text file with the password in it. +# password_file: "" +# # Enable TLS connection to MongoDB (only enable this if your server supports it) +# enable_tls: false +# # Name of the collection in which ACLs will be stored in MongoDB. +# collection: "users" +# # Unlike acl_mongo we don't cache the full user set. We just query mongo for +# # an exact match for each authorization +# +#xorm_auth: +# # the database type you'd like to connect to +# database_type: "mysql" +# # the connection string to connect to the database +# conn_string: "username:password@/database_name?charset=utf8" +# +## External authentication - call an external progam to authenticate user. +## Username and password are passed to command's stdin and exit code is examined. +## 0 - allow, 1 - deny, 2 - no match, other - error. +## In case of success, if any output is returned, it is parsed as a JSON object. +## The "labels" key may contain labels to be passed down to authz, where they can +## be used in matching. See ext_auth.sh for an example. +#ext_auth: +# command: "/usr/local/bin/my_auth" # Can be a relative path too; $PATH works. +# args: ["--flag", "--more", "--flags"] +# +## User written authentication plugin - call a user written program to authenticate user. +## Username of type string and password of authn.PasswordString is passed to the plugin +## Expects a boolean value whether the user is authenticate or not, authn.Labels, error +## The "labels" key may contain labels to be passed down to authz, where they can +## be used in matching. +#plugin_authn: +# plugin_path: "" +# +## Authorization methods. All are tried, any one returning success is sufficient. +## At least one must be configured. +# +## ACL specifies who can do what. If the match section of an entry matches the +## request, the set of allowed actions will be applied to the token request +## and a ticket will be issued only for those of the requested actions that are +## allowed by the rule. +## * It is possible to match on user's name ("account"), subject type ("type") +## and name ("name"; for type=repository this is the image name). +## * Matches are evaluated as shell file name patterns ("globs") by default, +## so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility +## match patterns can be evaluated as regexes by enclosing them in //, e.g. +## "/(foo|bar)/". +## * IP match can be single IP address or a subnet in the "prefix/mask" notation. +## * ACL is evaluated in the order it is defined until a match is found. +## Rules below the first match are not evaluated, so you'll need to put more +## specific rules above more broad ones. +## * Empty match clause matches anything, it only makes sense at the end of the +## list and can be used as a way of specifying default permissions. +## * Empty actions set means "deny everything". Thus, a rule with `actions: []` +## is in effect a "deny" rule. +## * A special set consisting of a single "*" action means "allow everything". +## * If no match is found the default is to deny the request. +## +## You can use the following variables from the ticket request in any field: +## * ${account} - the account name, currently the same as authenticated user's name. +## * ${service} - the service name, specified by auth.token.service in the registry config. +## * ${type} - the type of the entity, normally "repository". +## * ${name} - the name of the repository (i.e. image), e.g. centos. +## * ${labels: