Home
Docker registry v2 has a nice API to authenticate against external auth providers. But for now there is no (public?) provider implementation that uses a Redmine installation as its source.
- a server certificate with a public and private key pair
- a working Redmine or GitLab installation. You don't need administrator access to it!
- if not running from the prebuilt Docker container, a working Rails 4 environment.
- If authenticating against Redmine, you may use username/password.
- If authenticating against GitLab, you must use a private token with API access. The given username is ignored and may be empty (the Docker registry wants a username and sends it to the authenticator).
Username/password auth with GitLab isn't possible anymore.
- Clone the repository
- I prefer using RVM; in this case copy `.ruby-version.example` to `.ruby-version` and ensure RVM loads the correct environment. Of course you may set it to any Ruby version you prefer, as long as it is Ruby 2.x
- Run `bundle install`
- Copy `config/settings.yml.example` to `config/settings.yml` and edit the settings. Very important: use the correct `docker_issuer` value! It must match the issuer in the SSL certificate and the issuer entry in the docker-registry config file. Ensure you use the correct SSL certificate and keys. The key must contain both the public and private part!
- Run `RAILS_ENV=production bundle exec rake db:migrate`
- Start with `RAILS_ENV=production rails s`.
You should access this service via SSL only, either with the built-in SSL support or behind a reverse proxy such as nginx or Apache (or with Phusion Passenger).
Take a look at the `docker-compose.yml`, or download it and modify it for your needs. Ensure you mount the SSL certificate, SSL key and `settings.yml` from and to the correct place! Start with `docker-compose up`
Connect with a RESTful client (for instance Advanced REST client in Google Chrome) to `https://example.org/auth` or `https://example.org/auth.json` (replace example.org with your own server name). A simple web browser will work, too. You are now asked for credentials: use the Redmine login for the server you configured. The login may be your Redmine API token, too. In this case use the Redmine API token as the username and some characters as the password.
If the login is successful you should get a result like
{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiI .... aMW9aphXNKhtg","expires_in":30,"issuer":"dockerauth"}
The base is always the namespace part of the Docker image name. This part must match a project on the authentication source. To avoid problems, the search is always case-sensitive!
You want to clone the Docker path `localhost:5000/serveme/servimage`
Now we search in Redmine for the project with the short name `serveme` (the identifier). The credentials must match a user who
- is member of this project
- has at least read access
Read access is identified by the permission "Browse repository", write access by "Commit repository".
In most cases GitLab projects have a deeper path. You want to clone the path `localhost:5000/mygroup/serveme/servimage`
Now this service looks up a GitLab project by its path with namespace, e.g. `mygroup/serveme`. If you want to use the name of the project, the name must be written URL-safe in Docker.
Due to the deeper path of GitLab projects, it will never overlap with Redmine project names. E.g. `mygroup/serveme` will never match `mygroup`
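
The lookup rules above, sketched in Ruby as an added example (not this project's code): the namespace part of the image name selects the project, the match is case-sensitive, and only requested actions the user actually holds are granted. The `repository:<name>:<actions>` scope string comes from the Docker registry token specification rather than this page; the project tables, the logins and the rule that a namespace containing a slash is looked up in GitLab are assumptions made for illustration.

```ruby
# Added illustration, not this project's code. All project data is constructed.
REDMINE_PERMS = { "Browse repository" => "pull", "Commit repository" => "push" }.freeze

# Redmine project identifier => { login => Redmine permission names }
REDMINE_PROJECTS = {
  "serveme" => { "alice" => ["Browse repository", "Commit repository"],
                 "bob"   => ["Browse repository"] }
}.freeze

# GitLab path with namespace => { login => registry actions }. The page does not
# say how GitLab access levels map to read/write, so actions are stored directly.
GITLAB_PROJECTS = { "mygroup/serveme" => { "carol" => ["pull"] } }.freeze

# "repository:serveme/servimage:pull,push" -> ["serveme/servimage", ["pull", "push"]]
def parse_scope(scope)
  type, rest = scope.split(":", 2)
  name, _, actions = rest.to_s.rpartition(":")
  raise ArgumentError, "unsupported scope #{scope.inspect}" if type != "repository" || name.empty?
  [name, actions.split(",")]
end

# Namespace part of the image name: everything before the last path segment.
def project_key(image_name)
  segments = image_name.split("/")
  raise ArgumentError, "image name has no namespace" if segments.size < 2
  segments[0..-2].join("/")
end

# Actions the user holds on the project; empty if project or membership is missing.
# Hash lookups are exact, so "ServeMe" does not find "serveme".
def allowed_actions(login, key)
  if key.include?("/") # deeper path: GitLab lookup only, never Redmine
    GITLAB_PROJECTS.dig(key, login) || []
  else                 # single segment: Redmine project identifier
    (REDMINE_PROJECTS.dig(key, login) || []).map { |perm| REDMINE_PERMS[perm] }.compact
  end
end

# Grant the intersection of requested and held actions, never more.
def granted(login, scope)
  name, requested = parse_scope(scope)
  requested & allowed_actions(login, project_key(name))
end
```

A user with only "Browse repository" who asks for `pull,push` gets `pull` back, and a request for `ServeMe/servimage` yields no actions at all.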