Skip to content
Switch branches/tags
Go to file
Latest commit 55ec7b0 Oct 12, 2020 History
* Update helm chart

* Add missing requirements.yaml

* Update to Helm v3, prepare for being a helm repo

* Upload packaged chart

* Readme updated

* Typo fixed

* Migrate from extensions/v1beta1 to (cf.

* Add missing "{{- end - }}" in template

* Updated readme

* Fixed missing helm repo prefix

* Updated configuration example to use the extraVolumes/extraVolumesMount feature of docker-registry.

* Correct URL

* Updated helm repository

* Helm Chart cleanup

* Updated helm repository

Co-authored-by: Dennis Pfisterer <>
8 contributors

Users who have contributed to this file

@rojer @dhrp @Strayer @ozbillwang @techknowlogick @akatrevorjay @pfisterer @adamdecaf
83 lines (59 sloc) 3.54 KB

Docker Registry 2 authentication server

The original Docker Registry server (v1) did not provide any support for authentication or authorization. Access control had to be performed externally, typically by deploying Nginx in the reverse proxy mode with Basic or other type of authentication. While performing simple user authentication is pretty straightforward, performing more fine-grained access control was cumbersome.

Docker Registry 2.0 introduced a new, token-based authentication and authorization protocol, but the server to generate them was not released. Thus, most guides found on the internet still describe a set up with a reverse proxy performing access control.

This server fills the gap and implements the protocol described here.

Supported authentication methods:

Supported authorization methods:

  • Static ACL
  • MongoDB-backed ACL
  • External program

Installation and Examples

Using Helm/Kubernetes

A helm chart is available in the folder chart/docker-auth.


A public Docker image is available on Docker Hub: cesanta/docker_auth.

Tags available:

  • :latest - bleeding edge, usually works but breaking config changes are possible. You probably do not want to use this in production.
  • :1 - the 1.x version, will have fixes, no breaking config changes. Previously known as :stable.
  • :1.x - specific release, see here for the list of current releases.

The binary takes a single argument - path to the config file. If no arguments are given, the Dockerfile defaults to /config/auth_config.yml.

Example command line:

$ docker run \
    --rm -it --name docker_auth -p 5001:5001 \
    -v /path/to/config_dir:/config:ro \
    -v /var/log/docker_auth:/logs \
    cesanta/docker_auth:1 /config/auth_config.yml

See the example config files to get an idea of what is possible.


Run with increased verbosity:

docker run ... cesanta/docker_auth:1 --v=2 --alsologtostderr /config/auth_config.yml


Bug reports, feature requests and pull requests (for small fixes) are welcome. If you require larger changes, please file an issue. We cannot guarantee response but will do our best to address them.


Copyright 2015 Cesanta Software Ltd.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this software except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.