/
config_example_clientauth.yaml
145 lines (122 loc) · 6.65 KB
/
config_example_clientauth.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
clientAuth:
acl:
# Intuitively, this access control lits gives only authenticated identity x access
# to modules in github.com/myorg.
# An empty access control list is equivalent to an access control list with a single
# element {"access": "deny"}
- # allow authenticated identity named x access to modules in the "myorg" GitHub organisation.
# identities is a list of names of authenticated identities (as defined below) to which this access control list element
# applies. If this element does not have an entry with key "identities" then this element applies to all
# authenticated identities.
identities: ["x"]
# moduleRegexp is a regular expression. If the module does not match this regular expression then this access
# control lists element does not apply. If this element does not have an entry with key "moduleRegexp" then
# this element applies to all modules.
moduleRegexp: "^github\\.com/myorg/"
access: allow
- # an element in the lists without a key "identities" will apply to any authenticated user.
moduleRegexp: "^github\\.com/myorg/"
access: deny
- # an element in the list without a key moduleRegexp will apply to any module.
access: allow
authenticators:
accessToken:
audience: https://example.com/
secret: asdfasdf
timeToLive: 15m
gceInstanceIdentity:
# The audience expected when verifying GCE instance identity JWT tokens.
audience: https://example.com/
enabled: true
identities:
- name: x
# Identity x has a password, which allows authentication to the Go module proxy
# via POST /auth/userpassword
password: test
- name: y
# Identity y is bound to a Google Service Account, so that Google Compute Engine instances
# with service account my-google-sa@my-google-project.iam.gserviceaccount.com can authenticate
# to the Go module proxy (POST /auth/gce) by passing an instance identity token.
# See https://cloud.google.com/compute/docs/instances/verifying-instance-identity#verifying
# This method of authentication is similar to Vault's GCE auth method:
# https://www.vaultproject.io/docs/auth/gcp.html#gce-login
gceInstanceIdentityBinding:
email: 'my-google-sa@my-google-project.iam.gserviceaccount.com'
gitHub:
- host: github.com
gitHubApps:
- id: 12345
privateKey:
# The contents of file must encode a single PEM block with a private key type (i.e. "-----BEGIN RSA PRIVATE KEY-----")
# that is the GitHub App private key.
file: private-key.txt
# This secret can alternatively be sourced from an environment variable
# by setting the envVar to the name of the environment variable:
# envVar: MY_GITHUB_APP_PRIVATE_KEY
# The value of the environment variable must encode a single PEM block with a private key type (i.e. "-----BEGIN RSA PRIVATE KEY-----")
# that is the GitHub App private key.
# Exactly one of file or envVar must be set to a non-null value.
httpProxy:
# localhost and loopback IP addresses are implicitly added to the HTTP forward proxy bypass list,
# but are included for illustration.
noProxy: 'my-internal-host.example.com,localhost,127.0.0.1'
url: http://my-http-forward-proxy.example.com:3128
# Optional user and password used to encode in the Proxy-Authorization HTTP header using the Basic scheme.
# NOTE: only basic authentication to HTTP proxies is supported.
user: proxyBasicAuthUser
password:
file: http-proxy-password.txt
# This secret can alternatively be sourced from an environment variable
# by setting the envVar to the name of the environment variable:
# envVar: HTTP_PROXY_PASSWORD
# Exactly one of file or envVar must be set to a non-null value.
# Controls the maximum amount of Go child processes that can be running at any one time
maxChildProcesses: 30
parentProxy:
url: "https://proxy.golang.org/"
privateModules:
- pathPrefix: "github.com/my-private-org"
auth:
# ID of the GitHub App to use to authenticate to repositories of my-private-org
gitHubApp: 12345
publicModules:
# The checksum database to use when downloading public modules.
# NOTE: suppose the value's name is set to <x>: if the parent proxy is configured and its GET /sumdb/<x>/supported
# endpoint responds with 200 OK then the sum database proxied by the parent proxy has preference over
# the one configured here.
# Defaults to the Go toolchain's default sum database (https://sum.golang.org/).
# This module proxy server does not support disabling authentication of public modules
# against a sum database.
sumDatabase: &googleSumDatabase
name: sum.golang.org
# The public key is only used by this module proxy server if this sum database is used to authenticate public
# modules but is required nevertheless.
# See also https://golang.org/src/cmd/go/internal/modfetch/key.go?h=sum.golang.org
publicKey: 033de0ae+Ac4zctda0e5eza+HJyk9SxEdh+s3Ux18htTTAD8OuAn8
# URL of the sum database. Required.
url: https://sum.golang.org
storage:
gcs:
bucket: my-gcs-bucket
sumDatabaseProxy:
# Set to true to improve performance of clients in some configurations.
# When the Go toolchain is configured to use a module proxy and sum database <x>, but the module proxy
# does not proxy sum database <x>, then the Go toolchain will attempt to connect to sum database <x>
# directly unless the module proxy does not respond with status 404 or 410 to the GET /sumdb/supported endpoint.
# This module proxy server responds with 410 to the GET /sumdb/supported endpoint if and only if
# discourageClientDirectSumDatabaseConnections is false.
# Defaults to false.
# Performance of clients such as the Go toolchain can improve because clients can be told to skip attempting to connect directly
# to a sum database when that is known to always fail (i.e. because this module proxy server and clients are running in a corporate
# network).
# NOTE: privacy would also improve IF discourageClientDirectSumDatabaseConnections is true and
# this module proxy server were to cache sum database requests (but it does not cache such requests:
# https://github.com/go-mod-proxy/go-mod-proxy/issues/1).
# See also https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md#proxying-a-checksum-database
discourageClientDirectSumDatabaseConnections: true
sumDatabases:
# Configures the set of sum databases proxied by this module proxy server.
# See https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md#proxying-a-checksum-database
- <<: *googleSumDatabase
tls:
minVersion: 'TLS1.3'