
auth-config.yml

# Compose v2 stack (Rancher): a Docker registry behind Traefik, a web UI for
# browsing it, and a cesanta/docker_auth token server that the registry trusts.
version: '2'
# Every volume is declared external: they are pre-existing rancher-nfs volumes
# that this stack mounts but does not create.
volumes:
  registry-data:
    external: true
    driver: rancher-nfs
  registry-ssl:
    external: true
    driver: rancher-nfs
  registry-certs:
    external: true
    driver: rancher-nfs
  letsencrypt_letsencrypt-data_77077:
    external: true
    driver: rancher-nfs
  registry-config:
    external: true
    driver: rancher-nfs
services:
  registry:
    image: registry:2.6
    environment:
      REGISTRY_HTTP_HOST: https://registry.example.com
      # NOTE(security): the HTTP secret signs upload-session state handed to
      # clients; a literal, guessable value committed with the stack should be
      # replaced by a random value injected at deploy time (env/secret store).
      REGISTRY_HTTP_SECRET: httpsecret
      # NOTE(review): debug logging is verbose for a production registry;
      # consider lowering once the stack is stable.
      REGISTRY_LOG_LEVEL: debug
      # Quoted on purpose: the registry expects the string "true", not a YAML bool.
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      # Realm clients are redirected to for tokens; served by the `auth` service
      # below through Traefik's /auth path prefix.
      REGISTRY_AUTH_TOKEN_REALM: https://registry.example.com/auth
      REGISTRY_AUTH_TOKEN_SERVICE: Docker registry
      # Must equal the `token.issuer` of the docker_auth config: the registry
      # rejects tokens whose `iss` claim differs. The auth config further down
      # this page uses "KRONK Ltd." — confirm which value is intended.
      REGISTRY_AUTH_TOKEN_ISSUER: ACME
      # Certificate bundle used to verify token signatures; it must contain the
      # certificate docker_auth signs with (`token.certificate` below points at
      # .../certs/kronkltd/... rather than .../certs/example/... — TODO confirm).
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /etc/letsencrypt/production/certs/example/fullchain.pem
    stdin_open: true
    volumes:
    - registry-certs:/certs
    - registry-data:/var/lib/registry
    - letsencrypt_letsencrypt-data_77077:/etc/letsencrypt
    tty: true
    labels:
      # Traefik routes /v1 and /v2 on example.com to port 5000 of this container.
      traefik.path.prefix: /v1,/v2
      traefik.port: '5000'
      traefik.enable: stack
      traefik.domain: example.com
  web:
    image: hyper/docker-registry-web
    environment:
      # Reaches the registry directly over the stack network (plain HTTP,
      # bypassing Traefik and TLS).
      REGISTRY_URL: http://registry:5000/v2
      REGISTRY_NAME: registry.example.com
      # NOTE(review): the registry above requires token auth, but the UI is told
      # auth is disabled — verify the UI can actually list/browse repositories.
      REGISTRY_AUTH_ENABLED: 'false'
      REGISTRY_READONLY: 'false'
    stdin_open: true
    tty: true
    labels:
      traefik.port: '8080'
      traefik.enable: stack
      traefik.domain: example.com
      io.rancher.container.pull_image: always
      # Quoted because the value starts with a space and contains `{`; the
      # leading space is part of the value — TODO confirm it is intentional.
      traefik.path: ' /{v:[^v].*},/'
  auth:
    image: cesanta/docker_auth:1
    stdin_open: true
    volumes:
    # docker_auth reads its config from /config; /data holds the LE cert cache.
    - registry-config:/config
    - letsencrypt_letsencrypt-data_77077:/etc/letsencrypt
    - registry-ssl:/data
    tty: true
    labels:
      # Matches REGISTRY_AUTH_TOKEN_REALM above; port 5001 matches `server.addr`
      # in the docker_auth config.
      traefik.path.prefix: /auth
      traefik.port: '5001'
      traefik.enable: stack
      traefik.domain: example.com
      io.rancher.container.pull_image: always
# cesanta/docker_auth server configuration (appears to be a separate file pasted
# below the compose stack; the keys below are not compose keys).
server:
  # Listen address inside the container; matches the auth service's
  # traefik.port label in the stack above.
  addr: ":5001"
  # NOTE(security): `ip:` ACL matches below use the address from this header,
  # which is client-supplied. This is only safe if the auth server is reachable
  # solely through the proxy and the proxy overwrites (not appends to) the
  # header; otherwise a client can forge a loopback source and match the
  # all-actions rules below.
  real_ip_header: "X-Forwarded-For"

  letsencrypt:
    # Email is required. It will be used to register with LetsEncrypt.
    email: duck@kronkltd.net
    # Cache directory, where certificates issued by LE will be stored. Must exist.
    # It is recommended to make it a volume mount so it persists across restarts.
    # (Backed by the registry-ssl volume mounted at /data in the stack above.)
    cache_dir: /data/sslcache
    # Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to.
    # With this option, you can limit it to a specific host name.
    # host: "docker.example.org"

token:
  # Must equal the registry's REGISTRY_AUTH_TOKEN_ISSUER (the stack above sets
  # ACME) — tokens with a different `iss` are rejected by the registry.
  issuer: "KRONK Ltd."
  # Token lifetime in seconds (15 minutes).
  expiration: 900
  # Key pair used to sign tokens; the certificate must be present in the
  # registry's REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE for signatures to verify.
  certificate: "/etc/letsencrypt/production/certs/kronkltd/fullchain.pem"
  key: "/etc/letsencrypt/production/certs/kronkltd/privkey.pem"

users:
  "admin":
    # bcrypt hash; the `$2y$05$` prefix encodes cost factor 5, which is low —
    # consider re-hashing with a higher cost.
    password: "$2y$05$sjoQyjQJetleN0ULy3N3remGk9w.OBVgWwczpBW9UUuGWF1jq0mkO"
  # Empty username enables anonymous access. Remove this entry to require a
  # login for everything (the anonymous ACL rules below then never apply).
  "": {}

# Rules are evaluated in order; the first matching rule decides the allowed
# actions, so ordering is significant.
acl:
  # The three ip-based rules grant every action and depend on the trusted
  # real_ip_header above — see the note on `real_ip_header`.
  - match: {ip: "127.0.0.0/8"}
    actions: ["*"]
    comment: "Allow everything from localhost (IPv4)"
  - match: {ip: "::1"}
    actions: ["*"]
    comment: "Allow everything from localhost (IPv6)"
  # Default Docker bridge gateway; verify this address still applies on the
  # Rancher managed network before relying on it.
  - match: {ip: "172.17.0.1"}
    actions: ["*"]
    comment: "Allow everything from the local Docker bridge address"
  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."
  # Exposes every repository name to unauthenticated callers.
  - match: {account: "", type: "registry", name: "catalog"}
    actions: ["*"]
    comment: "Anonymous users can query the catalog."
  # Makes the registry world-readable; together with the anonymous user entry
  # above this is a deliberate public-read policy — confirm it is intended.
  - match: {account: ""}
    actions: ["pull"]
    comment: "Anonymous users can pull all images."