keycloak-scim/docs/documentation/securing_apps/topics/docker/docker-overview.adoc

64 lines
3.8 KiB
Text
Raw Normal View History

2017-03-17 15:42:01 +00:00
== Configuring a Docker registry to use {project_name}
2017-03-17 15:42:01 +00:00
NOTE: Docker authentication is disabled by default. To enable see the https://www.keycloak.org/server/features[Enabling and disabling features] {section}.
2017-06-01 13:05:37 +00:00
2017-08-28 12:50:14 +00:00
This section describes how you can configure a Docker registry to use {project_name} as its authentication server.
2017-03-17 15:42:01 +00:00
For more information on how to set up and configure a Docker registry, see the link:https://distribution.github.io/distribution/about/configuration/[Docker Registry Configuration Guide].
2017-06-01 13:05:37 +00:00
=== Docker registry configuration file installation
2017-06-01 13:05:37 +00:00
2019-01-21 13:32:59 +00:00
For users with more advanced Docker registry configurations, it is generally recommended to provide your own registry configuration file. The {project_name} Docker provider supports this mechanism via the _Registry Config File_ Format Option. Choosing this option will generate output similar to the following:
2017-06-01 13:05:37 +00:00
[source,subs="attributes+"]
----
auth:
token:
realm: http://localhost:8080{kc_realms_path}/master/protocol/docker-v2/auth
service: docker-test
issuer: http://localhost:8080{kc_realms_path}/master
----
2017-06-01 13:05:37 +00:00
This output can then be copied into any existing registry config file. See the link:https://distribution.github.io/distribution/about/configuration/[registry config file specification] for more information on how the file should be set up, or start with link:https://github.com/distribution/distribution/blob/main/cmd/registry/config-example.yml[a basic example].
2017-06-01 13:05:37 +00:00
WARNING: Don't forget to configure the `rootcertbundle` field with the location of the {project_name} realm's public key. The auth configuration will not work without this argument.
2017-06-01 13:05:37 +00:00
=== Docker registry environment variable override installation
2017-06-01 13:05:37 +00:00
Often times it is appropriate to use a simple environment variable override for develop or POC Docker registries. While this approach is usually not recommended for production use, it can be helpful when one requires quick-and-dirty way to stand up a registry. Simply use the _Variable Override_ Format Option from the client details, and an output should appear like the one below:
2017-06-01 13:05:37 +00:00
[source,subs="attributes+"]
----
REGISTRY_AUTH_TOKEN_REALM: http://localhost:8080{kc_realms_path}/master/protocol/docker-v2/auth
REGISTRY_AUTH_TOKEN_SERVICE: docker-test
REGISTRY_AUTH_TOKEN_ISSUER: http://localhost:8080{kc_realms_path}/master
----
2017-06-01 13:05:37 +00:00
WARNING: Don't forget to configure the `REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE` override with the location of the {project_name} realm's public key. The auth configuration will not work without this argument.
2017-06-01 13:05:37 +00:00
=== Docker Compose YAML File
2019-01-21 13:32:59 +00:00
WARNING: This installation method is meant to be an easy way to get a docker registry authenticating against a {project_name} server. It is intended for development purposes only and should never be used in a production or production-like environment.
2017-06-01 13:05:37 +00:00
2019-01-21 13:32:59 +00:00
The zip file installation mechanism provides a quickstart for developers who want to understand how the {project_name} server can interact with the Docker registry. In order to configure:
2017-06-01 13:05:37 +00:00
.Procedure
1. From the desired realm, create a client configuration. At this point you will not have a Docker registry - the quickstart will take care of that part.
2. Choose the "Docker Compose YAML" option from the from _Action_ menu and select the *Download adapter config* option to download the ZIP file.
2017-08-28 12:50:14 +00:00
3. Unzip the archive to the desired location, and open the directory.
2019-01-21 13:32:59 +00:00
4. Start the Docker registry with `docker-compose up`
2017-06-01 13:05:37 +00:00
2019-01-21 13:32:59 +00:00
NOTE: it is recommended that you configure the Docker registry client in a realm other than 'master', since the HTTP Basic auth flow will not present forms.
2017-06-01 13:05:37 +00:00
2019-01-21 13:32:59 +00:00
Once the above configuration has taken place, and the keycloak server and Docker registry are running, docker authentication should be successful:
2017-06-01 13:05:37 +00:00
[user ~]# docker login localhost:5000 -u $username
2017-06-01 13:05:37 +00:00
Password: *******
2018-06-13 06:32:16 +00:00
Login Succeeded