Merge branch 'nginx-ldap' into 'master'

LDAP authentication with Docker registry See merge request picasoft/projets/dockerfiles!68

Merge branch 'nginx-ldap' into 'master'
b3d13788 · Quentin Duchemin · ae9d1edf · a238ce24 · ae9d1edf · b3d13788
Commit b3d13788 authored 3 years ago by Quentin Duchemin
--- a/pica-registry/auth.example
+++ b/pica-registry/auth.example
-pica:<encrypted_password>
--- a/pica-registry/docker-compose.yml
+++ b/pica-registry/docker-compose.yml
@@ -3,6 +3,8 @@ version: '3.7'
 networks:
  proxy:
    external: true
+  registry:
+    name: registry

 volumes:
  registry:
@@ -13,18 +15,35 @@ services:
    image: registry:2
    container_name: registry
    environment:
-      REGISTRY_AUTH: htpasswd
-      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
+      REGISTRY_HTTP_HOST: registry.picasoft.net
    networks:
-      - proxy
+      - registry
    volumes:
      - registry:/var/lib/registry
-      - ./auth.secrets:/auth/htpasswd
+    restart: unless-stopped
+
+  nginx_ldap:
+    image: registry.picasoft.net/pica-nginx-ldap:1.21.4
+    build: ../pica-nginx-ldap
+    container_name: registry_frontend
+    environment:
+      LDAP_URL: ldaps://ldap.picasoft.net:636
+      LDAP_BASE_DN: dc=picasoft,dc=net
+      LDAP_ANSWER_ATTRIBUTES: cn
+      LDAP_SCOPE_SEARCH: sub
+      LDAP_FILTER: (objectClass=posixAccount)
+      LDAP_BIND_DN: cn=nss,dc=picasoft,dc=net
+      SERVER_NAME: registry.picasoft.net
+    env_file: ./secrets/ldap.secrets
+    volumes:
+      - ./proxy.conf:/etc/nginx/site.conf
    labels:
      traefik.http.routers.registry.entrypoints: websecure
      traefik.http.routers.registry.rule: Host(`registry.picasoft.net`)
-      traefik.http.services.registry.loadbalancer.server.port: 5000
+      traefik.http.services.registry.loadbalancer.server.port: 80
      traefik.enable: true
+    networks:
+      - registry
+      - proxy
    restart: unless-stopped
--- a/pica-registry/proxy.conf
+++ b/pica-registry/proxy.conf
+# disable any limits to avoid HTTP 413 for large image uploads
+client_max_body_size 0;
+
+# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+chunked_transfer_encoding on;
+
+location /v2 {
+    add_header 'Docker-Distribution-Api-Version' 'registry/2.0';
+
+    proxy_pass                          http://registry:5000;
+    proxy_set_header  Host              $http_host;   # required for docker client's sake
+    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+    # Forwarding from Traefik, always https
+    proxy_set_header  X-Forwarded-Proto https;
+    proxy_read_timeout                  900;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection keep-alive;
+    proxy_request_buffering off;
+    proxy_cache off;
+    proxy_buffering off;
+}
--- a/pica-registry/secrets/ldap.secrets.example
+++ b/pica-registry/secrets/ldap.secrets.example
+LDAP_BIND_PASSWORD=test