From 1c825949c4662467c3c17837c8a44fcb9bc68eeb Mon Sep 17 00:00:00 2001
From: Sergiusz Bazanski
Date: Sun, 30 Jun 2019 00:37:34 +0200
Subject: [PATCH] app/registry: abstract away pushers Another change I lost somewhere in the process of remembering how to gerrit. I rewrote it (lost the original commit), and also added the (upcoming) egressifier service.
Change-Id: I1647bc3b1e504a192150ab76f4c6d1709e608f0a
---
 app/registry/prod.jsonnet | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/app/registry/prod.jsonnet b/app/registry/prod.jsonnet
index 4e02d3a6..d2ffbc67 100644
--- a/app/registry/prod.jsonnet
+++ b/app/registry/prod.jsonnet
@@ -147,22 +147,15 @@ local cm = import "../../cluster/kube/lib/cert-manager.libsonnet";
 users: {
 [""]: {}, // '' user are anonymous users.
 },
+ local data = self,
+ pushers:: [
+ { who: ["q3k", "inf"], what: "vms/*" },
+ { who: ["q3k"], what: "app/radio" },
+ { who: ["q3k"], what: "app/factorio" },
+ { who: ["q3k"], what: "app/gerrit" },
+ { who: ["q3k"], what: "go/svc/egressifier" },
+ ],
 acl: [
- {
- match: {account: "/(q3k|inf)/", name: "vms/*"},
- actions: ["*"],
- comment: "q3k and inf can mange 'vms' docker images",
- },
- {
- match: {account: "q3k", name: "app/radio"},
- actions: ["*"],
- comment: "q3k can mange 'app/radio' docker images",
- },
- {
- match: {account: "q3k", name: "app/factorio"},
- actions: ["*"],
- comment: "q3k can mange 'app/factorio' docker images",
- },
 {
 match: {account: "/.+/", name: "${account}/*"},
 actions: ["*"],
@@ -178,6 +171,16 @@ local cm = import "../../cluster/kube/lib/cert-manager.libsonnet";
 actions: ["pull"],
 comment: "Anyone can pull all images.",
 },
+ ] + [
+ {
+ match: {
+ account: "/(%s)/" % std.join("|", p.who),
+ name: p.what,
+ },
+ actions: ["*"],
+ comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
+ }
+ for p in data.pushers
 ],
 }),
 }
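Review bot: The new `pushers` list in the first hunk is now the only place that hands out full (`*`) access to a repository pattern, yet it has no comment saying what `who` and `what` mean or how they are matched. I would add above it `// Accounts in 'who' get every action on repositories matching 'what'.` and `// 'who' entries are joined into a regex in acl below: plain account names only.` The object these fields belong to opens before this hunk and closes after the next one.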
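Review bot: The generated `account` pattern `"/(%s)/"` in the second hunk is neither anchored nor escaped, so if the auth server evaluates `/…/` as an ordinary unanchored regex (its matcher is not shown here), `/(q3k)/` would also accept any account name that merely contains `q3k`; the single-account entries removed in the first hunk matched literally (`account: "q3k"`). Anchoring closes that gap: `account: "/^(%s)$/" % std.join("|", p.who),`. Separately, these grants used to head the `acl` list and are now appended after the `Anyone can pull all images.` entry. If entries are applied first-match and that entry's `match` (outside the hunk) also covers authenticated accounts, pushes would be cut down to `pull`, so the comprehension may need to come before the static entries. The enclosing `acl` list begins in the previous hunk.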