app/registry: allow anonymous pull access and temporary vms/ push access

2019-04-19 14:41:10 +02:00 · 2019-04-19 14:41:10 +02:00 · b245865087
parent 3e59718d3a
commit b245865087
1 changed files with 10 additions and 2 deletions
--- a/app/registry/prod.jsonnet
+++ b/app/registry/prod.jsonnet
@ -144,7 +144,15 @@ local cm = import "../../cluster/kube/lib/cert-manager.libsonnet";
                    token_db: "/data/oauth2_tokens.ldb",
                    registry_url: "https://registry.k0.hswaw.net",
                },
+                users: {
+                    [""]: {}, // '' user are anonymous users.
+                },
                acl: [
+                    {
+                        match: {account: "/(q3k|inf)/", name: "vms/*"},
+                        actions: ["*"],
+                        comment: "q3k and inf can mange 'vms' docker images",
+                    },
                    {
                        match: {account: "/.+/", name: "${account}/*"},
                        actions: ["*"],
@ -156,9 +164,9 @@ local cm = import "../../cluster/kube/lib/cert-manager.libsonnet";
                        comment: "Logged in users can query the catalog.",
                    },
                    {
-                        match: {account: "/.+/"},
+                        match: {account: ""},
                        actions: ["pull"],
-                        comment: "Logged in users can pull all images.",
+                        comment: "Anyone can pull all images.",
                    },
                ],
            }),