Comments (2)
Hi Greg,
I think this seems to be a reverse proxy issue. I personally use NGINX as a gateway and had to enhance the requests with the needed headers accordingly (especially CORS headers).
I based my settings on this link.
Could you check your responses to see if there is anything related to CORS?
from keycloak-docker-group-role-mapper.
Hi Alexander,
The response headers, including CORS:
ansible
INFO:registry:Phase 1: Testing Registry Basic Auth
DEBUG:registry:401
DEBUG:registry:{'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Headers': ['Authorization', 'Accept', 'Cache-Control'], 'Access-Control-Allow-Methods': ['HEAD', 'GET', 'OPTIONS', 'DELETE'], 'Access-Control-Allow-Origin': '*', 'Access-Control-Expose-Headers': 'Docker-Content-Digest', 'Access-Control-Origin': '*', 'Content-Length': '150', 'Content-Type': 'application/json; charset=utf-8', 'Date': 'Tue, 26 Mar 2024 11:03:45 GMT', 'Docker-Distribution-Api-Version': 'registry/2.0', 'Www-Authenticate': 'Bearer realm="https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth",service="registry",scope="repository:ansible:pull"', 'X-Content-Type-Options': 'nosniff'}
DEBUG:registry:b'{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ansible","Action":"pull"}]}]}\n'
{'method': 'Bearer', 'realm': 'https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth', 'service': 'registry', 'scope': 'repository:ansible:pull'}
INFO:registry:Phase 2: Basic Auth failed, fetching IDP with realm, service and scope
DEBUG:registry:200
DEBUG:registry:{'Cache-Control': 'no-store, must-revalidate, max-age=0', 'Content-Length': '946', 'Content-Type': 'application/json', 'Referrer-Policy': 'no-referrer', 'Set-Cookie': ['AUTH_SESSION_ID=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly;SameSite=None', 'AUTH_SESSION_ID_LEGACY=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly', 'KC_RESTART=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly', 'KEYCLOAK_IDENTITY=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly;SameSite=None', 'KEYCLOAK_IDENTITY_LEGACY=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly', 'KEYCLOAK_SESSION="registry/[REDACTED]/[REDACTED]";Version=1;Path=/realms/registry/;Max-Age=36000;Secure;SameSite=None', 'KEYCLOAK_SESSION_LEGACY="registry/[REDACTED]/[REDACTED]";Version=1;Path=/realms/registry/;Max-Age=36000;Secure'], 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'SAMEORIGIN', 'X-Xss-Protection': '1; mode=block', 'Date': 'Tue, 26 Mar 2024 11:03:46 GMT'}
DEBUG:registry:b'{"token":"[REDACTED]","expires_in":300,"issued_at":"2024-03-26T12:03:46Z"}'
INFO:registry:Phase 3: Connecting to Registry with Credentials
{'method': 'Bearer', 'realm': 'https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth', 'service': 'registry', 'scope': 'registry:catalog:*'}
DEBUG:registry:401
DEBUG:registry:{'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Headers': ['Authorization', 'Accept', 'Cache-Control'], 'Access-Control-Allow-Methods': ['HEAD', 'GET', 'OPTIONS', 'DELETE'], 'Access-Control-Allow-Origin': '*', 'Access-Control-Expose-Headers': 'Docker-Content-Digest', 'Access-Control-Origin': '*', 'Content-Length': '150', 'Content-Type': 'application/json; charset=utf-8', 'Date': 'Tue, 26 Mar 2024 11:03:46 GMT', 'Docker-Distribution-Api-Version': 'registry/2.0', 'Www-Authenticate': 'Bearer realm="https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth",service="registry",scope="repository:ansible:pull",error="insufficient_scope"', 'X-Content-Type-Options': 'nosniff'}
DEBUG:registry:b'{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ansible","Action":"pull"}]}]}\n'
Traceback (most recent call last):
  File "d:\git\_managers\docker_registry_mydomain\test.py", line 14, in <module>
    print(reg.tag_list(image))
          ^^^^^^^^^^^^^^^^^^^
  File "d:\git\_managers\docker_registry_mydomain\src\docker_registry_mydomain\manager.py", line 272, in tag_list
    self.authenticate()
  File "d:\git\_managers\docker_registry_mydomain\src\docker_registry_mydomain\manager.py", line 150, in authenticate
    self.fetch_registry()
  File "d:\git\_managers\docker_registry_mydomain\src\docker_registry_mydomain\manager.py", line 136, in fetch_registry
    raise HTTP401Exception()
src.docker_registry_mydomain.exc.HTTP401Exception: 401 UNAUTHORIZED
My script is not an HTTP/HTTPS endpoint but a simple Python script (like cURL).
Does the CORS configuration have to match the Keycloak endpoint?
Registry Compose
version: '3'
services:
  registry:
    image: registry
    container_name: registry
    hostname: registry.${DOMAIN}
    restart: ${RESTART_POLICY}
    pull_policy: ${PULL_POLICY}
    environment:
      TZ: ${TIMEZONE:-UTC}
      # REGISTRY_LOG
      REGISTRY_LOG_ACCESSLOG_DISABLED: "false"
      REGISTRY_LOG_LEVEL: "error"
      REGISTRY_LOG_FIELDS_SERVICE: "registry"
      REGISTRY_LOG_FIELDS_ENVIRONMENT: "production"
      REGISTRY_LOG_HOOKS_MAIL_LEVELS: "error"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_ADDR: "${REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_ADDR}"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_USERNAME: "${REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_USERNAME}"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_PASSWORD: "${REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_PASSWORD}"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_INSECURE: "false"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_FROM: "registry@${DOMAIN}"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_TO: "admin@${DOMAIN}"
      # REGISTRY_STORAGE_
      # REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
      REGISTRY_STORAGE: "s3"
      REGISTRY_STORAGE_S3_ACCESSKEY: "${REGISTRY_STORAGE_S3_ACCESSKEY}"
      REGISTRY_STORAGE_S3_SECRETKEY: "${REGISTRY_STORAGE_S3_SECRETKEY}"
      REGISTRY_STORAGE_S3_REGIONENDPOINT: "${REGISTRY_STORAGE_S3_REGIONENDPOINT}"
      REGISTRY_STORAGE_S3_REGION: "minio-dont-care"
      REGISTRY_STORAGE_S3_BUCKET: "docker-registry"
      REGISTRY_STORAGE_S3_SECURE: "false"
      REGISTRY_STORAGE_REDIRECT_DISABLE: "true"
      REGISTRY_STORAGE_DELETE_ENABLED: "true"
      # REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR: "redis"
      # REGISTRY_HTTP_
      REGISTRY_HTTP_ADDR: ":5000"
      REGISTRY_HTTP_HOST: "https://registry.${DOMAIN}:443"
      REGISTRY_HTTP_SECRET: "${REGISTRY_HTTP_SECRET}"
      REGISTRY_HTTP_DEBUG_ADDR: ":5001"
      REGISTRY_HTTP_DEBUG_PROMETHEUS_ENABLED: "true"
      REGISTRY_HTTP_DEBUG_PROMETHEUS_PATH: "/metrics"
      REGISTRY_HTTP_HEADERS_Access-Control-Origin: "['*']"
      # REGISTRY_HTTP_HEADERS_Access-Control-Origin: "['https://sso.${DOMAIN}']"
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: "['HEAD', 'GET', 'OPTIONS', 'DELETE']"
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: "['true']"
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: "['Authorization', 'Accept', 'Cache-Control']"
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: "['Docker-Content-Digest']"
      REGISTRY_HTTP_HEADERS_X_CONTENT_TYPE_OPTIONS: "['nosniff']"
      REGISTRY_HTTP_HTTP2_DISABLED: "false"
      # REGISTRY_NOTIFICATIONS_
      # REGISTRY_NOTIFICATIONS_EVENTS_INCLUDEREFERENCES: "true"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_DISABLED: "true"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_URL: "https://hub.${DOMAIN}"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_IGNOREDMEDIATYPES: "application/octet-stream"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_IGNORED_MEDIATYPES: "application/octet-stream"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_IGNORED_ACTIONS: "pull"
      # REGISTRY_AUTH_
      REGISTRY_AUTH_TOKEN_REALM: https://sso.${DOMAIN}/realms/registry/protocol/docker-v2/auth
      REGISTRY_AUTH_TOKEN_SERVICE: "registry"
      REGISTRY_AUTH_TOKEN_ISSUER: https://sso.${DOMAIN}/realms/registry
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: "/opt/certs/registry_trust_chain.pem"
      REGISTRY_AUTH_TOKEN_AUTOREDIRECT: "false" # Must be off because of external SSO/SAML
      ## Registry OAuth2 with Gitlab JWT
      # REGISTRY_AUTH_TOKEN_REALM: https://gitlab.${DOMAIN}/jwt/auth
      # REGISTRY_AUTH_TOKEN_SERVICE: container_registry
      # REGISTRY_AUTH_TOKEN_ISSUER: gitlab-issuer
      # REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/gitlab-registry.pem
      # REGISTRY_HTTP_TLS_CERTIFICATE: /certs/gitlab-registry.crt
      # REGISTRY_HTTP_TLS_KEY: /certs/gitlab-registry.key
      # REGISTRY_REDIS_
      REGISTRY_REDIS_ADDR: "redis:6379"
      REGISTRY_REDIS_PASSWORD: "${REDIS_PASSWORD}"
      REGISTRY_REDIS_DB: 1
      # REGISTRY_REDIS_TLS_ENABLED: "false"
      # REGISTRY_HEALTH_
      REGISTRY_HEALTH_STORAGEDRIVER_ENABLED: "true"
    ports:
      - "5001:5001"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "${VOLUME_POINT}registry-new-certs:/opt/certs:Z" # Using Keycloak SSO/SAML with its SSL certificates
      # - "registry-data:/data:Z" # Moved to MinIO S3 Bucket
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      #
      - "traefik.enable=true"
      - "traefik.http.routers.registry.rule=Host(`registry.${DOMAIN}`)"
      - "traefik.http.routers.registry.entrypoints=https"
      - "traefik.http.routers.registry.tls.certresolver=gcloud"
      - "traefik.http.routers.registry.service=registry"
      - "traefik.http.middlewares.registry-headers.headers.accessControlAllowCredentials=true"
      - "traefik.http.middlewares.registry-headers.headers.accessControlAllowHeaders='Authorization', 'Accept', 'Cache-Control'"
      - "traefik.http.middlewares.registry-headers.headers.accessControlAllowMethods='HEAD', 'GET', 'OPTIONS', 'DELETE'"
      - "traefik.http.middlewares.registry-headers.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.registry-headers.headers.accessControlExposeHeaders='Docker-Content-Digest'"
      - "traefik.http.middlewares.registry-headers.headers.customRequestHeaders.X-Content-Type-Options='nosniff'"
      - "traefik.http.routers.registry.middlewares=registry-headers"
      - "traefik.http.services.registry.loadbalancer.server.port=5000"
    networks:
      - traefik
      - backend
volumes:
  ...
networks:
  ...
Keycloak Compose:
version: "3"
services:
  keycloak:
    image: registry.mydomain.com/keycloak:latest
    container_name: keycloak
    hostname: keycloak
    restart: always
    pull_policy: if_not_present
    environment:
      TZ: Europe/Paris
      PUID: 1000
      PGID: 0
      # Keycloak Docker settings
      REGISTRY_CATALOG_AUDIENCE: editor #user|editor
      REGISTRY_NAMESPACE_SCOPE: group #username|group|group,username
      REGISTRY_GROUP_PREFIX: "registry-"
      # Keycloak settings
      KC_LOG_LEVEL: debug #info|debug|trace|warn
      PROXY_ADDRESS_FORWARDING: "true"
      KC_PROXY: edge
      KC_HOSTNAME_URL: "https://sso.${DOMAIN}"
      KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HTTP_ENABLED: "true"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`sso.${DOMAIN}`)"
      - "traefik.http.routers.keycloak.entrypoints=https"
      - "traefik.http.routers.keycloak.service=keycloak"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
    networks:
      - traefik
      - backend
networks:
  ...
(sensitive data are in the Dockerfile)
Edit:
It's OK, the error was in my script.
I closed the issue, thanks for your help.
PS D:\git\_managers\docker_registry_mydomain> & d:/git/_managers/docker_registry_mydomain/.venv/Scripts/python.exe d:/git/_managers/docker_registry_mydomain/test.py
INFO:registry:Phase 1: Testing Registry Basic Auth
INFO:registry:Phase 2: Basic Auth failed, fetching IDP with realm, service and scope
INFO:registry:Phase 3: Connecting to Registry with Credentials
{'method': 'Bearer', 'realm': 'https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth', 'service': 'registry', 'scope': 'repository:ansible:pull'}
{'name': 'ansible', 'tags': ['latest']}
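The logs in the thread show where the failure actually came from, independent of CORS: the tag-list request was challenged with scope="repository:ansible:pull", but phase 3 requested a token for registry:catalog:*, so the registry answered 401 with error="insufficient_scope". A non-browser client such as a Python script or cURL never evaluates Access-Control-* headers; only the Www-Authenticate challenge matters. The following is an added example, not code from the thread or from the keycloak-docker-group-role-mapper project. It parses the Bearer challenge, builds the token-endpoint URL from it, and drives the same probe / token / retry exchange against an in-memory stand-in for the registry and the token server, showing the hard-coded catalog scope failing and the challenged scope succeeding. The hostnames, the repository name and the stand-in classes are constructed; the scope check is a simplified model of the registry's decision (a real registry reads the access claim of a signed JWT and validates its signature against REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE and its issuer against REGISTRY_AUTH_TOKEN_ISSUER, which this example does not model).

```python
"""Docker Registry v2 token-auth exchange (added example; not code from the
issue thread or from keycloak-docker-group-role-mapper).  Hostnames, the
repository name and the in-memory registry/token-server stand-ins below are
constructed for the demonstration."""
import re
import urllib.parse

# key="quoted value" or key=bare-value pairs inside a Bearer challenge
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_bearer_challenge(www_authenticate: str) -> dict:
    """Parse 'Bearer realm="...",service="...",scope="..."[,error="..."]'.

    Rejects non-Bearer schemes so a caller never falls back to sending
    Basic credentials to an endpoint that did not ask for them.
    """
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    challenge = {"method": "Bearer"}
    for key, quoted, bare in _PARAM_RE.findall(params):
        challenge[key] = quoted or bare
    if "realm" not in challenge or "service" not in challenge:
        raise ValueError("Bearer challenge lacks realm or service")
    return challenge


def token_url(challenge: dict) -> str:
    """Token-endpoint URL from the challenge: realm?service=..&scope=..

    The scope is copied from the challenge, never hard-coded; a space-separated
    list (a registry may challenge for several) becomes repeated parameters.
    """
    query = [("service", challenge["service"])]
    query += [("scope", s) for s in challenge.get("scope", "").split()]
    return challenge["realm"] + "?" + urllib.parse.urlencode(query)


def scope_grants(token_scope: str, required_scope: str) -> bool:
    """Simplified check: does a token issued for token_scope cover required_scope?

    Scopes are 'type:name:action[,action...]'; type and name must match and
    every required action must be granted (or the token carries '*').
    """
    t_type, t_name, t_actions = token_scope.split(":", 2)
    r_type, r_name, r_actions = required_scope.split(":", 2)
    if (t_type, t_name) != (r_type, r_name):
        return False
    granted = set(t_actions.split(","))
    return "*" in granted or set(r_actions.split(",")) <= granted


class FakeRegistry:
    """Constructed stand-in for the registry. A 'token' here is simply the
    scope string it was issued for; a real token is a signed JWT."""
    REALM = "https://sso.example.test/realms/registry/protocol/docker-v2/auth"
    SERVICE = "registry"

    def get(self, path, token_scope=None):
        """Return (status, Www-Authenticate header or None)."""
        if path.startswith("/v2/ansible/"):
            required = "repository:ansible:pull"
        else:
            required = "registry:catalog:*"
        hdr = f'Bearer realm="{self.REALM}",service="{self.SERVICE}",scope="{required}"'
        if token_scope is None:
            return 401, hdr                      # phase 1: anonymous probe
        if not scope_grants(token_scope, required):
            return 401, hdr + ',error="insufficient_scope"'
        return 200, None


def fetch(registry, path, get_token):
    """Probe, obtain a token for the challenged scope, retry once.

    get_token(url, scope) stands in for the HTTP call to the token endpoint.
    Returns (final status, parsed challenge) so the caller can log both.
    """
    status, hdr = registry.get(path)
    if status != 401:
        return status, None
    challenge = parse_bearer_challenge(hdr)
    token = get_token(token_url(challenge), challenge["scope"])
    status, _ = registry.get(path, token_scope=token)
    return status, challenge


def demo() -> dict:
    """The failure from the thread and the fix, side by side."""
    reg = FakeRegistry()
    # bug from the logs: token requested for the catalog, not the repository
    wrong, _ = fetch(reg, "/v2/ansible/tags/list", lambda url, scope: "registry:catalog:*")
    # fix: request exactly the scope the registry challenged for
    right, _ = fetch(reg, "/v2/ansible/tags/list", lambda url, scope: scope)
    return {"hardcoded_catalog_scope": wrong, "challenge_scope": right}


if __name__ == "__main__":
    print(demo())  # {'hardcoded_catalog_scope': 401, 'challenge_scope': 200}
```

Two things from the real exchange carry over to a client written this way: the token's expires_in (300 s in the log) means the challenge must be re-parsed and a fresh token fetched once a request for a different scope, or an expired token, is answered with 401 again, and a client should treat any non-Bearer challenge as an error rather than retrying with Basic credentials.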