
Comments (2)

alexanderwolz commented on May 27, 2024

Hi Greg,

I think this seems to be a reverse proxy issue. I personally use NGINX as a gateway and had to enhance the requests with needed headers accordingly (especially CORS headers).

I based my settings on this link.

Could you check your responses to see if there is anything related to CORS?

from keycloak-docker-group-role-mapper.

R4F4L3 commented on May 27, 2024

Hi Alexander,
The response headers, including CORS:

ansible
INFO:registry:Phase 1: Testing Registry Basic Auth
DEBUG:registry:401
DEBUG:registry:{'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Headers': ['Authorization', 'Accept', 'Cache-Control'], 'Access-Control-Allow-Methods': ['HEAD', 'GET', 'OPTIONS', 'DELETE'], 'Access-Control-Allow-Origin': '*', 'Access-Control-Expose-Headers': 'Docker-Content-Digest', 'Access-Control-Origin': '*', 'Content-Length': '150', 'Content-Type': 'application/json; charset=utf-8', 'Date': 'Tue, 26 Mar 2024 11:03:45 GMT', 'Docker-Distribution-Api-Version': 'registry/2.0', 'Www-Authenticate': 'Bearer realm="https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth",service="registry",scope="repository:ansible:pull"', 'X-Content-Type-Options': 'nosniff'}
DEBUG:registry:b'{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ansible","Action":"pull"}]}]}\n'
{'method': 'Bearer', 'realm': 'https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth', 'service': 'registry', 'scope': 'repository:ansible:pull'}
INFO:registry:Phase 2: Basic Auth failed, fetching IDP with realm, service and scope
DEBUG:registry:200
DEBUG:registry:{'Cache-Control': 'no-store, must-revalidate, max-age=0', 'Content-Length': '946', 'Content-Type': 'application/json', 'Referrer-Policy': 'no-referrer', 'Set-Cookie': ['AUTH_SESSION_ID=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly;SameSite=None', 'AUTH_SESSION_ID_LEGACY=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly', 'KC_RESTART=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly', 'KEYCLOAK_IDENTITY=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly;SameSite=None', 'KEYCLOAK_IDENTITY_LEGACY=[REDACTED];Version=1;Path=/realms/registry/;Secure;HttpOnly', 'KEYCLOAK_SESSION="registry/[REDACTED]/[REDACTED]";Version=1;Path=/realms/registry/;Max-Age=36000;Secure;SameSite=None', 'KEYCLOAK_SESSION_LEGACY="registry/[REDACTED]/[REDACTED]";Version=1;Path=/realms/registry/;Max-Age=36000;Secure'], 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'SAMEORIGIN', 'X-Xss-Protection': '1; mode=block', 'Date': 'Tue, 26 Mar 2024 11:03:46 GMT'}
DEBUG:registry:b'{"token":"[REDACTED]","expires_in":300,"issued_at":"2024-03-26T12:03:46Z"}'
INFO:registry:Phase 3: Connecting to Registry with Credentials
{'method': 'Bearer', 'realm': 'https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth', 'service': 'registry', 'scope': 'registry:catalog:*'}
DEBUG:registry:401
DEBUG:registry:{'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Headers': ['Authorization', 'Accept', 'Cache-Control'], 'Access-Control-Allow-Methods': ['HEAD', 'GET', 'OPTIONS', 'DELETE'], 'Access-Control-Allow-Origin': '*', 'Access-Control-Expose-Headers': 'Docker-Content-Digest', 'Access-Control-Origin': '*', 'Content-Length': '150', 'Content-Type': 'application/json; charset=utf-8', 'Date': 'Tue, 26 Mar 2024 11:03:46 GMT', 'Docker-Distribution-Api-Version': 'registry/2.0', 'Www-Authenticate': 'Bearer realm="https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth",service="registry",scope="repository:ansible:pull",error="insufficient_scope"', 'X-Content-Type-Options': 'nosniff'}
DEBUG:registry:b'{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ansible","Action":"pull"}]}]}\n'
Traceback (most recent call last):
  File "d:\git\_managers\docker_registry_mydomain\test.py", line 14, in <module>
    print(reg.tag_list(image))
          ^^^^^^^^^^^^^^^^^^^
  File "d:\git\_managers\docker_registry_mydomain\src\docker_registry_mydomain\manager.py", line 272, in tag_list
    self.authenticate()
  File "d:\git\_managers\docker_registry_mydomain\src\docker_registry_mydomain\manager.py", line 150, in authenticate
    self.fetch_registry()
  File "d:\git\_managers\docker_registry_mydomain\src\docker_registry_mydomain\manager.py", line 136, in fetch_registry
    raise HTTP401Exception()
src.docker_registry_mydomain.exc.HTTP401Exception: 401 UNAUTHORIZED

My script is not an http/https endpoint but a simple Python script (like cURL).
Do the CORS headers have to match the Keycloak endpoint?

Registry Compose:

version: '3'
services:
  registry:
    image: registry
    container_name: registry
    hostname: registry.${DOMAIN}
    restart: ${RESTART_POLICY}
    pull_policy: ${PULL_POLICY}
    environment:
      TZ: ${TIMEZONE:-UTC}
      # REGISTRY_LOG
      REGISTRY_LOG_ACCESSLOG_DISABLED: "false"
      REGISTRY_LOG_LEVEL: "error"
      REGISTRY_LOG_FIELDS_SERVICE: "registry"
      REGISTRY_LOG_FIELDS_ENVIRONMENT: "production"
      REGISTRY_LOG_HOOKS_MAIL_LEVELS: "error"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_ADDR: "${REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_ADDR}"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_USERNAME: "${REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_USERNAME}"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_PASSWORD: "${REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_PASSWORD}"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_SMTP_INSECURE: "false"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_FROM: "registry@${DOMAIN}"
      REGISTRY_LOG_HOOKS_MAIL_OPTIONS_TO: "admin@${DOMAIN}"
      # REGISTRY_STORAGE_
      # REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
      REGISTRY_STORAGE: "s3"
      REGISTRY_STORAGE_S3_ACCESSKEY: "${REGISTRY_STORAGE_S3_ACCESSKEY}"
      REGISTRY_STORAGE_S3_SECRETKEY: "${REGISTRY_STORAGE_S3_SECRETKEY}"
      REGISTRY_STORAGE_S3_REGIONENDPOINT: "${REGISTRY_STORAGE_S3_REGIONENDPOINT}"
      REGISTRY_STORAGE_S3_REGION: "minio-dont-care"
      REGISTRY_STORAGE_S3_BUCKET: "docker-registry"
      REGISTRY_STORAGE_S3_SECURE: "false"
      REGISTRY_STORAGE_REDIRECT_DISABLE: "true"
      REGISTRY_STORAGE_DELETE_ENABLED: "true"
      # REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR: "redis"
      # REGISTRY_HTTP_
      REGISTRY_HTTP_ADDR: ":5000"
      REGISTRY_HTTP_HOST: "https://registry.${DOMAIN}:443"
      REGISTRY_HTTP_SECRET: "${REGISTRY_HTTP_SECRET}"
      REGISTRY_HTTP_DEBUG_ADDR: ":5001"
      REGISTRY_HTTP_DEBUG_PROMETHEUS_ENABLED: "true"
      REGISTRY_HTTP_DEBUG_PROMETHEUS_PATH: "/metrics"
      # The real CORS response header is Access-Control-Allow-Origin; "Access-Control-Origin" is not a recognised header
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: "['*']"
      # REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: "['https://sso.${DOMAIN}']"
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: "['HEAD', 'GET', 'OPTIONS', 'DELETE']"
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: "['true']"
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: "['Authorization', 'Accept', 'Cache-Control']"
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: "['Docker-Content-Digest']"
      REGISTRY_HTTP_HEADERS_X_CONTENT_TYPE_OPTIONS: "['nosniff']"
      REGISTRY_HTTP_HTTP2_DISABLED: "false"
      # REGISTRY_NOTIFICATIONS_
      # REGISTRY_NOTIFICATIONS_EVENTS_INCLUDEREFERENCES: "true"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_DISABLED: "true"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_URL: "https://hub.${DOMAIN}"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_IGNOREDMEDIATYPES: "application/octet-stream"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_IGNORED_MEDIATYPES: "application/octet-stream"
      REGISTRY_NOTIFICATIONS_ENDPOINTS_DJANGO_IGNORED_ACTIONS: "pull"
      # REGISTRY_AUTH_
      REGISTRY_AUTH_TOKEN_REALM: https://sso.${DOMAIN}/realms/registry/protocol/docker-v2/auth
      REGISTRY_AUTH_TOKEN_SERVICE: "registry"
      REGISTRY_AUTH_TOKEN_ISSUER: https://sso.${DOMAIN}/realms/registry
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: "/opt/certs/registry_trust_chain.pem"
      REGISTRY_AUTH_TOKEN_AUTOREDIRECT: "false" # Must be off because of external SSO/SAML
      ## Registry OAuth2 with Gitlab JWT
      # REGISTRY_AUTH_TOKEN_REALM: https://gitlab.${DOMAIN}/jwt/auth
      # REGISTRY_AUTH_TOKEN_SERVICE: container_registry
      # REGISTRY_AUTH_TOKEN_ISSUER: gitlab-issuer
      # REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/gitlab-registry.pem
      # REGISTRY_HTTP_TLS_CERTIFICATE: /certs/gitlab-registry.crt
      # REGISTRY_HTTP_TLS_KEY: /certs/gitlab-registry.key
      # REGISTRY_REDIS_
      REGISTRY_REDIS_ADDR: "redis:6379"
      REGISTRY_REDIS_PASSWORD: "${REDIS_PASSWORD}"
      REGISTRY_REDIS_DB: 1
      # REGISTRY_REDIS_TLS_ENABLED: "false"
      # REGISTRY_HEALTH_
      REGISTRY_HEALTH_STORAGEDRIVER_ENABLED: "true"
    ports:
      - "5001:5001"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "${VOLUME_POINT}registry-new-certs:/opt/certs:Z" # Using Keycloak SSO/SAML with its SSL certificates
      # - "registry-data:/data:Z" # Moved to MinIO S3 Bucket
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      #
      - "traefik.enable=true"
      - "traefik.http.routers.registry.rule=Host(`registry.${DOMAIN}`)"
      - "traefik.http.routers.registry.entrypoints=https"
      - "traefik.http.routers.registry.tls.certresolver=gcloud"
      - "traefik.http.routers.registry.service=registry"
      - "traefik.http.middlewares.registry-headers.headers.accessControlAllowCredentials=true"
      # Traefik list options are plain comma-separated values; quoting them puts literal quotes into the header
      - "traefik.http.middlewares.registry-headers.headers.accessControlAllowHeaders=Authorization,Accept,Cache-Control"
      - "traefik.http.middlewares.registry-headers.headers.accessControlAllowMethods=HEAD,GET,OPTIONS,DELETE"
      - "traefik.http.middlewares.registry-headers.headers.accessControlAllowOriginList=*"
      - "traefik.http.middlewares.registry-headers.headers.accessControlExposeHeaders=Docker-Content-Digest"
      # X-Content-Type-Options is a response header, so it belongs in customResponseHeaders, not customRequestHeaders
      - "traefik.http.middlewares.registry-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
      - "traefik.http.routers.registry.middlewares=registry-headers"
      - "traefik.http.services.registry.loadbalancer.server.port=5000"
    networks:
      - traefik
      - backend

volumes:
 ...
networks:
 ...

Keycloak Compose:

version: "3"
services:
  keycloak:
    image: registry.mydomain.com/keycloak:latest
    container_name: keycloak
    hostname: keycloak
    restart: always
    pull_policy: if_not_present
    environment:
      TZ: Europe/Paris
      PUID: 1000
      PGID: 0
      # Keycloak Docker settings
      REGISTRY_CATALOG_AUDIENCE: editor #user|editor
      REGISTRY_NAMESPACE_SCOPE: group #username|group|group,username
      REGISTRY_GROUP_PREFIX: "registry-"
      # Keycloak settings
      KC_LOG_LEVEL: debug #info|debug|trace|warn
      PROXY_ADDRESS_FORWARDING: "true"
      KC_PROXY: edge
      KC_HOSTNAME_URL: "https://sso.${DOMAIN}"
      KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HTTP_ENABLED: "true"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`sso.${DOMAIN}`)"
      - "traefik.http.routers.keycloak.entrypoints=https"
      - "traefik.http.routers.keycloak.service=keycloak"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
    networks:
      - traefik
      - backend

networks:
...

(Sensitive data are in the Dockerfile.)


Edit:

It's OK, the error was in my script.
I closed the issue, thanks for your help.

PS D:\git\_managers\docker_registry_mydomain> & d:/git/_managers/docker_registry_mydomain/.venv/Scripts/python.exe d:/git/_managers/docker_registry_mydomain/test.py
INFO:registry:Phase 1: Testing Registry Basic Auth
INFO:registry:Phase 2: Basic Auth failed, fetching IDP with realm, service and scope
INFO:registry:Phase 3: Connecting to Registry with Credentials
{'method': 'Bearer', 'realm': 'https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth', 'service': 'registry', 'scope': 'repository:ansible:pull'}
{'name': 'ansible', 'tags': ['latest']}

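As an added example (not the issue author's script, which is not shown here): parsing the registry's Bearer challenge, building the token request it points at, and the scope check that explains the Phase 3 `insufficient_scope` 401 above. The header values are constructed from the log in this thread.

```python
"""Docker registry v2 token-auth helpers: parse the Www-Authenticate Bearer
challenge, derive the IdP token URL, and check that the token presented on
retry carries the scope the registry actually asked for.
Added example; not the issue author's script. Sample headers constructed
from the thread's log output."""
import re
from urllib.parse import urlencode

# Constructed sample: the challenge returned in Phase 1 (no token yet).
CHALLENGE_PHASE1 = ('Bearer realm="https://sso.mydomain.com/realms/registry/protocol/docker-v2/auth",'
                    'service="registry",scope="repository:ansible:pull"')
# Constructed sample: the challenge returned in Phase 3 after a token was sent.
CHALLENGE_PHASE3 = CHALLENGE_PHASE1 + ',error="insufficient_scope"'

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(www_authenticate: str) -> dict:
    """Split 'Bearer k="v",k="v"' into {'method': 'Bearer', 'realm': ..., ...}."""
    method, _, params = www_authenticate.partition(" ")
    if method != "Bearer":
        raise ValueError(f"unsupported auth method: {method!r}")
    challenge = {"method": method}
    challenge.update(_PARAM.findall(params))  # realm, service, scope, optional error
    return challenge


def token_url(challenge: dict) -> str:
    """Build the IdP token request the challenge points at (realm?service=&scope=)."""
    query = {"service": challenge["service"], "scope": challenge["scope"]}
    return challenge["realm"] + "?" + urlencode(query, safe=":")


def diagnose(challenge: dict, token_scope: str) -> str:
    """Explain a 401 that arrives after a token was already presented.
    error="insufficient_scope" plus a scope mismatch is the Phase 3 symptom:
    the token was minted for one scope and used against another."""
    error = challenge.get("error")
    if error == "insufficient_scope" and token_scope != challenge["scope"]:
        return f"token scope {token_scope!r} != challenged scope {challenge['scope']!r}"
    if error:
        return f"registry rejected token: {error}"
    return "no token presented yet"


if __name__ == "__main__":
    first = parse_challenge(CHALLENGE_PHASE1)
    print(token_url(first))
    print(diagnose(parse_challenge(CHALLENGE_PHASE3), "registry:catalog:*"))
```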
