Docker-registry/jwt-authorizer

The Docker registry also accepts authorization using JSON Web Tokens. This option was introduced to allow Trusted GitLab Runners to push images to the registry during CI builds (T308501). nginx on the registry is configured to accept jwt from a list of allowed IPs (profile::docker_registry_ha::registry::jwt_allowed_ips).

Furthermore a dedicated daemon is executed to handle the jwt validation. This daemon is a go application hosted under https://gitlab.wikimedia.org/repos/releng/jwt-authorizer.

Building a new version

Building jwt-authorizer mostly follows the standard Debian Packaging workflow. jwt-authorizer needs golang >=1.16, so currently DIST=bullseye-backports is used and the import on apt needs a additional ignore parameter:

• checkout the git repo on the build host as your user (see Debian Packaging for current buildhost, build2001.codfw.wmnet as of today)
• change to the jwt-authorizer folder:

# on build2001
cd jwt-authorizer

• build the package as your user:

# on build2001
DIST=bullseye-backports pdebuild

Publish a new version

The newly build version has to be synced to apt host (apt1001.wikimedia.org as of today):

# on apt1001
rsync -vaz build2001.codfw.wmnet::pbuilder-result/bullseye-amd64/*<PACKAGE VERSION>* .

Next the package has to be loaded with reprepro:

# on apt1001
sudo -i reprepro -C main --ignore=wrongdistribution include bullseye-wikimedia /path/to/<PACKAGE>.changes
# on apt1001 (for hosts still on buster)
sudo -i reprepro -C main --ignore=wrongdistribution include buster-wikimedia /path/to/<PACKAGE>.changes

Now check if the new version is available:

# on apt1001
sudo -i reprepro lsbycomponent jwt-authorizer

Log the change to SAL

!log "Imported jwt-authorizer <PACKAGE VERSION>"