docs consolidation
This commit is contained in:
StellaOps Bot
@@ -1,34 +1,31 @@
|
||||
# StellaOps Registry Token Service
|
||||
|
||||
The registry module issues scoped pull tokens for mirrored container registries while enforcing plan and licence constraints.
|
||||
|
||||
## Responsibilities
|
||||
- Validate Authority-issued OpToks and tenant scopes before issuance.
|
||||
- Mint time-bound registry tokens and record issuance ledgers.
|
||||
- Expose revocation and audit endpoints for security teams.
|
||||
- Integrate with Offline Kit for deterministic token manifests.
|
||||
|
||||
## Key components
|
||||
- `StellaOps.Registry.TokenService` minimal API host.
|
||||
- Mongo-backed issuance ledger.
|
||||
- Tests under `src/Registry/__Tests`.
|
||||
|
||||
## Integrations & dependencies
|
||||
- Authority for identity & scope verification.
|
||||
- Export Center/Offline Kit for distribution.
|
||||
- DevOps runbooks for deployment and rotation.
|
||||
|
||||
## Operational notes
|
||||
- Operational guide at ./operations/token-service.md.
|
||||
- Telemetry dashboards pending (see ../../TASKS.md).
|
||||
|
||||
## Related resources
|
||||
- ./operations/token-service.md
|
||||
|
||||
## Backlog references
|
||||
- DEVOPS-REGISTRY items in ../../TASKS.md (future work).
|
||||
- Registry automation stories tracked in src/Registry/TASKS.md if present.
|
||||
|
||||
## Epic alignment
|
||||
- **Epic 10 – Export Center:** provide signed, auditable registry token bundles for mirror distribution.
|
||||
- **Epic 14 – Identity & Tenancy:** enforce tenant-aware scopes, PoE alignment, and revocation policies.
|
||||
# StellaOps Registry Token Service
|
||||
|
||||
Registry Token Service issues short-lived Docker registry bearer tokens for private or mirrored registries.
|
||||
It exchanges an Authority-issued access token for a registry-compatible JWT after enforcing plan/licence constraints.
|
||||
|
||||
## Responsibilities
|
||||
|
||||
- Validate Authority-issued caller identity and required scopes (default `registry.token.issue`).
|
||||
- Authorize requested repository scopes against a local plan catalogue (`stellaops:plan` claim + configured rules).
|
||||
- Block issuance for revoked licences (`stellaops:license` claim + configured deny list).
|
||||
- Mint registry tokens with a bounded lifetime (default 5 minutes) signed by a local RSA key.
|
||||
|
||||
## Key endpoints
|
||||
|
||||
- `GET /token` - Docker registry token exchange endpoint.
|
||||
- `GET /healthz` - liveness probe.
|
||||
|
||||
## Code locations
|
||||
|
||||
- Service: `src/Registry/StellaOps.Registry.TokenService`
|
||||
- Tests: `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`
|
||||
|
||||
## Configuration
|
||||
|
||||
- File: `etc/registry-token.yaml`
|
||||
- Environment variables: `REGISTRY_TOKEN_*`
|
||||
|
||||
## Related docs
|
||||
|
||||
- Architecture: `docs/modules/registry/architecture.md`
|
||||
- Operations: `docs/modules/registry/operations/token-service.md`
|
||||
|
||||
Reference in New Issue
Block a user