git.stella-ops.org/docs/modules/registry/README.md
2025-12-25 18:50:33 +02:00


StellaOps Registry Token Service

Registry Token Service issues short-lived Docker registry bearer tokens for private or mirrored registries. It exchanges an Authority-issued access token for a registry-compatible JWT after enforcing plan/licence constraints.

Responsibilities

  • Validate Authority-issued caller identity and required scopes (default registry.token.issue).
  • Authorize requested repository scopes against a local plan catalogue (stellaops:plan claim + configured rules).
  • Block issuance for revoked licences (stellaops:license claim + configured deny list).
  • Mint registry tokens with a bounded lifetime (default 5 minutes) signed by a local RSA key.

Key endpoints

  • GET /token - Docker registry token exchange endpoint: the realm a registry advertises in its WWW-Authenticate: Bearer challenge, called with the service and scope query parameters from that challenge (scope=repository:<name>:<actions>) while presenting the Authority-issued access token. The response is the registry-compatible JWT whose access claim carries only the actions the plan allows.
  • GET /healthz - liveness probe.
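The exchange behind GET /token, carried end to end as an added example. This is not the project's code (the real service is the .NET project listed under Code locations); it is written in Go, the language of the Docker distribution registry, so the token shape matches what a registry verifies. It assumes the Authority token has already been validated upstream and its claims mapped into a Caller value, uses a prefix-based plan catalogue (PlanRule, Policy) as a stand-in for the configured rules and deny list, and generates a fresh RSA key in place of the service's local key. The names stellaops:plan, stellaops:license and registry.token.issue come from this README; every other identifier is the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
	"strings"
	"time"
)

// Caller holds claims assumed to come from an already-validated Authority token
// (signature, issuer and audience checked upstream); claim names follow the README.
type Caller struct {
	Subject string
	Scopes  []string // Authority scopes, e.g. "registry.token.issue"
	Plan    string   // stellaops:plan claim
	License string   // stellaops:license claim
}

// Access is one entry of the Docker registry token "access" claim.
type Access struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}

// PlanRule and Policy are hypothetical in-memory stand-ins for the configured
// plan catalogue, licence deny list and token lifetime (README default: 5 min).
type PlanRule struct{ Prefixes, Actions []string }
type Policy struct {
	Plans    map[string]PlanRule
	Revoked  map[string]bool
	TokenTTL time.Duration
}

const requiredScope = "registry.token.issue"

var b64 = base64.RawURLEncoding.EncodeToString

// NewSigningKey stands in for loading the service's local RSA signing key.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ParseScope parses one Docker "scope" query value, "type:name:action,action";
// names may contain ':' (host:port/repo), so only the outer fields are fixed.
func ParseScope(s string) (Access, error) {
	p := strings.Split(s, ":")
	if len(p) < 3 || p[0] == "" || p[len(p)-1] == "" {
		return Access{}, errors.New("malformed scope: " + s)
	}
	return Access{p[0], strings.Join(p[1:len(p)-1], ":"), strings.Split(p[len(p)-1], ",")}, nil
}

// Authorize applies the README's gates: required Authority scope, licence not
// revoked, then each requested scope narrowed to the plan's allowed actions.
// As in the Docker token flow, disallowed actions are dropped rather than
// failing the request; an unknown plan or unmatched repository grants nothing.
func (p Policy) Authorize(c Caller, requested []string) ([]Access, error) {
	if !slices.Contains(c.Scopes, requiredScope) {
		return nil, errors.New("caller lacks scope " + requiredScope)
	}
	if p.Revoked[c.License] {
		return nil, errors.New("licence revoked: " + c.License)
	}
	rule := p.Plans[c.Plan] // zero value for an unknown plan: no prefixes, no actions
	grants := []Access{}
	for _, s := range requested {
		a, err := ParseScope(s)
		if err != nil {
			return nil, err
		}
		granted := []string{}
		if a.Type == "repository" && slices.ContainsFunc(rule.Prefixes, func(pre string) bool { return strings.HasPrefix(a.Name, pre) }) {
			granted = slices.DeleteFunc(a.Actions, func(act string) bool { return !slices.Contains(rule.Actions, act) })
		}
		grants = append(grants, Access{a.Type, a.Name, granted})
	}
	return grants, nil
}

// Mint signs an RS256 JWT in the shape a registry expects: aud is the registry
// "service" name, exp is bounded by TokenTTL and access carries the grants.
func (p Policy) Mint(key *rsa.PrivateKey, issuer, service string, c Caller, grants []Access, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]any{ // plain values: cannot fail to marshal
		"iss": issuer, "sub": c.Subject, "aud": service, "access": grants,
		"iat": now.Unix(), "nbf": now.Unix(), "exp": now.Add(p.TokenTTL).Unix(),
	})
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}
```

A registry honours only the actions present in the access claim, so the narrowed grant (push dropped for a pull-only plan, an empty action list for a repository outside the plan) is what enforces the plan on the registry side; a revoked licence or a caller without registry.token.issue gets no token at all. The registry must be configured to trust the public half of the signing key, and exp is set from TokenTTL so the README's 5-minute window is a property of every token minted.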

Code locations

  • Service: src/Registry/StellaOps.Registry.TokenService
  • Tests: src/Registry/__Tests/StellaOps.Registry.TokenService.Tests

Configuration

  • File: etc/registry-token.yaml
  • Environment variables: REGISTRY_TOKEN_*

Implementation Status

Current Objectives

  • Maintain deterministic behaviour and offline parity across releases
  • Keep documentation, telemetry, and runbooks aligned with latest sprint outcomes

Epic Milestones

  • Epic 10 Export Center: signed registry token bundles for mirror/Offline Kit workflows (planned)
  • Epic 14 Identity & Tenancy: tenant-aware scope validation, revocation, audit trails (planned)

Core Capabilities

  • Docker registry token exchange with Authority validation
  • Plan/license constraint enforcement via claims inspection
  • Short-lived JWT tokens (default 5 minutes) signed by local RSA key
  • Revocation support via deny list and stellaops:license claim

Technical Decisions

  • Token lifetime bounded to 5 minutes to minimize exposure window
  • Local RSA key signing avoids external dependencies; the registry must be configured to trust the matching public key, so rotating that key has to be coordinated with the registry's configuration
  • Plan catalogue enforcement ensures license compliance
  • Integration with Authority for caller identity and scope validation

Coordination Approach

  • Review AGENTS.md before starting new work
  • Sync with cross-cutting teams via docs/implplan/SPRINT_*.md
  • Track follow-ups in ../../TASKS.md and src/Registry/TASKS.md
  • Architecture: docs/modules/registry/architecture.md
  • Operations: docs/modules/registry/operations/token-service.md