stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
82a49f6743202b4828f46f369474f26ec0a0edf9
git.stella-ops.org/docs/modules/registry/README.md
StellaOps Bot 82a49f6743 docs consolidation work
2025-12-25 18:50:33 +02:00

59 lines
2.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# StellaOps Registry Token Service
Registry Token Service issues short-lived Docker registry bearer tokens for private or mirrored registries.
It exchanges an Authority-issued access token for a registry-compatible JWT after enforcing plan/licence constraints.
## Responsibilities
- Validate Authority-issued caller identity and required scopes (default `registry.token.issue`).
- Authorize requested repository scopes against a local plan catalogue (`stellaops:plan` claim + configured rules).
- Block issuance for revoked licences (`stellaops:license` claim + configured deny list).
- Mint registry tokens with a bounded lifetime (default 5 minutes) signed by a local RSA key.
## Key endpoints
- `GET /token` - Docker registry token exchange endpoint.
- `GET /healthz` - liveness probe.
## Code locations
- Service: `src/Registry/StellaOps.Registry.TokenService`
- Tests: `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`
## Configuration
- File: `etc/registry-token.yaml`
- Environment variables: `REGISTRY_TOKEN_*`
## Implementation Status
### Current Objectives
- Maintain deterministic behaviour and offline parity across releases
- Keep documentation, telemetry, and runbooks aligned with latest sprint outcomes
### Epic Milestones
- Epic 10 Export Center: signed registry token bundles for mirror/Offline Kit workflows (planned)
- Epic 14 Identity & Tenancy: tenant-aware scope validation, revocation, audit trails (planned)
### Core Capabilities
- Docker registry token exchange with Authority validation
- Plan/license constraint enforcement via claims inspection
- Short-lived JWT tokens (default 5 minutes) signed by local RSA key
- Revocation support via deny list and stellaops:license claim
### Technical Decisions
- Token lifetime bounded to 5 minutes to minimize exposure window
- Local RSA key signing avoids external dependencies
- Plan catalogue enforcement ensures license compliance
- Integration with Authority for caller identity and scope validation
### Coordination Approach
- Review AGENTS.md before starting new work
- Sync with cross-cutting teams via docs/implplan/SPRINT_*.md
- Track follow-ups in ../../TASKS.md and src/Registry/TASKS.md
## Related docs
- Architecture: `docs/modules/registry/architecture.md`
- Operations: `docs/modules/registry/operations/token-service.md`
Reference in New Issue View Git Blame Copy Permalink