# StellaOps Registry Token Service
Registry Token Service issues short-lived Docker registry bearer tokens for private or mirrored registries.
It exchanges an Authority-issued access token for a registry-compatible JWT after enforcing plan/licence constraints.
## Responsibilities
- Validate Authority-issued caller identity and required scopes (default `registry.token.issue`).
- Authorize requested repository scopes against a local plan catalogue (`stellaops:plan` claim + configured rules).
- Block issuance for revoked licences (`stellaops:license` claim + configured deny list).
- Mint registry tokens with a bounded lifetime (default 5 minutes) signed by a local RSA key.
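
The issuance decision described in the list above, as an added Python sketch that is not the service's own code: it checks the caller scope and licence, narrows each requested Docker scope to what the plan allows, and builds the claim set that would then be signed. The rule format, the sample plan names and licence ids, the space-delimited `scope` claim, and the narrowing behaviour (rather than rejecting the request) are assumptions; RSA signing is left out.

```python
import fnmatch
import time

REQUIRED_SCOPE = "registry.token.issue"   # default named in this README
TOKEN_LIFETIME_SECONDS = 5 * 60           # default named in this README

# Constructed sample rules; the real schema is whatever etc/registry-token.yaml defines.
PLAN_RULES = {
    "community": [("stellaops/public/*", {"pull"})],
    "enterprise": [("stellaops/*", {"pull", "push"})],
}
REVOKED_LICENSES = {"lic-revoked-001"}    # constructed deny list


def parse_scope(scope):
    """Split a Docker scope string 'repository:<name>:<a,b>' into (name, actions)."""
    kind, _, rest = scope.partition(":")
    # rpartition keeps repository names that themselves contain ':' (host:port/...).
    name, _, actions = rest.rpartition(":")
    if kind != "repository" or not name or not actions:
        raise ValueError(f"unsupported scope: {scope!r}")
    return name, set(actions.split(","))


def granted_actions(plan, name, requested):
    """Actions the plan allows on this repository, capped at what was requested."""
    allowed = set()
    for pattern, actions in PLAN_RULES.get(plan, []):
        if fnmatch.fnmatchcase(name, pattern):
            allowed |= actions
    return sorted(requested & allowed)


def build_registry_claims(caller, service, scopes, now=None):
    """Return the claim set to sign, or raise PermissionError before minting."""
    if REQUIRED_SCOPE not in caller.get("scope", "").split():
        raise PermissionError("missing required scope")
    if caller.get("stellaops:license") in REVOKED_LICENSES:
        raise PermissionError("licence revoked")
    now = int(time.time()) if now is None else now
    access = []
    for scope in scopes:
        name, requested = parse_scope(scope)
        actions = granted_actions(caller.get("stellaops:plan"), name, requested)
        if actions:  # unknown plans and unmatched repositories get no access entry
            access.append({"type": "repository", "name": name, "actions": actions})
    return {"sub": caller["sub"], "aud": service, "iat": now, "nbf": now,
            "exp": now + TOKEN_LIFETIME_SECONDS, "access": access}
```

A caller with an unknown or missing plan still passes the scope and licence checks here but receives an empty `access` list, so the resulting token grants nothing.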
## Key endpoints
- `GET /token` - Docker registry token exchange endpoint.
- `GET /healthz` - liveness probe.
## Code locations
- Service: `src/Registry/StellaOps.Registry.TokenService`
- Tests: `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`
## Configuration
- File: `etc/registry-token.yaml`
- Environment variables: `REGISTRY_TOKEN_*`
## Related docs
- Architecture: `docs/modules/registry/architecture.md`
- Operations: `docs/modules/registry/operations/token-service.md`