about summary refs log tree commit diff
path: root/tools/nixery/README.md
diff options
context:
space:
mode:
authorVincent Ambo <tazjin@google.com>2019-08-03T00·21+0100
committerVincent Ambo <github@tazj.in>2019-08-03T00·31+0100
commit07ef06dcfadef108cfb43df7610db710568a1c45 (patch)
tree96757e070da155957825268b9ee4e8e19b9d01ef /tools/nixery/README.md
parent3347c38ba7b79f0251ca16c332867d4488976ac5 (diff)
feat(go): Support signed GCS URLs with static keys
Google Cloud Storage supports granting access to protected objects via
time-restricted URLs that are cryptographically signed.

This makes it possible to store private data in buckets and to
distribute it to eligible clients without having to make those clients
aware of GCS authentication methods.

Nixery now uses this feature to sign URLs for GCS buckets when
returning layer URLs to clients on image pulls. This means that a
private Nixery instance can run a bucket with restricted access just
fine.

Under the hood Nixery uses a key provided via environment
variables to sign the URL with a 5 minute expiration time.

This can be set up by adding the following two environment variables:

* GCS_SIGNING_KEY: Path to the PEM file containing the signing key.
* GCS_SIGNING_ACCOUNT: Account ("e-mail" address) to use for signing.

If the variables are not set, the previous behaviour is not modified.
Diffstat (limited to 'tools/nixery/README.md')
0 files changed, 0 insertions, 0 deletions