docker.proxy.only_auth_for_admin breaks admin authentication

[clbeeson]

After adding docker.proxy.only_auth_for_admin true to our 3.3.1 deployment (the deployment previously had basic auth enabled and allowed push and pull operations with credentials) , I am able to pull images without providing credentials but am unable to push an image even with appropriate credentials. This seems connected with the differences between v1 and v2 protocols for pull and push as referenced here: https://github.com/docker/distribution/issues/1230

[jhunt]

Do we just need to update the version of docker/distribution?

[clbeeson]

From the research I've done it doesn't look like a basic auth with a limit_except Get in nginx will provide the unauthenticated pull and authenticated push/admin functions. Doesn't look like there is much support for this type of solution in the Docker community either. The options to resolve shown in the Docker community are: 1.) Use JWT support for finer grained access controls. 2.) Use 2 URLs and separate the access controls in the nginx config by the endpoints. 3.) Basically the same as #2 except use different ports for segregation.

[kinjelom]

Please look at this PR: https://github.com/cloudfoundry-community/docker-registry-boshrelease/pull/36 it solves this issue by using "ports for segregation" mentioned by @clbeeson

Tested:

• docker login/logout/push/pull on port 5000 with authentication
• docker pull on port 443 without authentication

---

The registry is available for administrative and reading purposes on different rules:

• administration and reading:
  • default port: 5000
  • default authentication: basic

• readonly:

  • default port: 443
  • default authentication: none

  You can change it by setting docker.proxy.only_auth_for_admin=false, it disables access on port 443.

[jhunt]

Merged #36