starlingx/docs
Code Issues Proposed changes
docs/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst
Juanita-Balaraj 0c4aa91ca4 Updated Patch Set 5 to include review comments 
Changed name of file to:
admin-application-commands-and-helm-overrides.rst

Updated Strings.txt

Updated formatting issues:
installing-and-running-cpu-manager-for-kubernetes.rst

Updated Patch Set 4 to include review comments

Admin Tasks Updated

Changed name of include file to:
isolating-cpu-cores-to-enhance-application-performance.rest

Change-Id: I0b354dda3c7f66da3a5d430839b5007a6a19cfad
Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
Signed-off-by: Stone <ronald.stone@windriver.com>
Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
2021-01-11 23:40:36 -05:00

2.7 KiB
Raw Blame History

Install/Update the Docker Registry Certificate

The local Docker registry provides secure HTTPS access using the registry API.

By default a self-signed certificate is generated at installation time for the registry API. For more secure access, a Root CA-signed certificate is strongly recommended.

The Root CA-signed certificate for the registry must have at least the following : DNS:registry.local,DNS:registry.central, IP Address:<oam-floating-ip-address>, IP Address:<mgmt-floating-ip-address>. Use the system addrpool-list command to get the floating IP Address and management floating IP Address for your system. You can add any additional DNS entry(s) that you have set up for your OAM floating IP Address.

Use the following procedure to install a Root CA-signed certificate to either replace the default self-signed certificate or to replace an expired or soon to expire certificate.

Obtain a Root CA-signed certificate and key from a trusted Root Certificate Authority (CA). Refer to the documentation for the external Root CA that you are using, on how to create public certificate and private key pairs, signed by a Root CA, for HTTPS.

Put the Privacy Enhanced Mail (PEM) encoded versions of the certificate and key in a single file, and copy the file to the controller host.

Also obtain the certificate of the Root CA that signed the above certificate.

  1. In order to enable internal use of the Docker registry certificate, update the trusted CA list for this system with the Root CA associated with the Docker registry certificate.

    ~(keystone_admin)$ system certificate-install --mode ssl_ca <pathTocertificate>

    where:

    <pathTocertificate>

    is the path to the Root CA certificate associated with the Docker registry Root CA-signed certificate.

  2. Update the Docker registry certificate using the certificate-install command.

    Set the mode (-m or --mode) parameter to docker_registry.

    ~(keystone_admin)$ system certificate-install --mode docker_registry <pathTocertificateAndKey>

    where:

    <pathTocertificateAndKey>

    is the path to the file containing both the Docker registry certificate and private key to install.