Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments.

Story: 2007361
Task: 42625
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
Configure Docker Registry Certificate
The local Docker registry provides secure HTTPS access using the registry API.
By default, a self-signed server certificate is generated at installation time for the registry API. For more secure access, an intermediate or Root CA-signed server certificate is strongly recommended.
To configure or update the HTTPS certificate for the local Docker registry, create a certificate named system-registry-local-certificate in the deployment namespace. The secretName attribute of this certificate's spec must also be named system-registry-local-certificate.
See the example procedure below for creating the certificate for the local Docker registry. This example assumes you have configured a system-local-ca ClusterIssuer as described in starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.
Update the following fields:
- The duration and renewBefore dates for the expiry and renewal times you desire. The system will automatically renew and re-install the certificate.
- The subject fields to identify your particular system.
- The ipAddresses with the Floating IP Address and the MGMT Floating IP address for this system. Use the system addrpool-list command to get the floating IP Address and management floating IP Address for your system.
- The dnsNames with registry.local, registry.central and any names configured for this system's Floating IP Address in an external DNS server.
Create the Docker certificate yaml configuration file.
~(keystone_admin)]$ cat <<EOF > docker-certificate.yaml
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: system-registry-local-certificate
  namespace: deployment
spec:
  secretName: system-registry-local-certificate
  issuerRef:
    name: system-local-ca
    kind: ClusterIssuer
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
    - ABC-Company
    organizationalUnits:
    - StarlingX-system-registry-local
  ipAddresses:
  - <OAM_FLOATING_IP>
  - <MGMT_FLOATING_IP>
  dnsNames:
  - registry.local
  - registry.central
  - <external-FQDN-for-OAM-Floating-IP-Address, if applicable>
EOF
Apply the configuration.
~(keystone_admin)]$ kubectl apply -f docker-certificate.yaml
Verify the configuration.
~(keystone_admin)]$ kubectl get certificate system-registry-local-certificate -n deployment
If configuration was successful, the certificate's Ready status will be True.
The Docker registry certificate installation is now complete, and Cert-Manager will handle the lifecycle management of the certificate.
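The most common reasons the certificate never reaches Ready are easy to catch before kubectl apply: a placeholder such as <OAM_FLOATING_IP> left unedited, a secretName that does not match the certificate name, or a renewBefore that is not shorter than the duration. The following script is an added example, not part of the StarlingX documentation or project code; it lints docker-certificate.yaml against the constraints stated in this procedure. It assumes the single-document layout shown above and parses that YAML subset with the Python standard library only, so it needs neither PyYAML nor kubectl; the IP addresses in its sample manifests are constructed for the example.

```python
# Added example (not StarlingX documentation or project code): a pre-apply lint
# for the docker-certificate.yaml manifest from the procedure above. It assumes the
# single-document layout shown there and parses that YAML subset (nested mappings,
# "- item" lists, trailing comments) with the stdlib only, so it runs offline.
import ipaddress
import re

CERT_NAME = "system-registry-local-certificate"  # metadata.name and spec.secretName
NAMESPACE = "deployment"
REQUIRED_DNS = ("registry.local", "registry.central")
_PLACEHOLDER = re.compile(r"^<.*>$")  # e.g. <OAM_FLOATING_IP> left unedited
_UNITS = {"h": 3600, "m": 60, "s": 1}


def _tokenize(text):
    """(indent, content) pairs without comments, blank lines or '---'."""
    lines = (raw.split(" #", 1)[0].rstrip() for raw in text.splitlines())
    return [(len(l) - len(l.lstrip(" ")), l.strip()) for l in lines
            if l.strip() and not l.lstrip().startswith("#") and l.strip() != "---"]


def _parse(tokens, pos, indent):
    """Parse the mapping or list at exactly `indent`; a list may sit under its key or at the key's indent."""
    if pos < len(tokens) and tokens[pos][1].startswith("- "):
        items = []
        while pos < len(tokens) and tokens[pos][0] == indent and tokens[pos][1].startswith("- "):
            items.append(tokens[pos][1][2:].strip())
            pos += 1
        return items, pos
    mapping = {}
    while pos < len(tokens) and tokens[pos][0] == indent and not tokens[pos][1].startswith("- "):
        key, _, value = tokens[pos][1].partition(":")
        key, value, pos = key.strip(), value.strip(), pos + 1
        if value:
            mapping[key] = value
        elif pos < len(tokens) and (tokens[pos][0] > indent or (
                tokens[pos][0] == indent and tokens[pos][1].startswith("- "))):
            mapping[key], pos = _parse(tokens, pos, tokens[pos][0])
        else:
            mapping[key] = None
    return mapping, pos


def parse_duration(value):
    """Parse a Go-style duration as cert-manager accepts it ('2160h', '1h30m') into seconds."""
    if not value or not re.fullmatch(r"(\d+[hms])+", value):
        raise ValueError(f"invalid duration {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([hms])", value))


def lint_registry_certificate(manifest_text):
    """Return the list of problems found; an empty list means every check passed."""
    doc, _ = _parse(_tokenize(manifest_text), 0, 0)
    meta, spec = doc.get("metadata") or {}, doc.get("spec") or {}
    problems = []
    if meta.get("name") != CERT_NAME or spec.get("secretName") != CERT_NAME:
        problems.append(f"metadata.name and spec.secretName must both be {CERT_NAME}")
    if meta.get("namespace") != NAMESPACE:
        problems.append(f"metadata.namespace must be {NAMESPACE}")
    try:  # cert-manager can only renew if renewBefore leaves a window inside duration
        if parse_duration(spec.get("renewBefore")) >= parse_duration(spec.get("duration")):
            problems.append("renewBefore must be shorter than duration")
    except ValueError as exc:
        problems.append(str(exc))
    for ip in spec.get("ipAddresses") or []:
        try:  # an unedited <PLACEHOLDER> fails this check as well
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"not an IP address: {ip}")
    names = spec.get("dnsNames") or []
    problems += [f"placeholder left in dnsNames: {n}" for n in names if _PLACEHOLDER.match(n)]
    problems += [f"dnsNames must include {n}" for n in REQUIRED_DNS if n not in names]
    return problems


# Constructed sample: the procedure's manifest with placeholders filled in (IPs made up).
GOOD_MANIFEST = """\
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: system-registry-local-certificate
  namespace: deployment
spec:
  secretName: system-registry-local-certificate
  issuerRef:
    name: system-local-ca
    kind: ClusterIssuer
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  ipAddresses:
  - 10.10.10.2
  - 192.168.204.2
  dnsNames:
  - registry.local
  - registry.central
"""
# Constructed mistakes: placeholder left in, renewBefore > duration, registry.central missing.
BAD_MANIFEST = (GOOD_MANIFEST.replace("10.10.10.2", "<OAM_FLOATING_IP>")
                .replace("renewBefore: 360h", "renewBefore: 3600h")
                .replace("  - registry.central\n", ""))
```

Run lint_registry_certificate on the contents of docker-certificate.yaml before the kubectl apply step; an empty list means the manifest satisfies every constraint this procedure states, while each string in a non-empty list names one field to fix. The renewBefore check matters because Cert-Manager schedules renewal at expiry minus renewBefore, so a window that is not shorter than the duration cannot be honoured.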