starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate.rst
egoncalv 5579744656 Editorial updates on Security Guide upstream 
Acted on Greg's comments

Patch 1: Deleted duplicated docs and corrected references to fix build failure

Patch 2: Acted on Greg's and Ron's comments.

Patch 3: Acted on Greg's comment.

Patch 4: Acted on Mary's comments.

Patch 5: Solved merge conflict.

Patch 6: Worked on Mary's comments.

Patch 7: Fixed build conflict.

Patch 8: Worked on Mary's comments.

https://review.opendev.org/c/starlingx/docs/+/792461

Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com>
Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4
2021-06-02 12:28:10 -03:00

85 lines
2.9 KiB
ReStructuredText
Raw Blame History

.. vri1561486014514
.. _security-install-update-the-docker-registry-certificate:
=================================
Local Docker Registry Certificate
=================================
The local Docker registry provides secure HTTPS access using the registry API.
.. rubric:: |context|
By default a self-signed certificate is generated at installation time for the
registry API. For more secure access, an intermediate or Root |CA|-signed
certificate is strongly recommended.
The intermediate or Root |CA|-signed certificate for the registry must have at
least the following |SANs|: DNS:registry.local, DNS:registry.central, IP
Address:<oam-floating-ip-address>, IP Address:<mgmt-floating-ip-address>. Use
the :command:`system addrpool-list` command to get the |OAM| floating IP
Address and management floating IP Address for your system. You can add any
additional DNS entry\(s\) that you have set up for your |OAM| floating IP
Address.
Use the following procedure to install an intermediate or Root |CA|-signed
certificate to either replace the default self-signed certificate or to replace
an expired or soon to expire certificate.
.. rubric:: |prereq|
Obtain an intermediate or Root |CA|-signed certificate and key from a trusted
intermediate or Root |CA|. Refer to the documentation for the external Root
|CA| that you are using, on how to create public certificate and private key
pairs, signed by an intermediate or Root |CA|, for HTTPS.
For lab purposes, see :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for how to create a test
intermediate or Root |CA| certificate and key, and use it to sign test
certificates.
Put the |PEM| encoded versions of the certificate and key in a single file,
and copy the file to the controller host.
Also, obtain the certificate of the intermediate or Root |CA| that signed the
above certificate.
.. rubric:: |proc|
.. _security-install-update-the-docker-registry-certificate-d527e71:
#. In order to enable internal use of the Docker registry certificate,
update the trusted |CA| list for this system with the Root |CA| associated
with the Docker registry certificate.
.. code-block:: none
~(keystone_admin)]$ system certificate-install --mode ssl_ca
<pathTocertificate>
where:
``<pathTocertificate>``
is the path to the intermediate or Root |CA| certificate associated
with the Docker registry's intermediate or Root |CA|-signed
certificate.
#. Update the Docker registry certificate using the
:command:`certificate-install` command.
Set the ``mode (-m or --mode)`` parameter to ``docker_registry``.
.. code-block:: none
~(keystone_admin)]$ system certificate-install --mode docker_registry
<pathTocertificateAndKey>
where:
``<pathTocertificateAndKey>``
is the path to the file containing both the Docker registry's
intermediate or Root CA-signed certificate and private key to install.
View Git Blame Copy Permalink