(Already cherry-picked in the following reviews:
https://review.opendev.org/c/starlingx/docs/+/857061
https://review.opendev.org/c/starlingx/docs/+/857060

- Reword the "The ``ipAddresses``" sentence.
- Removed the "By default after deployment" note.

Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com>
Change-Id: Id013cd2b64d22e1bdc5bb22f36d2b4b47523a873
Configure Docker Registry Certificate
The local Docker registry provides secure HTTPS access using the registry API.
By default, a self-signed server certificate is generated at installation time for the registry API. For more secure access, an intermediate or Root CA-signed server certificate is strongly recommended.
To configure or update the HTTPS certificate for the local Docker registry, create a certificate named system-registry-local-certificate in the deployment namespace. The secretName attribute of this certificate's spec must also be named system-registry-local-certificate.

See the example procedure below for creating the certificate for the local Docker registry. This example assumes you have configured a system-local-ca ClusterIssuer as described in starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.
Update the following fields:

- The duration and renewBefore values for the expiry and renewal times you desire. The system will automatically renew and re-install the certificate before it expires, so renewBefore must be shorter than duration.
- The subject fields to identify your particular system.
- The ipAddresses with the OAM Floating IP Address and the MGMT Floating IP Address for this system; both MUST be specified for this certificate. Use the system addrpool-list command to get the OAM Floating IP Address and MGMT Floating IP Address for your system.
- The dnsNames with registry.local, registry.central and any names configured for this system's OAM Floating IP Address in an external DNS server.
Create the Docker certificate yaml configuration file.

~(keystone_admin)]$ cat <<EOF > docker-certificate.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: system-registry-local-certificate
  namespace: deployment
spec:
  secretName: system-registry-local-certificate
  issuerRef:
    name: system-local-ca
    kind: ClusterIssuer
  duration: 2160h    # 90d
  renewBefore: 360h  # 15d
  subject:
    organizationalUnits:
      - StarlingX-system-registry-local
  ipAddresses:
    - <OAM_FLOATING_IP>
    - <MGMT_FLOATING_IP>
  dnsNames:
    - registry.local
    - registry.central
    - <external-FQDN-for-OAM-Floating-IP-Address, if applicable>
EOF
Apply the configuration.
~(keystone_admin)]$ kubectl apply -f docker-certificate.yaml
Verify the configuration.
~(keystone_admin)]$ kubectl get certificate system-registry-local-certificate -n deployment
If the configuration was successful, the certificate's Ready status will be True.

Update the platform's trusted certificates (i.e. ssl_ca) with the Root CA associated with system-registry-local-certificate, so that the platform itself trusts the certificate it has just issued to the registry.

See the example below, where a Root CA system-local-ca was used to sign the system-registry-local-certificate: the CA certificate (the tls.crt entry of the system-local-ca secret in the cert-manager namespace) is extracted and installed as a trusted CA (i.e. system certificate-install -m ssl_ca).

~(keystone_admin)]$ kubectl -n cert-manager get secret system-local-ca -o yaml | fgrep tls.crt | awk '{print $2}' | base64 --decode >> system-local-ca.pem
~(keystone_admin)]$ system certificate-install -m ssl_ca system-local-ca.pem
The Docker registry certificate installation is now complete, and Cert-Manager will handle the lifecycle management of the certificate.
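The script below is an added example and is not part of the StarlingX documentation or tooling. It ties the procedure above together as checks a practitioner would run after the last step: confirm that renewBefore is shorter than duration before applying the manifest, wait for the Certificate to reach Ready, extract the CA certificate that the page installs with system certificate-install, then open a TLS connection to the registry, fail unless the served chain verifies against that CA, and confirm the leaf carries the DNS and IP SANs the page requires. It assumes kubectl and openssl are on PATH and that the registry answers on registry.local port 9001 (an assumption about the deployment; override REGISTRY_PORT if yours differs). The IP addresses in the usage line are placeholders to be replaced with the output of system addrpool-list.

```shell
#!/usr/bin/env bash
# Post-install checks for the local Docker registry certificate.
# Added example, not StarlingX tooling. Assumptions: kubectl and openssl on PATH;
# registry reachable at REGISTRY_HOST:REGISTRY_PORT (9001 is assumed, override if needed).
set -u

CERT_NAME="system-registry-local-certificate"
CERT_NS="deployment"
CA_SECRET="system-local-ca"
CA_SECRET_NS="cert-manager"
CA_PEM="${CA_PEM:-system-local-ca.pem}"
REGISTRY_HOST="${REGISTRY_HOST:-registry.local}"
REGISTRY_PORT="${REGISTRY_PORT:-9001}"   # assumption: local registry port

# Return 0 when renewBefore is strictly shorter than duration (values like "2160h", "360h").
# A renewal window as long as the lifetime is a misconfiguration, so catch it before applying.
renew_window_ok() {
  local duration="${1%h}" renew="${2%h}"
  [ "$renew" -gt 0 ] && [ "$renew" -lt "$duration" ]
}

# Return 0 when every required entry appears in an openssl-formatted SAN line such as
#   "DNS:registry.local, DNS:registry.central, IP Address:10.10.10.2"
# A pure string check, so it can be exercised without a cluster.
san_has_all() {
  local san="$1" want
  shift
  for want in "$@"; do
    case ", ${san}, " in
      *", ${want}, "*) ;;
      *) echo "missing SAN: ${want}" >&2; return 1 ;;
    esac
  done
  return 0
}

# Poll the Certificate's Ready condition instead of eyeballing the READY column.
wait_ready() {
  local tries="${1:-30}" status
  while [ "$tries" -gt 0 ]; do
    status=$(kubectl -n "$CERT_NS" get certificate "$CERT_NAME" \
      -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null)
    [ "$status" = "True" ] && return 0
    tries=$((tries - 1)); sleep 2
  done
  echo "${CERT_NAME} did not become Ready" >&2
  kubectl -n "$CERT_NS" describe certificate "$CERT_NAME" >&2
  return 1
}

# Write the CA certificate (tls.crt of the CA secret) to CA_PEM. Uses jsonpath rather than
# grepping a YAML dump, and truncates rather than appends, so reruns stay idempotent.
extract_ca() {
  kubectl -n "$CA_SECRET_NS" get secret "$CA_SECRET" \
    -o jsonpath='{.data.tls\.crt}' | base64 --decode > "$CA_PEM" \
  && openssl x509 -in "$CA_PEM" -noout -subject -enddate
}

# Connect to the registry, fail unless the served chain verifies against CA_PEM, then
# confirm the leaf carries the required DNS SANs plus any IP SANs passed as arguments.
verify_served_cert() {
  local pem san
  pem=$(openssl s_client -connect "${REGISTRY_HOST}:${REGISTRY_PORT}" \
          -servername "$REGISTRY_HOST" -CAfile "$CA_PEM" -verify_return_error \
          </dev/null 2>/dev/null) || {
    echo "TLS handshake or chain verification against ${CA_PEM} failed" >&2; return 1; }
  printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate
  san=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName \
        | grep -E 'DNS:|IP Address:' | sed 's/^[[:space:]]*//')
  san_has_all "$san" "DNS:${REGISTRY_HOST}" "DNS:registry.central" "$@"
}

# Usage (IPs are placeholders; take the real ones from "system addrpool-list"):
#   ./registry-cert-check.sh "IP Address:<OAM_FLOATING_IP>" "IP Address:<MGMT_FLOATING_IP>"
if [ "$#" -gt 0 ]; then
  renew_window_ok 2160h 360h || exit 1
  wait_ready && extract_ca && verify_served_cert "$@"
fi
```

The handshake check is the one that matters operationally: kubectl reporting Ready only says cert-manager issued the certificate, while openssl s_client with -CAfile and -verify_return_error proves that the registry is actually serving it and that the CA installed through ssl_ca is the one that anchors the chain.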