starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst
Juanita Balaraj 98f8b72701 Updated Limitation for IPv6 addresses (r8, dsr8) 
Updated the title in the rest file
Shorten filename. Link with very long file name is broken in some URL contexts
such as local builds This change corrects it in local testing but needs
further verification from other contributors.

Linked to: https://review.opendev.org/c/starlingx/docs/+/891913
Change-Id: I3ad7ac655ef46190efa0f4bb88345195333d4030
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2023-08-31 18:32:41 +00:00

3.9 KiB
Raw Blame History

Configure Docker Registry Certificate

The local Docker registry provides secure HTTPS access using the registry API.

By default, a self-signed server certificate is generated at installation time for the registry API. For more secure access, an intermediate or Root CA-signed server certificate is strongly recommended.

To configure or update the HTTPS certificate for the local Docker registry, create a certificate named system-registry-local-certificate in the deployment namespace. The secretName attribute of this certificate's spec must also be named system-registry-local-certificate.

See the example procedure below for creating the certificate for the local Docker registry.

Update the following fields:

  • The duration and renewBefore dates for the expiry and renewal times you desire. The system will automatically renew and re-install the certificate.
  • The subject fields to identify your particular system.
  • The ipAddresses with the Floating IP Address and the MGMT Floating IP address for this system which MUST be specified for this certificate. Use the system addrpool-list command to get the floating IP Address and MGMT floating IP Address for your system.
  • The dnsNames with registry.local, registry.central and any names configured for this system's Floating IP Address in an external DNS server.

  1. Create the Docker certificate yaml configuration file.

    ~(keystone_admin)]$ cat <<EOF > docker-certificate.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: system-registry-local-certificate
  namespace: deployment
spec:
  secretName: system-registry-local-certificate
  issuerRef:
    name: system-local-ca
    kind: ClusterIssuer
  duration: 2160h    # 90d
  renewBefore: 360h  # 15d
  subject:
    organizationalUnits:
      - StarlingX-system-registry-local
  ipAddresses:
    - <OAM_FLOATING_IP>
    - <MGMT_FLOATING_IP>
  dnsNames:
    - registry.local
    - registry.central
    - <external-FQDN-for-OAM-Floating-IP-Address, if applicable>

  2. Apply the configuration.

    ~(keystone_admin)]$ kubectl apply -f docker-certificate.yaml

  3. Verify the configuration.

    ~(keystone_admin)]$ kubectl get certificate system-registry-local-certificate -n deployment

    If configuration was successful, the certificate's Ready status will be True.

  4. Update the platform's trusted certificates (i.e. ssl_ca) with the Root associated with system-registry-local-certificate.

    See the example below where a Root system-local-ca was used to sign the system-registry-local-certificate, the ca.crt of the system-local-ca SECRET is extracted and added as a trusted for (i.e. system certificate-install -m ssl_ca).

    ~(keystone_admin)]$ kubectl -n cert-manager get secret system-local-ca -o yaml | fgrep tls.crt | awk '{print $2}' | base64 --decode >> system-local-ca.pem
~(keystone_admin)]$ system certificate-install -m ssl_ca system-local-ca.pem

The Docker registry certificate installation is now complete, and Cert-Manager will handle the lifecycle management of the certificate.

Limitations for using IPv6 addresses related to management and OAM networks