docs/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst
Ron Stone b7e75df19b Recommended "renewBefore" value for a certificate (r8, r7, r5, r5, dsR8, dsR7, dsR6, dsR5)
Add note as include
Add include where renewBefore is mentioned
Address patchset 1 review comments

Closes-Bug: 2042545

Change-Id: Iad4f58fd2cd4743605089b453ededce1e720c8e9
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2023-11-07 15:03:24 +00:00

4.0 KiB

Configure Docker Registry Certificate

The local Docker registry provides secure HTTPS access using the registry API.

By default, a self-signed server certificate is generated at installation time for the registry API. For more secure access, an intermediate or Root CA-signed server certificate is strongly recommended.

To configure or update the HTTPS certificate for the local Docker registry, create a certificate named system-registry-local-certificate in the deployment namespace. The secretName attribute of this certificate's spec must also be named system-registry-local-certificate.

See the example procedure below for creating the certificate for the local Docker registry.

Update the following fields:

  • The duration and renewBefore dates for the expiry and renewal times you desire. The system will automatically renew and re-install the certificate.
  • The subject fields to identify your particular system.
  • The ipAddresses with the Floating IP Address and the MGMT Floating IP address for this system which MUST be specified for this certificate. Use the system addrpool-list command to get the floating IP Address and MGMT floating IP Address for your system.
  • The dnsNames with registry.local, registry.central and any names configured for this system's Floating IP Address in an external DNS server.

  1. Create the Docker certificate yaml configuration file.

    ~(keystone_admin)]$ cat <<EOF > docker-certificate.yaml
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: system-registry-local-certificate
      namespace: deployment
    spec:
      secretName: system-registry-local-certificate
      issuerRef:
        name: system-local-ca
        kind: ClusterIssuer
      duration: 2160h    # 90d
      renewBefore: 360h  # 15d
      subject:
        organizationalUnits:
          - StarlingX-system-registry-local
      ipAddresses:
        - <OAM_FLOATING_IP>
        - <MGMT_FLOATING_IP>
      dnsNames:
        - registry.local
        - registry.central
        - <external-FQDN-for-OAM-Floating-IP-Address, if applicable>
  2. Apply the configuration.

    ~(keystone_admin)]$ kubectl apply -f docker-certificate.yaml
  3. Verify the configuration.

    ~(keystone_admin)]$ kubectl get certificate system-registry-local-certificate -n deployment

    If configuration was successful, the certificate's Ready status will be True.

  4. Update the platform's trusted certificates (i.e. ssl_ca) with the Root associated with system-registry-local-certificate.

    See the example below where a Root system-local-ca was used to sign the system-registry-local-certificate, the ca.crt of the system-local-ca SECRET is extracted and added as a trusted for (i.e. system certificate-install -m ssl_ca).

    ~(keystone_admin)]$ kubectl -n cert-manager get secret system-local-ca -o yaml | fgrep tls.crt | awk '{print $2}' | base64 --decode >> system-local-ca.pem
    ~(keystone_admin)]$ system certificate-install -m ssl_ca system-local-ca.pem

The Docker registry certificate installation is now complete, and Cert-Manager will handle the lifecycle management of the certificate.