Add note as include

Add include where renewBefore is mentioned

Address patchset 1 review comments

Closes-Bug: 2042545
Change-Id: Iad4f58fd2cd4743605089b453ededce1e720c8e9
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Configure Docker Registry Certificate
The local Docker registry provides secure HTTPS access using the registry API.
By default, a self-signed server certificate is generated at installation time for the registry API. For more secure access, an intermediate or Root CA-signed server certificate is strongly recommended.
To configure or update the HTTPS certificate for the local Docker registry, create a certificate named system-registry-local-certificate in the deployment namespace. The secretName attribute of this certificate's spec must also be named system-registry-local-certificate.
See the example procedure below for creating the certificate for the local Docker registry.
Update the following fields:
- The duration and renewBefore values for the expiry and renewal times you desire. The system will automatically renew and re-install the certificate.
- The subject fields to identify your particular system.
- The ipAddresses with the OAM Floating IP Address and the MGMT Floating IP Address for this system, which MUST be specified for this certificate. Use the system addrpool-list command to get the OAM Floating IP Address and MGMT Floating IP Address for your system.
- The dnsNames with registry.local, registry.central and any names configured for this system's OAM Floating IP Address in an external DNS server.
Create the Docker certificate yaml configuration file.
~(keystone_admin)]$ cat <<EOF > docker-certificate.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: system-registry-local-certificate
  namespace: deployment
spec:
  secretName: system-registry-local-certificate
  issuerRef:
    name: system-local-ca
    kind: ClusterIssuer
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizationalUnits:
      - StarlingX-system-registry-local
  ipAddresses:
    - <OAM_FLOATING_IP>
    - <MGMT_FLOATING_IP>
  dnsNames:
    - registry.local
    - registry.central
    - <external-FQDN-for-OAM-Floating-IP-Address, if applicable>
EOF
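The requirements above (fixed name, namespace and secretName, both floating IPs present, registry.local and registry.central in dnsNames, renewBefore shorter than duration) are easy to get wrong when editing the template, and a placeholder left in place only surfaces as a failed issuance later. The following pre-flight check is an added example, not StarlingX code; it assumes the manifest has already been parsed into a dict (for instance with PyYAML) and the function and constant names are the example's own.

```python
# Pre-flight validation of a system-registry-local-certificate manifest (added example).
# Assumes the YAML file has already been parsed into a nested dict.
import ipaddress
import re

REQUIRED_NAME = "system-registry-local-certificate"
REQUIRED_NAMESPACE = "deployment"
REQUIRED_DNS = {"registry.local", "registry.central"}

_GO_UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse a cert-manager (Go-style) duration such as '2160h' or '1h30m' into seconds."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unparseable duration: {text!r}")
    return sum(int(n) * _GO_UNITS[u] for n, u in parts)


def check_registry_certificate(manifest):
    """Return a list of problems; an empty list means the manifest meets the requirements."""
    problems = []
    meta, spec = manifest.get("metadata", {}), manifest.get("spec", {})
    if meta.get("name") != REQUIRED_NAME:
        problems.append(f"metadata.name must be {REQUIRED_NAME}")
    if meta.get("namespace") != REQUIRED_NAMESPACE:
        problems.append(f"metadata.namespace must be {REQUIRED_NAMESPACE}")
    if spec.get("secretName") != REQUIRED_NAME:
        problems.append(f"spec.secretName must be {REQUIRED_NAME}")
    # renewBefore must be shorter than duration, otherwise the certificate can never be valid.
    try:
        duration = parse_duration(spec.get("duration", ""))
        renew = parse_duration(spec.get("renewBefore", ""))
        if renew >= duration:
            problems.append("renewBefore must be shorter than duration")
    except ValueError as exc:
        problems.append(str(exc))
    # Both floating IPs are mandatory; unreplaced <...> placeholders fail the address parse.
    ips = spec.get("ipAddresses") or []
    if len(ips) < 2:
        problems.append("ipAddresses must list the OAM and MGMT floating IPs")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"invalid ipAddresses entry: {ip!r}")
    dns_names = spec.get("dnsNames") or []
    missing = REQUIRED_DNS - set(dns_names)
    if missing:
        problems.append("dnsNames missing: " + ", ".join(sorted(missing)))
    problems.extend(f"placeholder left in dnsNames: {n!r}" for n in dns_names if n.startswith("<"))
    return problems
```

Run the check against the parsed docker-certificate.yaml before kubectl apply; any non-empty result is a field to fix.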
Apply the configuration.
~(keystone_admin)]$ kubectl apply -f docker-certificate.yaml
Verify the configuration.
~(keystone_admin)]$ kubectl get certificate system-registry-local-certificate -n deployment
If configuration was successful, the certificate's Ready status will be True.
Update the platform's trusted certificates (i.e. ssl_ca) with the Root CA associated with system-registry-local-certificate. See the example below, where a Root CA system-local-ca was used to sign the system-registry-local-certificate: the ca.crt of the system-local-ca secret is extracted and added as a trusted CA certificate (i.e. system certificate-install -m ssl_ca).
~(keystone_admin)]$ kubectl -n cert-manager get secret system-local-ca -o yaml | fgrep tls.crt | awk '{print $2}' | base64 --decode >> system-local-ca.pem
~(keystone_admin)]$ system certificate-install -m ssl_ca system-local-ca.pem
The Docker registry certificate installation is now complete, and Cert-Manager will handle the lifecycle management of the certificate.