docs/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate-deprecated.rst
Juanita Balaraj cb0245cfab Added RSA Key length (dsr8)
Modified the note to include <the certificate file>
Removed trailing spaces and fixed Patchset 7 comments
Updated Patchset 6 comments and removed the word platform
Fixed formatting issues
Updated Patchset 4 comments
Added additional notes in multiple topics listed in the review
Updated the Security / Upgrade Guide with a note
Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>

Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2
2023-06-28 04:44:19 +00:00


Local Registry Server Certificates

Note

This procedure is deprecated. For up-to-date information, refer to: configure-docker-registry-certificate-after-installation-c519edbfe90a.

For the Local Docker Registry, HTTPS is always enabled. By default, a self-signed server certificate and key are generated and installed for this endpoint. However, it is strongly recommended that you replace the server certificate after installation with an Intermediate or Root CA-signed server certificate and key. Refer to the documentation for the external Intermediate or Root CA that you are using for how to create public certificate and private key pairs, signed by that CA, for HTTPS.

The local Docker registry provides a Docker image service that can be accessed through the registry API over HTTPS. A standalone system, the central cloud, and every subcloud each have their own Docker registry, called registry.local.

The Docker registry on the central cloud also has the alias registry.central, which subclouds use to remotely log in to, or pull images from, the central Docker registry.

By default, a self-signed certificate is generated at installation time for the registry API. For more secure access, an Intermediate or Root CA-signed certificate is strongly recommended.

The Intermediate or Root CA-signed certificate for the registry must have at least the following Subject Alternative Name (SAN) entries: DNS:registry.local, DNS:registry.central, IP Address:<oam-floating-ip-address>, IP Address:<mgmt-floating-ip-address>. Use the system addrpool-list command to get the OAM floating IP address and the management floating IP address for your system. You can add any additional DNS entries that you have set up for your floating IP address.

Use the following procedure to install an Intermediate or Root CA-signed certificate, either to replace the default self-signed certificate or to replace an expired or soon-to-expire certificate.

Obtain an Intermediate or Root CA-signed certificate and key from a trusted Intermediate or Root CA. Refer to the documentation for the external CA that you are using for how to create public certificate and private key pairs, signed by an Intermediate or Root CA, for HTTPS.

For lab purposes, see Create Certificates Locally using openssl <create-certificates-locally-using-openssl> for how to create a test Intermediate or Root CA certificate and key, and use it to sign test certificates.

Put the encoded certificate and key in a single file, and copy that file to the controller host.

Also obtain the certificate of the Intermediate or Root CA that signed the above certificate.

  1. To enable internal use of the Docker registry certificate, update the trusted CA list for this system with the Root CA associated with the Docker registry certificate.

    ~(keystone_admin)]$ system certificate-install --mode ssl_ca <pathTocertificate>

    where:

    <pathTocertificate>

    is the path to the Intermediate or Root CA certificate associated with the Docker registry's Intermediate or Root CA-signed certificate.

  2. Update the Docker registry certificate using the certificate-install command.

    Set the mode (-m or --mode) parameter to docker_registry.

    ~(keystone_admin)]$ system certificate-install --mode docker_registry <pathTocertificateAndKey>

    where:

    <pathTocertificateAndKey>

    is the path to the file containing both the Docker registry's Intermediate or Root CA-signed certificate and private key to install.

    Note

    Ensure that the certificate's RSA key length is at least 2048 bits. This release provides a newer version of openssl that requires a minimum of 2048-bit RSA keys, for better security / encryption strength.

    You can check the key length by running openssl x509 -in <the certificate file> -noout -text and looking for the "Public-Key" line in the output. For more information, see Create Certificates Locally using openssl <create-certificates-locally-using-openssl>.
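As an added pre-install check, not part of this guide or of the product's own tooling, the following POSIX shell script verifies the combined certificate-and-key file before it is passed to certificate-install: the RSA key length of at least 2048 bits, the SAN entries the registry certificate must carry, that the private key in the file matches the certificate, and that the certificate is not about to expire. The make_sample_cert helper only builds a constructed self-signed sample for trying the check; the IP addresses and file names are assumptions.

```shell
#!/bin/sh
# Pre-install checks for the combined certificate + key file that is passed to
# "system certificate-install --mode docker_registry". Prints each failing
# check and returns 1, or returns 0 when the file passes all of them.
# Usage: check_registry_cert <certAndKeyFile> <oam-floating-ip> <mgmt-floating-ip>
check_registry_cert() {
    file="$1"; oam_ip="$2"; mgmt_ip="$3"; rc=0
    text=$(openssl x509 -in "$file" -noout -text) || return 1
    # 1. RSA key length: the "Public-Key: (N bit)" line must show N >= 2048.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL: public key is ${bits:-unknown} bits, need >= 2048"; rc=1
    fi
    # 2. Required Subject Alternative Name entries for the registry.
    for san in "DNS:registry.local" "DNS:registry.central" \
               "IP Address:$oam_ip" "IP Address:$mgmt_ip"; do
        printf '%s\n' "$text" | grep -qE "$san(,|\$)" \
            || { echo "FAIL: missing SAN $san"; rc=1; }
    done
    # 3. The private key in the file must belong to the certificate
    #    (compare the public key taken from each).
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey)
    key_pub=$(openssl pkey -in "$file" -pubout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key missing or does not match certificate"; rc=1; }
    # 4. Do not install a certificate that expires within 30 days.
    openssl x509 -in "$file" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: certificate expires within 30 days or is expired"; rc=1; }
    return $rc
}

# Constructed sample only (assumption, not production material): a self-signed
# certificate + key with the SANs this guide requires, concatenated into one file.
# Usage: make_sample_cert <outFile> <rsaBits> <oam-floating-ip> <mgmt-floating-ip>
make_sample_cert() {
    out="$1"; bits="$2"; oam_ip="$3"; mgmt_ip="$4"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 365 -subj "/CN=registry.local" \
        -addext "subjectAltName=DNS:registry.local,DNS:registry.central,IP:$oam_ip,IP:$mgmt_ip" \
        -keyout "$out.key" -out "$out.crt" 2>/dev/null
    cat "$out.crt" "$out.key" > "$out"
}
```

Run check_registry_cert on the real file with your own OAM and management floating IPs from system addrpool-list; a non-zero exit means the file should not be installed yet.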

Refer to Install/Update Local Registry Certificates <installing-updating-the-docker-registry-certificate> on how to install/update and renew local registry certificates.