docs/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate.rst
Keane Lim 3c5fa979a4 Security guide update
Re-organized topic hierarchy

Tiny edit to restart review workflow.

Squashed with Resolved index.rst conflict commit

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
2021-03-12 15:10:40 -05:00


Install/Update the Docker Registry Certificate

The local Docker registry provides secure HTTPS access to the registry API.

By default, a self-signed certificate is generated at installation time for the registry API. For more secure access, a Root CA-signed certificate is strongly recommended.

The Root CA-signed certificate for the registry must have at least the following Subject Alternative Names (SANs): DNS:registry.local, DNS:registry.central, IP Address:<oam-floating-ip-address>, IP Address:<mgmt-floating-ip-address>. Use the system addrpool-list command to get the OAM floating IP address and the management floating IP address for your system. You can add any additional DNS entries that you have set up for your floating IP address.

Use the following procedure to install a Root CA-signed certificate, either to replace the default self-signed certificate or to replace an expired or soon-to-expire certificate.

Obtain a Root CA-signed certificate and key from a trusted Root CA. Refer to the documentation for the external Root CA that you are using for how to create a public certificate and private key pair, signed by that Root CA, for HTTPS.

For lab purposes, see Appendix A for how to create a test Root CA certificate and key, and use it to sign test certificates.

Put the encoded certificate and key together in a single file, and copy the file to the controller host.

Also obtain the certificate of the Root CA that signed the above certificate.

  1. To enable internal use of the Docker registry certificate, update the trusted CA list for this system with the Root CA associated with the Docker registry certificate.

    ~(keystone_admin)$ system certificate-install --mode ssl_ca <pathTocertificate>

    where:

    <pathTocertificate>

    is the path to the Root CA certificate associated with the Docker registry Root CA-signed certificate.

  2. Update the Docker registry certificate using the certificate-install command.

    Set the mode (-m or --mode) parameter to docker_registry.

    ~(keystone_admin)$ system certificate-install --mode docker_registry <pathTocertificateAndKey>

    where:

    <pathTocertificateAndKey>

    is the path to the file containing both the Docker registry certificate and the private key to install.
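Before running either certificate-install command, it is worth confirming that the certificate carries the SAN entries listed above and that the combined file really holds both a certificate and a private key. The following pre-check is an added example, not part of the StarlingX documentation or tooling; it parses the text form of the SAN extension (as printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`) and the PEM markers of the combined file, and the sample inputs are constructed.

```python
import re

# SAN entries every registry certificate must carry, per the procedure above.
REQUIRED_DNS = ("registry.local", "registry.central")


def parse_san_text(san_text):
    """Parse the text form of the subjectAltName extension into a set of
    (type, value) pairs, e.g. ("DNS", "registry.local") or
    ("IP Address", "10.10.10.2"). The header line is skipped."""
    entries = set()
    for line in san_text.splitlines():
        if "Subject Alternative Name" in line:
            continue
        for item in line.split(","):
            item = item.strip()
            if not item:
                continue
            # partition() splits at the first colon only, so IPv6 values survive.
            kind, _, value = item.partition(":")
            entries.add((kind.strip(), value.strip()))
    return entries


def missing_sans(san_text, oam_floating_ip, mgmt_floating_ip):
    """Return the required SAN entries that are absent, as sorted 'type:value' strings.
    An empty list means the certificate meets the minimum SAN requirement."""
    required = {("DNS", name) for name in REQUIRED_DNS}
    required |= {("IP Address", oam_floating_ip), ("IP Address", mgmt_floating_ip)}
    return sorted(f"{kind}:{value}" for kind, value in required - parse_san_text(san_text))


def pem_bundle_ok(pem_text):
    """True when the combined file holds at least one certificate and exactly one
    private key (PKCS#8, RSA, EC or encrypted PEM headers are all accepted)."""
    certs = pem_text.count("-----BEGIN CERTIFICATE-----")
    keys = len(re.findall(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----", pem_text))
    return certs >= 1 and keys == 1


# Constructed sample: a certificate that is missing DNS:registry.central.
SAMPLE_SAN = """X509v3 Subject Alternative Name:
    DNS:registry.local, IP Address:10.10.10.2, IP Address:192.168.204.2
"""

# Constructed sample: combined certificate-and-key file (bodies are placeholders).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("missing SANs:", missing_sans(SAMPLE_SAN, "10.10.10.2", "192.168.204.2"))
    print("bundle ok:", pem_bundle_ok(SAMPLE_BUNDLE))
```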