1. 获取镜像仓库 cluster ip
oc project default
oc get svc/docker-registry
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
docker-registry ClusterIP 172.30.31.74 <none> 5000/TCP 8d
2.生成证书
hostnames需要把服务的cluster ip、服务域名、路由主机地址填写正确,多个域名用逗号分隔,注意全角半角,不要带引号,官方文档hostnames值有单引号包裹
该oc adm ca create-server-cert命令生成一个有效期为两年的证书。可以通过–expire-days选项修改默认值
oc adm ca create-server-cert \
--signer-cert=/etc/origin/master/ca.crt \
--signer-key=/etc/origin/master/ca.key \
--signer-serial=/etc/origin/master/ca.serial.txt \
--hostnames =172.30.31.74,docker-registry.default.svc.cluster.local,docker-registry.default.svc,docker-registry-default.app.ocp.yourdomain.com \
--cert=/etc/secrets/registry.crt \
--key=/etc/secrets/registry.key
3.根据证书创建secret
- 创建新的secret
oc create secret generic registry-certificates \
--from-file=/etc/secrets/registry.crt \
--from-file=/etc/secrets/registry.key
- 存在则替换
oc create secret generic registry-certificates \
--from-file=/etc/secrets/registry.crt \
--from-file=/etc/secrets/registry.key\
-o json --dry-run | oc replace -f -
4.将secret链接到serviceaccount
oc secrets link registry registry-certificates
oc secrets link default registry-certificates
5.更新dc,添加volume,把新创建的secret挂进去,-m 表示要挂载容器的哪个目录
oc volume dc/docker-registry --add --type=secret \
--name=docker-registry --secret-name=registry-secret -m /etc/secrets
6.更新镜像仓库环境变量
oc set env dc/docker-registry \
REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \
REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
7.更新健康监测检查 HTTP->HTTPS
oc patch dc/docker-registry -p '{"spec": {"template": {"spec": {"containers":[{
"name":"registry",
"livenessProbe": {"httpGet": {"scheme":"HTTPS"}}
}]}}}}'
oc patch dc/docker-registry -p '{"spec": {"template": {"spec": {"containers":[{
"name":"registry",
"readinessProbe": {"httpGet": {"scheme":"HTTPS"}}
}]}}}}'
8.验证证书是否配置正确
oc logs dc/docker-registry | grep tls
time="2018-09-08T04:08:24.508752009Z" level=info msg="listening on :5000, tls" go.version=go1.9.7 instance.id=252143b6-1514-4146-965c-126c82e8d4a8
9.添加服务路由,类型为passthrough
oc create route passthrough registry --service=docker-registry --hostname=docker-registry-default.app.ocp.yourdomain.com
10.客户端证书下载
docker会实时检测/etc/docker/certs.d目录下以crt结尾的文件,并放入证书池中。该ca.crt文件的副本/etc/origin/master/ca.crt上的主。必须在集群中的所有节点上执行此操作:
# docker 证书目录
export dcertsdir=/etc/docker/certs.d
# 创建目录,根据创建证书时指定的hostname生成对应的目录
export destdir_name1=$dcertsdir/172.30.31.74:5000\/
export destdir_name2=$dcertsdir/docker-registry.default.svc.cluster.local:5000\/
export destdir_name3=$dcertsdir/docker-registry.default.svc:5000\/
export destdir_name3=$dcertsdir/docker-registry-default.app.ocp.yourdomain.com\/
mkdir -p $destdir_name1 $destdir_name2 $destdir_name3 $destdir_name4
cp ca.crt $destdir_name1
cp ca.crt $destdir_name2
cp ca.crt $destdir_name3
cp ca.crt $destdir_name4
执行以下脚本后,将将/etc/docker/certs.d创建域名目录并下载证书,无需重启docker即可使用docker pull/push/login命令
export DOMAIN_NAME=internal-registry.yourdomain.com
export TCP_PORT=443
export dcertsdir=/etc/docker/certs.d
export destdir_name=$dcertsdir/$DOMAIN_NAME\/
mkdir -p $destdir_name
echo ''|openssl s_client -connect $DOMAIN_NAME:$TCP_PORT -servername $DOMAIN_NAME -showcerts 2>/dev/null \
| sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'>$destdir_name/registry.crt
使用身份验证时,某些版本docker还要求您将群集配置为信任操作系统级别的证书,上个步骤的操作不行时再执行再执行以下操作。
cp /etc/origin/master/ca.crt /etc/pki/ca-trust/source/anchors/docker-registry-default.app.ocp.yourdomain.com.crt
update-ca-trust enable
systemctl daemon-reload && systemctl restart docker
11 验证客户端证书配置是否正确
可以使用以下命令测试上一步配置是否正确,密码也可以登录registry-console控制台在首页最下面查看
docker login -u admin -p `oc whoami -t` docker-registry-default.app.ocp.yourdomain.com
参考:
-
https://docs.openshift.com/container-platform/3.10/install_config/registry/securing_and_exposing_registry.html
-
https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
-
https://github.com/xiaoping378/blog/blob/master/posts/openshift%E5%AE%9E%E8%B7%B5-%E9%95%9C%E5%83%8F%E7%AE%A1%E7%90%86.md
-
https://github.com/moby/moby/issues/8849
-
https://github.com/docker/distribution-library-image/issues/35
