Automate securing registry route
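#!/bin/bash
# per https://access.redhat.com/documentation/en/openshift-enterprise/3.2/paged/installation-and-configuration/chapter-2-installing#securing-the-registry
# Get route hostname, create certs signed by the cluster CA, create cert secret,
# add to deployment, update env vars and patch the probes.
#
# Runs on a master host as a user that can read the cluster CA key under
# /etc/origin/master. Any failed step aborts the script (set -e) so the
# registry is never left half-secured (e.g. TLS env vars set but no cert).
set -euo pipefail

readonly NAMESPACE=default
readonly CA_DIR=/etc/origin/master
# Host-side directory the cert/key are written to. The registry pod mounts the
# secret at the same path inside the container (see the oc volume call below).
readonly CERT_DIR=/etc/secrets

# Route hostname and service cluster IP become SANs of the server cert.
# The -n flag has to sit inside $( ) so it is passed to oc rather than being
# parsed by the shell as a separate "-n default" command after the assignment.
ROUTE=$(oc get route docker-registry -n "$NAMESPACE" --template='{{.spec.host}}')
SERVICEIP=$(oc get service docker-registry -n "$NAMESPACE" --template='{{.spec.clusterIP}}')
if [[ -z "$ROUTE" || -z "$SERVICEIP" ]]; then
  printf 'docker-registry route host or service IP is empty; cannot build cert SANs\n' >&2
  exit 1
fi

# A private key is written to disk: restrict the directory and the new files
# to the owner before oadm creates them.
umask 077
mkdir -p -- "$CERT_DIR"

oadm ca create-server-cert \
  --signer-cert="$CA_DIR/ca.crt" \
  --signer-key="$CA_DIR/ca.key" \
  --signer-serial="$CA_DIR/ca.serial.txt" \
  --hostnames="${ROUTE},docker-registry.${NAMESPACE}.svc.cluster.local,${SERVICEIP}" \
  --cert="$CERT_DIR/registry.crt" \
  --key="$CERT_DIR/registry.key"

oc secrets new registry-secret -n "$NAMESPACE" \
  "$CERT_DIR/registry.crt" \
  "$CERT_DIR/registry.key"
# Both the registry and default service accounts get the secret, as in the
# referenced doc; only the registry deployment actually mounts it below.
oc secrets add serviceaccounts/registry secrets/registry-secret -n "$NAMESPACE"
oc secrets add serviceaccounts/default secrets/registry-secret -n "$NAMESPACE"

# Container-side paths below are literal: they refer to the secret mount, not
# to the host files in $CERT_DIR.
oc volume dc/docker-registry -n "$NAMESPACE" --add --type=secret \
  --secret-name=registry-secret -m /etc/secrets
oc env dc/docker-registry -n "$NAMESPACE" \
  REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \
  REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key

# Both probes switch to HTTPS in one strategic-merge patch (containers are
# merged by name), one API call instead of two.
oc patch dc/docker-registry -n "$NAMESPACE" --api-version=v1 -p '{"spec": {"template": {"spec": {"containers":[{
  "name":"registry",
  "livenessProbe": {"httpGet": {"scheme":"HTTPS"}},
  "readinessProbe": {"httpGet": {"scheme":"HTTPS"}}
}]}}}}'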
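#!/bin/bash
# Optimized (untested!): create route and certs first, then attach certs when registry is created
#
# Runs on a master host as a user that can read the cluster CA key under
# /etc/origin/master. Any failed step aborts the script (set -e).
set -euo pipefail

readonly NAMESPACE=default
readonly CA_DIR=/etc/origin/master
readonly CERT_DIR=/etc/secrets

# Route hostname and service cluster IP become SANs of the server cert.
# The -n flag must be inside $( ) so oc receives it, instead of the shell
# trying to run "-n default" as a command after the assignment.
ROUTE=$(oc get route docker-registry -n "$NAMESPACE" --template='{{.spec.host}}')
# NOTE(review): the docker-registry service is only created by `oadm registry`
# at the bottom of this script, so on a fresh cluster this lookup presumably
# fails (and aborts under set -e) — confirm the intended ordering.
SERVICEIP=$(oc get service docker-registry -n "$NAMESPACE" --template='{{.spec.clusterIP}}')
if [[ -z "$ROUTE" || -z "$SERVICEIP" ]]; then
  printf 'docker-registry route host or service IP is empty; cannot build cert SANs\n' >&2
  exit 1
fi

# A private key is written to disk: restrict the directory and the new files
# to the owner before oadm creates them.
umask 077
mkdir -p -- "$CERT_DIR"

oadm ca create-server-cert -n "$NAMESPACE" \
  --signer-cert="$CA_DIR/ca.crt" \
  --signer-key="$CA_DIR/ca.key" \
  --signer-serial="$CA_DIR/ca.serial.txt" \
  --hostnames="${ROUTE},docker-registry.${NAMESPACE}.svc.cluster.local,${SERVICEIP}" \
  --cert="$CERT_DIR/registry.crt" \
  --key="$CERT_DIR/registry.key"

oadm registry -n "$NAMESPACE" \
  --tls-certificate="$CERT_DIR/registry.crt" \
  --tls-key="$CERT_DIR/registry.key"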