@kadel
Last active April 5, 2016 11:51
OpenShift - expose secure registry
# Directory with master files (confs, certs etc.)
MASTER_DIR=/var/lib/openshift/openshift.local.config/master
# KUBECONFIG for cluster admin
export KUBECONFIG=$MASTER_DIR/admin.kubeconfig
# Public name for the registry (default for ADB 1.7.1 is hub.openshift.10.1.2.2.xip.io)
REGISTRY_ROUTE=$(oc get route docker-registry -o template --template='{{ .spec.host }}')
# Get IP of the registry service
REGISTRY_SERVICE_IP=$(oc get svc/docker-registry -o template --template='{{ .spec.clusterIP }}')
REGISTRY_SERVICE_PORT=$(oc get svc/docker-registry -o template --template='{{ (index .spec.ports 0).port }}')
# Create certificates for registry
oadm ca create-server-cert --signer-cert=$MASTER_DIR/ca.crt \
--signer-key=$MASTER_DIR/ca.key --signer-serial=$MASTER_DIR/ca.serial.txt \
--hostnames="$REGISTRY_ROUTE,$REGISTRY_SERVICE_IP" \
--cert=$MASTER_DIR/registry.crt --key=$MASTER_DIR/registry.key
# Create the secret for the registry certificates
oc secrets new registry-secret $MASTER_DIR/registry.crt $MASTER_DIR/registry.key
# Add the secret volume to the registry deployment configuration:
oc volume dc/docker-registry --add --type=secret \
--secret-name=registry-secret -m /etc/secrets
# Enable TLS by adding the following environment variables to the registry deployment configuration:
oc env dc/docker-registry \
REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \
REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
# Update the scheme used for the registry’s liveness probe from HTTP to HTTPS:
oc get dc/docker-registry -o yaml \
| sed -e 's/scheme: HTTP/scheme: HTTPS/g' \
| oc replace -f -
# Copy the CA certificate to the Docker certificates directory.
mkdir -p /etc/docker/certs.d/$REGISTRY_SERVICE_IP:$REGISTRY_SERVICE_PORT
cp $MASTER_DIR/ca.crt /etc/docker/certs.d/$REGISTRY_SERVICE_IP:$REGISTRY_SERVICE_PORT
mkdir -p /etc/docker/certs.d/$REGISTRY_ROUTE
cp $MASTER_DIR/ca.crt /etc/docker/certs.d/$REGISTRY_ROUTE
# Add "tls: termination: passthrough" to the already existing docker-registry route
oc get route docker-registry -o json | sed -e 's/\("spec": {\)/\1 "tls": {"termination": "passthrough"},/g' | oc replace -f -
# resulting docker-registry route (`oc get route docker-registry -o json`) should look like this:
#{
#  "kind": "Route",
#  "apiVersion": "v1",
#  "metadata": {
#    "name": "docker-registry",
#    "namespace": "default",
#    "selfLink": "/oapi/v1/namespaces/default/routes/docker-registry",
#    "uid": "d5e59654-e9d3-11e5-ab50-525400f883d9",
#    "resourceVersion": "522",
#    "creationTimestamp": "2016-03-14T10:59:34Z",
#    "labels": {
#      "docker-registry": "default"
#    }
#  },
#  "spec": {
#    "host": "hub.openshift.10.1.2.2.xip.io",
#    "to": {
#      "kind": "Service",
#      "name": "docker-registry"
#    },
#    "port": {
#      "targetPort": "5000-tcp"
#    },
#    "tls": {
#      "termination": "passthrough"
#    }
#  },
#  "status": {}
#}
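Added example, not part of kadel's gist: a pre-flight check for the certificate produced by the `oadm ca create-server-cert` step, to run before copying ca.crt into /etc/docker/certs.d. Docker only trusts the registry if registry.crt chains to that CA and its SANs cover both the route host and the service IP, so the check verifies exactly those. The sample CA, the CN values and the service IP 172.30.99.5 are constructed; the route host is the page's ADB default.

```shell
#!/bin/sh
# Added check (not part of the gist): confirm that a registry server cert
# chains to the cluster CA and carries the route hostname as a DNS SAN and
# the service IP as an IP SAN. Docker checks exactly this through
# /etc/docker/certs.d/<host>/ca.crt, so run it on $MASTER_DIR/registry.crt
# and $MASTER_DIR/ca.crt before the cp steps above. Needs the openssl CLI.

# check_registry_cert CERT CA ROUTE_HOST SERVICE_IP
# Prints "ok" and returns 0, else prints the first problem and returns 1.
check_registry_cert() {
  cert=$1; ca=$2; host=$3; ip=$4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "registry cert does not chain to $ca"; return 1; }
  # One SAN entry per line, e.g. "DNS:hub..." / "IP Address:172.30.99.5"
  sans=$(openssl x509 -in "$cert" -noout -text \
         | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
         | tr ',' '\n' | sed 's/^ *//')
  printf '%s\n' "$sans" | grep -qxF "DNS:$host" \
    || { echo "missing DNS SAN for route host $host"; return 1; }
  printf '%s\n' "$sans" | grep -qxF "IP Address:$ip" \
    || { echo "missing IP SAN for service IP $ip"; return 1; }
  echo ok
}

# make_sample_certs DIR ROUTE_HOST SERVICE_IP
# Constructed stand-ins for $MASTER_DIR/ca.crt and registry.crt so the check
# can be exercised without a cluster; the SAN layout mirrors what
# `oadm ca create-server-cert --hostnames=HOST,IP` produces.
make_sample_certs() {
  dir=$1; host=$2; ip=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=sample-ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=docker-registry \
    -keyout "$dir/registry.key" -out "$dir/registry.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > "$dir/san.cnf"
  openssl x509 -req -days 1 -in "$dir/registry.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.cnf" \
    -out "$dir/registry.crt" 2>/dev/null
}

# Usage against the real files from the steps above:
#   check_registry_cert "$MASTER_DIR/registry.crt" "$MASTER_DIR/ca.crt" \
#     "$REGISTRY_ROUTE" "$REGISTRY_SERVICE_IP"
```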