@pandeybk
Last active October 7, 2024 01:59
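#!/bin/bash
# Rotate the self-signed Root CA and the Quay server certificate of a
# mirror-registry installation, then restart quay-app.service.
#
# Run as root. The install path and the certificate identity can be
# overridden from the environment; the defaults reproduce the original
# deployment values:
#   QUAY_INSTALL_PATH  install root             (default /mirror-registry/quay-config)
#   QUAY_COMMON_NAME   CN of both certificates  (default 192.168.7.52)
#   QUAY_SAN_DNS       DNS SAN of the server cert (default quay-registry)
#   QUAY_SAN_IP        IP SAN of the server cert  (default 192.168.7.52)
#
# The existing certificates and keys are copied to <file>.<timestamp>.bak.
# All new material is generated in a private temporary directory and is
# copied into place only after every openssl step has succeeded, so a
# failure leaves the previously installed certificate untouched and the
# service is brought back up before exiting.
set -euo pipefail
umask 077   # openssl writes private keys below; never leave them world-readable

# Set the root install path (environment override keeps the original default)
QUAY_INSTALL_PATH="${QUAY_INSTALL_PATH:-/mirror-registry/quay-config}"
# Derived paths from QUAY_INSTALL_PATH
QUAY_CONFIG_PATH="$QUAY_INSTALL_PATH/quay-config"
CA_DIR="$QUAY_INSTALL_PATH/quay-rootCA"
SSL_CERT="$QUAY_CONFIG_PATH/ssl.cert"
SSL_KEY="$QUAY_CONFIG_PATH/ssl.key"
SSL_CSR="$QUAY_CONFIG_PATH/ssl.csr"
OPENSSL_CNF="$QUAY_CONFIG_PATH/openssl.cnf"
CA_CNF="$CA_DIR/rootCA_openssl.cnf"
TIMESTAMP=$(date +%Y%m%d%H%M%S)
# Certificate identity: subject CN of both certs and the server SANs
QUAY_COMMON_NAME="${QUAY_COMMON_NAME:-192.168.7.52}"
QUAY_SAN_DNS="${QUAY_SAN_DNS:-quay-registry}"
QUAY_SAN_IP="${QUAY_SAN_IP:-192.168.7.52}"
# Key size and validity periods (days), unchanged from the original script
readonly KEY_BITS=2048
readonly CA_DAYS=1024
readonly CERT_DAYS=730
# uid:gid that must own the installed server cert and key (the user Quay runs as)
readonly QUAY_OWNER="1001:1001"

# Set by main(), read by cleanup() on exit.
WORKDIR=""
QUAY_STOPPED=0

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# EXIT trap: remove the temporary directory and, if the script failed
# after quay-app.service was stopped, start the service again so the
# registry does not stay down with whatever certificate is on disk.
# Globals: WORKDIR, QUAY_STOPPED, SSL_CERT, SSL_KEY
#######################################
cleanup() {
  local status=$?
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "$WORKDIR"
  fi
  if (( status != 0 )); then
    printf 'ERROR: certificate rotation failed (exit %d); check %s, %s and the .%s.bak copies\n' \
      "$status" "$SSL_CERT" "$SSL_KEY" "$TIMESTAMP" >&2
    if (( QUAY_STOPPED )); then
      echo "Starting quay-app.service..."
      systemctl start quay-app.service || true
    fi
  fi
}

#######################################
# Copy "$1" to "$1.<TIMESTAMP>.bak". A missing file is reported but is
# not an error (e.g. first rotation without an existing Root CA).
# Globals: TIMESTAMP
# Arguments: $1 - file to back up
#######################################
backup_file() {
  local src=$1
  if [[ -e "$src" ]]; then
    cp -f -- "$src" "${src}.${TIMESTAMP}.bak"
  else
    printf 'warning: %s does not exist, nothing to back up\n' "$src" >&2
  fi
}

#######################################
# Write the openssl config used to self-sign the Root CA to "$1".
# Globals: QUAY_COMMON_NAME
#######################################
write_ca_config() {
  cat > "$1" <<EOL
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = VA
localityName = New York
organizationName = Quay
organizationalUnitName = Division
commonName = $QUAY_COMMON_NAME
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOL
}

#######################################
# Write the openssl config for the server CSR / certificate to "$1".
# Additional SANs can be added to [ alt_names ] (e.g. IP.2 = ...).
# Globals: QUAY_COMMON_NAME, QUAY_SAN_DNS, QUAY_SAN_IP
#######################################
write_server_config() {
  cat > "$1" <<EOL
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = VA
localityName = New York
organizationName = Quay
organizationalUnitName = Division
commonName = $QUAY_COMMON_NAME
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $QUAY_SAN_DNS
IP.1 = $QUAY_SAN_IP
# IP.2 = 192.168.1.11
EOL
}

#######################################
# Generate a new Root CA key and self-signed certificate.
# Arguments: $1 - output directory, $2 - CA openssl config
# Outputs:   $1/rootCA.key, $1/rootCA.pem
#######################################
generate_root_ca() {
  local dir=$1 cnf=$2
  openssl genrsa -out "$dir/rootCA.key" "$KEY_BITS"
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days "$CA_DAYS" \
    -out "$dir/rootCA.pem" -config "$cnf"
}

#######################################
# Generate the server key and CSR, then sign the CSR with the Root CA
# found in the same directory.
# Arguments: $1 - working directory holding rootCA.key/.pem, $2 - server openssl config
# Outputs:   $1/ssl.key, $1/ssl.csr, $1/ssl.cert, $1/rootCA.srl
#######################################
generate_server_cert() {
  local dir=$1 cnf=$2
  echo "Generating new SSL key..."
  openssl genrsa -out "$dir/ssl.key" "$KEY_BITS"
  echo "Generating CSR..."
  openssl req -new -key "$dir/ssl.key" -out "$dir/ssl.csr" -reqexts v3_req -config "$cnf"
  # Review the CSR to ensure the details are correct
  echo "Reviewing CSR..."
  openssl req -in "$dir/ssl.csr" -noout -text
  echo "Signing CSR to generate SSL certificate..."
  # -sha256 is explicit so the digest does not depend on the openssl build default
  openssl x509 -req -in "$dir/ssl.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -sha256 -out "$dir/ssl.cert" -days "$CERT_DAYS" \
    -extensions v3_req -extfile "$cnf"
}

#######################################
# Print the new server certificate and confirm it chains to the new CA;
# a certificate that does not verify is never installed.
# Arguments: $1 - working directory
#######################################
verify_certs() {
  local dir=$1
  openssl x509 -in "$dir/ssl.cert" -noout -text
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/ssl.cert"
}

#######################################
# Copy the generated material into the live locations and set ownership
# and modes: keys stay private (0600), the server cert is world-readable.
# Globals: CA_DIR, SSL_CSR, SSL_KEY, SSL_CERT, QUAY_OWNER
# Arguments: $1 - working directory
#######################################
install_files() {
  local dir=$1
  cp -f -- "$dir/rootCA.key" "$CA_DIR/rootCA.key"
  cp -f -- "$dir/rootCA.pem" "$CA_DIR/rootCA.pem"
  if [[ -e "$dir/rootCA.srl" ]]; then
    cp -f -- "$dir/rootCA.srl" "$CA_DIR/rootCA.srl"
  fi
  cp -f -- "$dir/ssl.csr" "$SSL_CSR"
  cp -f -- "$dir/ssl.key" "$SSL_KEY"
  cp -f -- "$dir/ssl.cert" "$SSL_CERT"
  chmod 0600 "$CA_DIR/rootCA.key"
  # Set the correct ownership for the new certificate and key
  echo "Setting ownership for the new SSL certificate and key..."
  chown "$QUAY_OWNER" "$SSL_CERT" "$SSL_KEY"
  chmod 0600 "$SSL_KEY"
  chmod 0644 "$SSL_CERT"
}

#######################################
# Entry point: check prerequisites, back up, generate, verify, then swap
# the files in with the service stopped only for the duration of the swap.
#######################################
main() {
  local cmd
  for cmd in openssl systemctl; do
    command -v "$cmd" >/dev/null 2>&1 || die "required command not found: $cmd"
  done
  (( EUID == 0 )) || die "must run as root (systemctl, chown)"
  [[ -d "$QUAY_CONFIG_PATH" ]] || die "config directory not found: $QUAY_CONFIG_PATH"
  [[ -d "$CA_DIR" ]] || die "Root CA directory not found: $CA_DIR"

  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  # Backup current SSL certificate and key with timestamp
  echo "Backing up SSL certificate and key..."
  backup_file "$SSL_CERT"
  backup_file "$SSL_KEY"
  # Backup existing root CA certificate and key with timestamp
  echo "Backing up Root CA certificate and key..."
  backup_file "$CA_DIR/rootCA.pem"
  backup_file "$CA_DIR/rootCA.key"

  # The configs hold no secrets, so they go straight to their final paths.
  write_ca_config "$CA_CNF"
  write_server_config "$OPENSSL_CNF"

  # Everything is produced in WORKDIR while Quay keeps serving the old cert.
  echo "Generating new Root CA..."
  generate_root_ca "$WORKDIR" "$CA_CNF"
  generate_server_cert "$WORKDIR" "$OPENSSL_CNF"
  echo "Verifying the new SSL certificate..."
  verify_certs "$WORKDIR"

  # Only now take the service down: the outage covers just the file swap.
  echo "Stopping quay-app.service..."
  systemctl stop quay-app.service
  QUAY_STOPPED=1
  install_files "$WORKDIR"
  echo "Starting quay-app.service..."
  systemctl start quay-app.service
  QUAY_STOPPED=0
  echo "Process completed. New certificate has been installed and Quay service restarted."
}

main "$@"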