In my previous post I described how to manually export/import a Docker image from one system into the Docker registry of OpenShift.
A next step would be to push an image from a non-OpenShift system directly into the registry.
The OpenShift documentation recommends securing the registry before opening it for external access. This is what this article documents; another one will show how to do the remote push.
Please run the following steps as a user with cluster-admin privileges.
Step 1
Change into the default project:
# oc project default
Step 2
Check the IP address and port of your OpenShift Docker registry:
# oc get service docker-registry
NAME              LABELS                    SELECTOR                  IP(S)          PORT(S)
docker-registry   docker-registry=default   docker-registry=default   172.30.80.73   5000/TCP
Step 3
Change into the directory where you keep the certificates of your OpenShift installation and create a new server certificate for your registry. The hostnames list must contain every name and address under which clients will reach the registry (here the external route name, the service IP and the node IP):
# cd /etc/openshift/master/
# oadm ca create-server-cert --signer-cert=ca.crt \
    --signer-key=ca.key --signer-serial=ca.serial.txt \
    --hostnames='registry.cloudapps.example.com,172.30.80.73,10.211.55.140' \
    --cert=registry.crt --key=registry.key
Step 4
Create a new OpenShift secret and add the newly created certificate and key to it:
# oc secrets new registry-secret registry.crt registry.key
Step 5
Add the newly created secret to the service account under which the registry runs:
# oc secrets add serviceaccounts/registry secrets/registry-secret
Step 6
Update the registry's deployment configuration to mount the new secret and point the registry at the TLS certificate and key:
# oc volume dc/docker-registry --add --type=secret \
    --secret-name=registry-secret -m /etc/secrets
# oc env dc/docker-registry \
    REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \
    REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
Step 7
To be able to connect to the registry from outside of OpenShift, we need to create a route to the registry. For this we create a file, registry-route.json, describing the required route:
{
  "kind": "Route",
  "apiVersion": "v1",
  "metadata": {
    "name": "registry",
    "namespace": "default",
    "labels": {
      "docker-registry": "default"
    }
  },
  "spec": {
    "host": "registry.cloudapps.example.com",
    "to": {
      "kind": "Service",
      "name": "docker-registry"
    },
    "tls": {
      "termination": "passthrough"
    }
  },
  "status": {}
}
The ‘host’ section in this definition defines the name under which the registry is supposed to be known from outside. In this case it is ‘registry.cloudapps.example.com’. The ‘passthrough’ termination means the router does not terminate TLS itself; the connection is handed through to the registry, which presents the certificate created in Step 3.
We then add the route to our OpenShift installation:
# oc create -f registry-route.json
routes/registry
Step 8
Last, but not least, we need to make Docker trust the correct CA certificate when connecting to the secured registry. To do this, copy ‘ca.crt’ from ‘/etc/openshift/master/’ into the right directory on every system that needs to communicate with our registry: the OpenShift Master, all Nodes and any other systems.
For the OpenShift Master, the commands to do so are as follows:
# mkdir -p /etc/docker/certs.d/registry.cloudapps.example.com
# cp /etc/openshift/master/ca.crt /etc/docker/certs.d/registry.cloudapps.example.com
Don’t forget to restart the Docker service:
# sudo systemctl daemon-reload
# sudo systemctl restart docker
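Before distributing ca.crt and opening the route, it is worth checking that the registry certificate from Step 3 really chains to the cluster CA and lists every hostname clients will use; a missing entry shows up later as a Docker TLS error. The script below is an added example, not part of the original post or of OpenShift: it builds a throwaway CA and server certificate with the openssl CLI (constructed stand-ins for ca.crt and registry.crt, so it runs offline) and then applies the same check you would run against the real files.

```shell
#!/bin/sh
# Added example: verify that a registry server certificate is signed by the
# cluster CA and carries every hostname/IP clients will use to reach it.
# Assumes the openssl CLI is installed. The CA and certificate built here are
# constructed test data, not taken from a real cluster.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for ca.crt/ca.key and registry.crt/registry.key.
# Deliberately omits the node IP 10.211.55.140 from the SAN list so the
# negative case below has something to catch.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=openshift-signer" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=registry" \
    -keyout "$WORK/registry.key" -out "$WORK/registry.csr" 2>/dev/null
  printf 'subjectAltName=DNS:registry.cloudapps.example.com,IP:172.30.80.73\n' \
    > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/registry.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/registry.crt" 2>/dev/null
}

# check_registry_cert CA CERT HOST...
# Returns 0 only if CERT verifies against CA and its subjectAltName covers
# every HOST (DNS name or IP address) given; otherwise returns 1.
check_registry_cert() {
  ca=$1; cert=$2; shift 2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # The SAN values sit on the line after the "Subject Alternative Name" header.
  sans=$(openssl x509 -in "$cert" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n1)
  for h in "$@"; do
    case ",$sans," in
      *"DNS:$h,"*|*"IP Address:$h,"*) ;;   # exact entry present
      *) return 1 ;;                        # hostname missing from SAN
    esac
  done
  return 0
}

make_test_certs
check_registry_cert "$WORK/ca.crt" "$WORK/registry.crt" \
    registry.cloudapps.example.com 172.30.80.73 \
  && echo "registry.crt chains to ca.crt and covers the route host and service IP"
```

Against a real installation, call check_registry_cert with /etc/openshift/master/ca.crt, registry.crt and the full hostnames list from Step 3 instead of the constructed files.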