Securing the OpenShift V3 Registry

In my previous post I described how to manually export/import a Docker image from one system into the Docker registry of OpenShift.

A next step would be to push an image from a non OpenShift system directly into the registry.

The OpenShift documentation recommends securing the registry before opening it for external access. That is what this article documents; a follow-up article will show how to do the remote push.

Please run the following steps as a user with cluster-admin privileges.

Step 1

Change into the default project

# oc project default

Step 2

Check the IP address and port of your OpenShift Docker registry.

# oc get service docker-registry
NAME LABELS SELECTOR IP(S) PORT(S)
docker-registry docker-registry=default docker-registry=default 172.30.80.73 5000/TCP

Step 3

Change into the directory that holds the certificates of your OpenShift installation and create a new server certificate for your registry. The --hostnames list contains every name and address the registry will be reached under, including the external route hostname and the service IP from Step 2.

# cd /etc/openshift/master/

# oadm ca create-server-cert --signer-cert=ca.crt \
 --signer-key=ca.key --signer-serial=ca.serial.txt \
 --hostnames='registry.cloudapps.example.com,172.30.80.73,10.211.55.140' \
 --cert=registry.crt --key=registry.key

Step 4

Create a new OpenShift secret containing the newly created certificate and key.

# oc secrets new registry-secret registry.crt registry.key

Step 5

Add the newly created secret to the service account under which the registry runs.

# oc secrets add serviceaccounts/registry secrets/registry-secret

Step 6

Update the registry's deployment configuration to mount the new secret and to point the registry's TLS settings at the certificate and key.

# oc volume dc/docker-registry --add --type=secret \
  --secret-name=registry-secret -m /etc/secrets

# oc env dc/docker-registry \
  REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \
  REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key

Step 7

To be able to connect to the registry from outside of OpenShift, we need to create a route to the registry. For this we create a file (registry-route.json) describing the required route.

{
  "kind": "Route",
  "apiVersion": "v1",
  "metadata": {
    "name": "registry",
    "namespace": "default",
    "labels": {
      "docker-registry": "default"
    }
  },
  "spec": {
    "host": "registry.cloudapps.example.com",
    "to": {
      "kind": "Service",
      "name": "docker-registry"
    },
    "tls": {
      "termination": "passthrough"
    }
  },
  "status": {}
}

The ‘host’ field in this definition is the name under which the registry is reachable from outside; in this case it is ‘registry.cloudapps.example.com’. The TLS termination is ‘passthrough’, so the connection is terminated by the registry itself with the certificate created in Step 3.

The route is then added to our OpenShift installation:

# oc create -f registry-route.json
routes/registry

Step 8

Last, but not least, we need to make Docker trust the certificate when it connects to the secured registry. To do this, copy ‘ca.crt’ from ‘/etc/openshift/master/’ into the right directory on every system that needs to communicate with the registry: the OpenShift Master, all Nodes and any other systems.

For the OpenShift Master, the commands to do so are as follows:

# mkdir -p /etc/docker/certs.d/registry.cloudapps.example.com
# cp /etc/openshift/master/ca.crt /etc/docker/certs.d/registry.cloudapps.example.com

Don’t forget to restart the Docker service:

# sudo systemctl daemon-reload
# sudo systemctl restart docker
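Once the registry is secured, it is worth confirming that the certificate from Step 3 chains to the cluster CA and actually lists the route hostname and service IP that clients will use. This is an added example, not code from the original post; it assumes the openssl CLI and the file names used above, and the make_demo_certs helper builds throwaway, constructed certificates so the check can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a registry
# server certificate was issued by the cluster CA and that its SAN list
# covers every name clients will use (route host, service IP, node IP).
# Assumes the openssl CLI; file names follow the post (ca.crt, registry.crt).
set -u

# check_registry_cert CA_FILE CERT_FILE HOST [HOST...]
# Returns 0 only if CERT_FILE chains to CA_FILE and every HOST appears
# as a DNS or IP entry in its subjectAltName extension.
check_registry_cert() {
  ca="$1"; cert="$2"; shift 2
  rc=0
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"
    rc=1
  fi
  # SAN line looks like "DNS:registry.cloudapps.example.com, IP Address:172.30.80.73";
  # strip spaces and put one entry per line so names match exactly, not as substrings.
  san=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ' | tr ',' '\n')
  for name in "$@"; do
    if printf '%s\n' "$san" | grep -qx -e "DNS:$name" -e "IPAddress:$name"; then
      echo "ok:   $name"
    else
      echo "FAIL: $name missing from subjectAltName of $cert"
      rc=1
    fi
  done
  return $rc
}

# make_demo_certs DIR: build a throwaway CA and a registry certificate
# (constructed test data mirroring Step 3) so the check can run offline.
make_demo_certs() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=registry.cloudapps.example.com" \
    -keyout "$dir/registry.key" -out "$dir/registry.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:registry.cloudapps.example.com,IP:172.30.80.73\n' > "$dir/san.cnf"
  openssl x509 -req -in "$dir/registry.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/san.cnf" -out "$dir/registry.crt" >/dev/null 2>&1
}

# Usage: sh check_registry_cert.sh ca.crt registry.crt registry.cloudapps.example.com 172.30.80.73
if [ "$#" -ge 3 ]; then
  check_registry_cert "$@"
fi
```

Run it from /etc/openshift/master/ with the real ca.crt and registry.crt and the names you passed to --hostnames; any name reported as missing will be rejected by Docker clients connecting under that name.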