Bug 1382599

Summary: [DOCS] Documentation inaccurate for docker-registry-console certificate security
Product: OpenShift Container Platform Reporter: Jaspreet Kaur <jkaur>
Component: DocumentationAssignee: brice <bfallonf>
Status: CLOSED CURRENTRELEASE QA Contact: Yadan Pei <yapei>
Severity: high Docs Contact: Vikram Goyal <vigoyal>
Priority: medium    
Version: 3.3.0CC: aos-bugs, jkaur, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-09 01:16:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jaspreet Kaur 2016-10-07 06:58:46 UTC 
Document URL: https://access.redhat.com/documentation/en/openshift-container-platform/3.3/single/installation-and-configuration/#registry-console

Section Number and Name:  3.2.6.2. Securing the Registry Console

Describe the issue: 	

What problem/issue/behavior are you having trouble with?  What do you expect to see?

when following https://docs.openshift.com/container-platform/3.3/install_config/registry/deploy_registry_existing_clusters.html#registry-console to secure the registry console, it tells me to :

oc secrets new console-secret \
    /path/to/console.crt \
    /path/to/console.key

however, once you've configured that secret as a volume in the deploymentconfig for the registry-console, and the pod is running, it will not load those certificates, because as your documentation clearly states (and is copy/pasted from the cockpit documentation itself) :


The registry console loads a certificate from the /etc/cockpit/ws-certs.d directory. It uses the last file with a .cert extension in alphabetical order. The .cert file should contain at least two OpenSSL style PEM blocks:

so, the .crt and .key files are not read and it continues to generate a self signed certificate and run with that.


Suggestions for improvement: The fix, is to combine SSL key and signed certificate into a .cert file, and create the secrets as follows :

oc secrets new console-secret /path/to/your.cert


Additional information:
Comment 1 brice 2017-01-23 05:23:51 UTC 
Jaspreet,

I've created a PR from this:

https://github.com/openshift/openshift-docs/pull/3555

I was confused by what you meant above, but the customer case made it clearer. But because of that, can I ask if what Iv'e done fulfills this BZ?

I've put the info from the troubleshooting topic into the steps when securing the registry, and because the .cert and .key info is in the same file, I've got rid of the option adding the .key to the registry secret.

Please let me know if this is not what you intended.

Thanks.
Comment 2 Jaspreet Kaur 2017-01-23 05:51:17 UTC 
Brice, 

Yes this looks correct.

Thanks
Comment 3 openshift-github-bot 2017-01-25 00:47:58 UTC 
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/7d32bf2b349e618b9e959adf9518d3b8cddf55c5
Merge pull request #3555 from bfallonf/certs_1382599

Bug 1382599 arranged section on certs and the registry console
Comment 4 brice 2017-01-25 00:56:25 UTC 
Thanks, Jaspreet. Putting this to Release_pending
Comment 5 brice 2017-02-09 01:16:18 UTC 
Link to released docs:

https://access.redhat.com/documentation/en/openshift-container-platform/3.4/single/installation-and-configuration/#registry-console