Bug 1415605

Summary: [DOCS] Replace self-signed certificates of registry in Openshift
Product: OpenShift Container Platform Reporter: Jaspreet Kaur <jkaur>
Component: Documentation    Assignee: Kathryn Alexander <kalexand>
Status: CLOSED NOTABUG QA Contact: Chuan Yu <chuyu>
Severity: medium Docs Contact: Vikram Goyal <vigoyal>
Priority: medium    
Version: 3.4.0    CC: aos-bugs, jokerman, mmccomas, tkimura, vigoyal
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-23 12:45:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jaspreet Kaur 2017-01-23 08:55:48 UTC
Document URL: https://access.redhat.com/documentation/en/openshift-container-platform/3.4/single/installation-and-configuration/#securing-the-registry

Section Number and Name: 3.4.1 Securing the Registry

Describe the issue: With OCP 3.4 the registry is secured by default with self-signed certs. We need to add a section here for anyone who wants to replace these self-signed certs with their named certificates.

Suggestions for improvement: Below are the steps that can be added:

cd /etc/origin/master/named_certificates/
ln -s cert_without_key.pem registry.crt
ln -s www_sslcertificaten.key registry.key

oc secrets unlink default registry-certificates
oc secrets unlink registry registry-certificates

oc secrets new registry-secret /etc/origin/master/named_certificates/registry.crt /etc/origin/master/named_certificates/registry.key
oc secrets link registry registry-secret
oc secrets link default registry-secret

Get the name of the volume:
oc describe dc docker-registry | grep volume

oc volume dc/docker-registry --remove --name=volume-r8dfe
oc volume dc/docker-registry --add --type=secret --secret-name=registry-secret -m /etc/secrets

Additional information:

Comment 1 Takayoshi Kimura 2017-02-24 08:56:21 UTC
We don't need to unlink/link, or create a new secret under a different name.

It's simpler to recreate the registry-certificates secret and perform a redeploy.

oc delete secret registry-certificates
oc secrets new registry-certificates ......
oc rollout latest docker-registry
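A defensive version of the comment 1 approach, added here as an example (it is not from the bug report or the OpenShift documentation): before recreating the registry-certificates secret and rolling out, it checks that the certificate and key are a matching pair and that the certificate covers the registry hostname, since either mistake leaves the registry pod failing or clients rejecting the new cert. It assumes cluster-admin access, the registry in the "default" project, and placeholder paths and hostname.

```shell
#!/bin/sh
# Added example, not from the bug report or the OpenShift docs.
# Assumes: logged in as cluster-admin, registry in the "default" project,
# and that the cert/key paths and registry hostname are placeholders.
set -eu

# Return 0 only when both files exist, are readable and are non-empty.
check_inputs() {
  [ -r "$1" ] && [ -s "$1" ] && [ -r "$2" ] && [ -s "$2" ]
}

# Return 0 when the certificate's public key equals the private key's.
# A mismatched pair makes the registry pod fail at startup, so check first.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 when a SAN DNS entry or the CN covers the registry hostname;
# otherwise docker/oc clients will reject the new certificate.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|$)" ||
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -Eq "CN *= *$2(,|/|$)"
}

# Recreate the secret the registry DC already mounts (comment 1's approach:
# no unlink/link and no new secret name), then roll out and wait for it.
replace_registry_cert() {
  cert=$1; key=$2; host=$3
  check_inputs "$cert" "$key"      || { echo "cert/key unreadable or empty" >&2; return 1; }
  cert_matches_key "$cert" "$key"  || { echo "cert does not match key" >&2; return 1; }
  cert_covers_host "$cert" "$host" || { echo "cert does not cover $host" >&2; return 1; }
  oc delete secret registry-certificates -n default
  oc secrets new registry-certificates "registry.crt=$cert" "registry.key=$key" -n default
  oc rollout latest dc/docker-registry -n default
  oc rollout status dc/docker-registry -n default
}

# Only act when explicitly asked, e.g.:
#   sh replace-cert.sh --apply /path/registry.crt /path/registry.key docker-registry.default.svc
case "${1:-}" in
  --apply) replace_registry_cert "$2" "$3" "${4:-docker-registry.default.svc}" ;;
esac
```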