Document URL: https://access.redhat.com/documentation/en/openshift-container-platform/3.3/single/installation-and-configuration/#registry-console

Section Number and Name: 3.2.6.2. Securing the Registry Console

Describe the issue:
What problem/issue/behavior are you having trouble with? What do you expect to see?

When following https://docs.openshift.com/container-platform/3.3/install_config/registry/deploy_registry_existing_clusters.html#registry-console to secure the registry console, it tells me to:

    oc secrets new console-secret \
        /path/to/console.crt \
        /path/to/console.key

However, once you've configured that secret as a volume in the deploymentconfig for the registry-console, and the pod is running, it will not load those certificates, because, as your documentation clearly states (and is copy/pasted from the cockpit documentation itself):

    The registry console loads a certificate from the /etc/cockpit/ws-certs.d directory. It uses the last file with a .cert extension in alphabetical order. The .cert file should contain at least two OpenSSL style PEM blocks:

So, the .crt and .key files are not read and it continues to generate a self-signed certificate and run with that.

Suggestions for improvement:
The fix is to combine the SSL key and signed certificate into a .cert file, and create the secrets as follows:

    oc secrets new console-secret /path/to/your.cert

Additional information:
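The selection rule quoted in the report above, as an added example that is not part of the original bug report or the OpenShift docs: it shows why a directory holding only console.crt and console.key yields no usable file, and builds the combined .cert file the reporter suggests. Function names and file names are hypothetical, and placing the certificate blocks before the key block is an assumption.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical.

# Print the file the quoted rule would select from a ws-certs.d style
# directory: the last *.cert file in alphabetical order. Prints nothing
# when no file has a .cert extension (the self-signed fallback case).
selected_cert() {
    dir=$1
    for f in "$dir"/*.cert; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done | LC_ALL=C sort | tail -n 1
}

# Return 0 only if the file holds at least one certificate PEM block and
# one private key PEM block, i.e. the "at least two PEM blocks" rule.
has_cert_and_key() {
    file=$1
    [ -f "$file" ] || return 1
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$file" || true)
    [ "$certs" -ge 1 ] && [ "$keys" -ge 1 ]
}

# Combine a certificate file and a key file into one .cert file.
# Assumption: certificate block(s) first, private key last.
build_console_cert() {
    crt=$1
    key=$2
    out=$3
    case $out in
        *.cert) ;;
        *) echo "output name must end in .cert" >&2; return 1 ;;
    esac
    # The combined file contains the private key: keep it owner-only.
    ( umask 077; cat "$crt" "$key" > "$out" ) || return 1
    has_cert_and_key "$out"
}

# Usage, with the secret command taken from the report:
#   build_console_cert console.crt console.key your.cert &&
#       oc secrets new console-secret /path/to/your.cert
```

Running `selected_cert` against the mounted secret directory before and after the change shows whether the console has anything to load other than its generated self-signed certificate.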
Jaspreet, I've created a PR from this: https://github.com/openshift/openshift-docs/pull/3555

I was confused by what you meant above, but the customer case made it clearer. But because of that, can I ask if what I've done fulfills this BZ? I've put the info from the troubleshooting topic into the steps when securing the registry, and because the .cert and .key info is in the same file, I've got rid of the option adding the .key to the registry secret. Please let me know if this is not what you intended. Thanks.
Brice, Yes this looks correct. Thanks
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/7d32bf2b349e618b9e959adf9518d3b8cddf55c5
Merge pull request #3555 from bfallonf/certs_1382599

Bug 1382599 arranged section on certs and the registry console
Thanks, Jaspreet. Putting this to Release_pending
Link to released docs: https://access.redhat.com/documentation/en/openshift-container-platform/3.4/single/installation-and-configuration/#registry-console