Bug 1415605 - [DOCS] Replace self-signed certificates of registry in Openshift
Summary: [DOCS] Replace self-signed certificates of registry in Openshift
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Kathryn Alexander
QA Contact: Chuan Yu
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-23 08:55 UTC by Jaspreet Kaur
Modified: 2020-03-11 15:38 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-23 12:45:24 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Jaspreet Kaur 2017-01-23 08:55:48 UTC
Document URL: https://access.redhat.com/documentation/en/openshift-container-platform/3.4/single/installation-and-configuration/#securing-the-registry

Section Number and Name: 3.4.1 Securing the Registry

Describe the issue: With OCP 3.4 registry is secured bydefault with self-signed certs. We need to add a section in this if anyone wants to replace these self-signed certs with their named certificates.

Suggestions for improvement: Below are the steps that can be added :

cd /etc/origin/master/named_certificates/
ln -s cert_without_key.pem registry.crt
ln -s www_sslcertificaten.key registry.key
 
oc secrets unlink default registry-certificates
oc secrets unlink registry registry-certificates

 
oc secrets new registry-secret /etc/origin/master/named_certificates/registry.crt /etc/origin/master/named_certificates/registry.key
oc secrets link registry registry-secret
oc secrets link default  registry-secret
 

Get the name of the volume :
oc describe dc docker-registry | grep volume

oc volume dc/docker-registry --remove --name=volume-r8dfe
oc volume dc/docker-registry --add --type=secret --secret-name=registry-secret -m /etc/secrets

Additional information:

Comment 1 Takayoshi Kimura 2017-02-24 08:56:21 UTC
We don't need to unlink/link, or create new secret under different name.

It's simpler to recreate registry-certificates secret and perform redeploy.

oc delete secret registry-certificates
oc secrets new registry-certificates ......
oc rollout latest docker-registry


Note You need to log in before you can comment on or make changes to this bug.