Bug 1547826 - TLS Configuration for Undercloud should make docker-distribution (registry) serve its registry over HTTPS
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-tripleoclient
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Douglas Mendizábal
QA Contact: Gurenko Alex
URL:
Whiteboard:
Depends On:
Blocks: 1664423 1664424
 
Reported: 2018-02-22 03:36 UTC by david.costakos
Modified: 2020-10-05 04:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1664423
Environment:
Last Closed: 2020-09-30 19:10:31 UTC
Target Upstream Version:
Embargoed:
david.costakos: needinfo-



Description david.costakos 2018-02-22 03:36:14 UTC
Description of problem:
If I configure OSP12 for TLS, or TLS everywhere, docker-distribution serves the docker registry over an unencrypted port by default on the provisioning network.  This network is (mostly) routable in production instances.

Version-Release number of selected component (if applicable):
python-tripleoclient-7.3.3-7.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. deploy OSP12 with TLS enabled, or do TLS everywhere config and add TLS after deployment
2. Create a local container registry
3. registry is served on a (usually) routable network over HTTP

Actual results:
registry is served over https

Expected results:
encrypted registry as there is transit across wires between nodes on encrypted protocol

Additional info:
Adding these lines to /etc/docker-distribution/registry would fix the issue (assuming your SSL cert is in /etc/pki/instack-certs/undercloud.pem):
---
    tls:
        certificate: /etc/pki/instack-certs/undercloud.pem
        key: /etc/pki/instack-certs/undercloud.pem
---
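
A check for the setting proposed above, as an added example that is not part of the original report or of TripleO: it parses a docker-distribution config and reports whether the http.tls block carries both certificate and key. The sample configs, the :5000 address and the function names are constructed for illustration; the parser handles only nested key/value mappings, not general YAML.

```python
def parse_mappings(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]                  # (indent, mapping), outermost first
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:     # leave deeper and sibling blocks
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key.strip()] = value
        else:                             # "key:" alone opens a nested mapping
            parent[key.strip()] = {}
            stack.append((indent, parent[key.strip()]))
    return root


def audit_registry_tls(text):
    """Return findings for the http.tls block; an empty list means it is set."""
    http = parse_mappings(text).get("http")
    if not isinstance(http, dict):
        return ["no http section found"]
    tls = http.get("tls")
    if not isinstance(tls, dict):
        addr = http.get("addr", "default address")
        return ["http.tls missing: registry serves plain HTTP on %s" % addr]
    return ["http.tls.%s not set" % name for name in ("certificate", "key")
            if not isinstance(tls.get(name), str)]


# Constructed sample configs; the TLS paths are the ones quoted in the report.
PLAIN = """\
version: 0.1
storage:
    filesystem:
        rootdirectory: /var/lib/registry
http:
    addr: :5000
"""
WITH_TLS = PLAIN + """\
    tls:
        certificate: /etc/pki/instack-certs/undercloud.pem
        key: /etc/pki/instack-certs/undercloud.pem
"""

if __name__ == "__main__":
    for label, cfg in (("plain", PLAIN), ("with tls", WITH_TLS)):
        print(label, "->", audit_registry_tls(cfg) or "ok")
```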

Comment 3 stchen 2020-09-30 19:10:31 UTC
Closing EOL, OSP 15 has been retired as of Sept 19

