local-registry-setup
### edit /etc/pki/tls/openssl.cnf and update this section
[ v3_ca ]
subjectAltName=IP:192.168.222.1
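### create self cert
#
# Stand up a TLS-protected, htpasswd-authenticated local container registry
# with podman and wire it into an OpenShift install (or an existing cluster).
#
# Prerequisite: the [ v3_ca ] section of /etc/pki/tls/openssl.cnf must carry
# subjectAltName=IP:<registry host> (see above); `openssl req -x509` takes its
# extensions from there, and clients reject an IP-addressed registry without a SAN.
#
# Every setting can be overridden from the environment. The defaults reproduce
# the original one-off setup (registry at 192.168.222.1:5000, user openshift);
# the default password is a demo value and must be overridden for real use.
#
# Must run as root: it writes under /etc, /opt and /var and starts a rootful
# podman container.
set -euo pipefail

(( EUID == 0 )) || { printf 'run as root\n' >&2; exit 1; }

registry_host=${REGISTRY_HOST:-192.168.222.1}
registry_port=${REGISTRY_PORT:-5000}
registry=${registry_host}:${registry_port}
reg_user=${REGISTRY_USER:-openshift}
reg_pass=${REGISTRY_PASS:-redhat}   # demo default; override via REGISTRY_PASS
cert_days=${CERT_DAYS:-365}

readonly cert_dir=/opt/registry/certs
readonly auth_dir=/opt/registry/auth
readonly data_dir=/var/registry_vol

cert_c="US"
cert_s="Massachussets"
cert_l="Boston"
cert_o="Red Hat, Inc"
cert_ou="Engineering"
cert_cn=${registry_host}

mkdir -p /opt/registry/{auth,certs,data}
openssl req \
  -newkey rsa:4096 \
  -nodes \
  -sha256 \
  -keyout "${cert_dir}/domain.key" \
  -x509 \
  -days "${cert_days}" \
  -out "${cert_dir}/domain.crt" \
  -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
# -nodes leaves the key unencrypted on disk, so keep it root-only.
chmod 600 "${cert_dir}/domain.key"

### trust this self signed cert, so curl will not complain
cp "${cert_dir}/domain.crt" /etc/pki/ca-trust/source/anchors/
update-ca-trust enable
update-ca-trust extract

### let podman trust this self signed cert
mkdir -p "/etc/containers/certs.d/${registry}"
cp "${cert_dir}/domain.crt" "/etc/containers/certs.d/${registry}/"

### create http user (default: openshift / redhat)
# Only the htpasswd tool is needed; the httpd daemon itself is not installed.
yum -y install httpd-tools
mkdir -p "${auth_dir}"
# -i reads the password from stdin; -b would put it in the process list and
# shell history.
printf '%s' "${reg_pass}" | htpasswd -iBc "${auth_dir}/htpasswd" "${reg_user}"

### create local volume for registry
mkdir -p "${data_dir}"

### start registry container
# No --privileged: the registry needs no extra capabilities. The :z suffix
# relabels the bind mounts so SELinux lets the container read/write them.
# Consider pinning the image by digest instead of the floating :2 tag.
podman run -d -p "${registry_port}:5000" --name registry \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v "${data_dir}:/var/lib/registry:z" \
  -v "${auth_dir}:/auth:z" \
  -v "${cert_dir}:/certs:z" \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  docker.io/library/registry:2

### list what's in the registry
# Credentials go through a curl config read from stdin (-K -) rather than
# argv; -v is dropped because verbose output would print the Authorization
# header to the terminal.
curl -sS -K - "https://${registry}/v2/_catalog" <<<"user = \"${reg_user}:${reg_pass}\""

### upload image
# --password-stdin keeps the password out of the process list and history.
printf '%s' "${reg_pass}" | podman login -u "${reg_user}" --password-stdin "${registry}"
# Assumes an image tagged ${registry}/flexran already exists locally.
podman push "${registry}/flexran"

### make the cert part of the ocp install
# Appends to install-config.yaml in the current directory; running this twice
# would duplicate the additionalTrustBundle key.
{
  echo "additionalTrustBundle: |"
  sed -e 's/^/ /' "${cert_dir}/domain.crt"
} >> install-config.yaml

### Or on an existing cluster
# OpenShift encodes host:port as "host..port" in configmap keys.
oc create configmap registry-cas -n openshift-config \
  --from-file="${registry_host}..${registry_port}=${cert_dir}/domain.crt"
oc patch image.config.openshift.io/cluster \
  --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

### attach the username/password secret to the service account
# NOTE(review): oc has no stdin option here, so the password is visible in
# argv for the duration of this command.
oc create secret docker-registry local-registry-secret \
  --docker-server="${registry}" \
  --docker-username="${reg_user}" \
  --docker-password="${reg_pass}"
oc secrets link default local-registry-secret --for=pull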