Offline install RKE2 and Rancher RHEL 8
RKE_Dependencies**
**.DS_Store
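#!/bin/bash
# do_all_the_online_things.sh - run every "online side" step back to back:
#   1. download_rke.sh             -> rke2 airgap images + RPM repo bundle
#   2. registry_self_signed_certs  -> CA + server cert for the temp registry
#   3. download_rancher.sh         -> helm, k9s, charts, cert-manager CRDs
#   4. a throwaway registry:2 on 127.0.0.1:5443 (TLS, using those certs)
#   5. registry_image_load.sh      -> pull / retag / push every image into it
#   6. tar up the registry's blob store as registry_data.tar.gz
# Everything lands in ./RKE_Dependencies for transfer into the airgap.
#
# Supply-chain caveat: each step fetches a script from this gist's *mutable*
# raw URL and pipes it into bash as root inside a container that has the
# output directory (and, for step 5, the host docker socket) mounted. Whoever
# controls that gist, or your network path to it, controls what ends up in
# the bundle you carry into the airgap. For anything beyond a lab: pin the
# gist to a revision, download and review the scripts, run the local copies.
set -euo pipefail

deps_dir="$(pwd)/RKE_Dependencies"
gist_raw="https://gist.githubusercontent.com/mddamato/fe8ca3337b8ceae93d8f6ca02d9c02b6/raw"
mkdir -p "${deps_dir}"

echo "---> download rke"
docker run --rm \
  -v "${deps_dir}:/mnt" \
  -w /mnt centos:8 \
  /bin/bash -c \
  "curl -sfL ${gist_raw}/download_rke.sh | bash -"
echo "---> generate certs"
docker run --rm \
  -v "${deps_dir}:/mnt" \
  -w /mnt centos:8 \
  /bin/bash -c \
  "yum install -y openssl && curl -sfL ${gist_raw}/registry_self_signed_certs.sh | bash -"
echo "---> download rancher"
docker run --rm \
  -v "${deps_dir}:/mnt" \
  -w /mnt centos:8 \
  /bin/bash -c \
  "curl -sfL ${gist_raw}/download_rancher.sh | bash -"
# a registry left behind by an earlier failed run would hold the port
docker stop temp_registry || true
echo "---> start registry"
# The temp registry has no authentication, so it is published on loopback
# only; the image loader below runs with --network host and pushes to
# 127.0.0.1:5443, which is all that needs to reach it.
docker run -t -d --rm \
  --name temp_registry \
  -v "${deps_dir}/registry_data/certs:/certs" \
  -v "${deps_dir}/registry_data/db:/var/lib/registry" \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
  -p 127.0.0.1:5443:5443 \
  registry:2
echo "---> sleep 10"
sleep 10
echo "---> image load"
# The loader only drives the host docker daemon through the bind-mounted
# socket, so it does not need --privileged (socket access is already
# root-equivalent on the host - keep that in mind on a shared machine).
# --network host is what lets it reach the temp registry on 127.0.0.1:5443.
docker run --network host --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "${deps_dir}:/mnt" \
  -w /mnt \
  centos:8 \
  /bin/bash -c \
  "curl -sfL ${gist_raw}/registry_image_load.sh | bash -"
echo "---> sleep 10"
sleep 10
echo "---> stop registry"
docker stop temp_registry
echo "---> sleep 10"
sleep 10
# pack the blob store (pigz for speed) and remove the unpacked copy
docker run -t --rm \
  -v "${deps_dir}:/mnt" \
  -w /mnt centos:8 \
  /bin/bash -c \
  "yum install -y pigz && cd registry_data; tar -cvf ../registry_data.tar . && cd .. && rm -rf registry_data/ && pigz registry_data.tar"
echo "---> DONE"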
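#!/bin/bash
# download_rancher.sh - fetch the non-image artifacts the offline side needs:
# a tar RPM, helm and k9s tarballs, the cert-manager CRDs, the registry
# manifest and cert script from this gist, and the rancher / cert-manager
# helm charts. Runs inside the centos:8 helper container with /mnt
# (RKE_Dependencies) as the working directory.
set -euo pipefail

HELM_VERSION="v3.5.0"
K9S_VERSION="v0.24.2"
CERT_MANAGER_VERSION="v1.0.4"
RANCHER_CHART_VERSION="2.5.5"
GIST_RAW="https://gist.githubusercontent.com/mddamato/fe8ca3337b8ceae93d8f6ca02d9c02b6/raw"

yum install -y openssl yum-utils tar
# the offline host may lack tar; the README installs this RPM by its exact
# filename (tar-1.30-5.el8.x86_64.rpm), so check the name if the version moves
yumdownloader --downloaddir "$(pwd)" tar

# -f makes curl fail on HTTP errors instead of silently saving an HTML error
# page under the artifact's name, which 'set -e' would never notice.
curl -fsSLO "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_x86_64.tar.gz"
curl -fsSLO "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz"
curl -fsSLO "https://github.com/jetstack/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.crds.yaml"
curl -fsSLO "${GIST_RAW}/registry_manifest.yaml"
curl -fsSLO "${GIST_RAW}/registry_self_signed_certs.sh"
# NOTE(review): the helm and k9s tarballs are not checksum-verified here;
# both projects publish sha256 files next to their releases - wire those in
# before trusting the bundle.

# Install helm for this container from the same pinned tarball the offline
# side uses, instead of piping the unpinned get-helm-3 script from helm's
# 'master' branch into bash.
tar -xzf "helm-${HELM_VERSION}-linux-amd64.tar.gz" -C /tmp linux-amd64/helm
install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm

helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
helm repo add jetstack https://charts.jetstack.io
helm repo update
# produces rancher-2.5.5.tgz and cert-manager-v1.0.4.tgz, the names the
# offline-side helm commands expect
helm fetch rancher-latest/rancher --version="${RANCHER_CHART_VERSION}"
helm fetch jetstack/cert-manager --version "${CERT_MANAGER_VERSION}"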
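#!/bin/bash
# download_rke.sh - build the offline RKE2 dependency bundle:
#   * rke2-images.linux-amd64.tar.gz, verified against the release's sha256 list
#   * rke_rpm_deps.tar.gz: a yum repo (with modular metadata) holding
#     rke2-server, rke2-agent and their dependency closure
#   * rancher-rpm-public.key: the Rancher RPM signing key, so the offline repo
#     can be switched to gpgcheck=1 (the README currently installs with gpgcheck=0)
# Result: rke-government-deps-<epoch>.tar.gz in the current directory.
# Must run as root on CentOS 8 (the centos:8 helper container qualifies).
set -euo pipefail

# set variables
YUM_PACKAGES="unzip container-selinux rke2-server-1.19.7~rke2r1-0.el8 rke2-agent-1.19.7~rke2r1-0.el8 tar"
RKE2_RELEASE_BASE="https://github.com/rancher/rke2/releases/download/v1.19.7%2Brke2r1"
RKE_IMAGES_TARBALL="rke2-images.linux-amd64.tar.gz"
RKE_IMAGES_DL_URL="${RKE2_RELEASE_BASE}/${RKE_IMAGES_TARBALL}"
RKE_IMAGES_DL_SHASUM="${RKE2_RELEASE_BASE}/sha256sum-amd64.txt"
RKE2_VERSION="1.19"
RANCHER_RPM_KEY_URL="https://rpm.rancher.io/public.key"

# preflight - check for centos 8 and root user (note a RHEL 8 host fails the
# os check; run this inside the centos:8 container instead)
os_id=$(awk -F= '/^ID=/{print $2}' /etc/os-release)
os_version=$(awk -F= '/^VERSION_ID=/{print $2}' /etc/os-release)
if [[ "${os_id}" != '"centos"' || "${os_version}" != '"8"' ]]; then
  echo "needs to be run on centos 8" >&2
  exit 1
fi
if [[ "${EUID}" -ne 0 ]]; then
  echo "needs to be run as root" >&2
  exit 1
fi

# create a working directory, install dependency collection dependencies
workdir="rke-government-deps-$(date +%s)"
export workdir
mkdir "${workdir}"
cd "${workdir}"
yum install -y yum-utils createrepo unzip epel-release pigz
yum install -y modulemd-tools python3-gobject-base

# grab and verify rke images. -f: fail on HTTP errors rather than saving an
# error page under the tarball's name. The checksum list is served from the
# same release over the same channel, so this catches corruption and a
# swapped asset, not a compromised release.
curl -fsSLO "${RKE_IMAGES_DL_URL}"
curl -fsSLO "${RKE_IMAGES_DL_SHASUM}"
# match the basename in column 2 exactly; a substring grep could also pick up
# a differently-named asset whose name contains this one
CHECKSUM_EXPECTED=$(awk -v f="${RKE_IMAGES_TARBALL}" '{ n = split($2, p, "/"); if (p[n] == f) print $1 }' sha256sum-amd64.txt)
CHECKSUM_ACTUAL=$(sha256sum "${RKE_IMAGES_TARBALL}" | awk '{print $1}')
if [[ -z "${CHECKSUM_EXPECTED}" || "${CHECKSUM_EXPECTED}" != "${CHECKSUM_ACTUAL}" ]]; then
  echo "FATAL: download sha256 does not match" >&2
  exit 1
fi
rm -f sha256sum-amd64.txt

# ship the Rancher RPM signing key with the bundle (see header)
curl -fsSL -o rancher-rpm-public.key "${RANCHER_RPM_KEY_URL}"

# install rke rpm repo (kept disabled; enabled only for the download below)
cat <<EOF >"/etc/yum.repos.d/rancher-rke2-latest.repo"
[rancher-rke2-common-latest]
name=Rancher RKE2 Common (latest)
baseurl=https://rpm.rancher.io/rke2/latest/common/centos/8/noarch
enabled=0
gpgcheck=1
gpgkey=${RANCHER_RPM_KEY_URL}
[rancher-rke2-latest]
name=Rancher RKE2 ${RKE2_VERSION} (latest)
baseurl=https://rpm.rancher.io/rke2/latest/${RKE2_VERSION}/centos/8/x86_64
enabled=0
gpgcheck=1
gpgkey=${RANCHER_RPM_KEY_URL}
EOF

# download all rpms and their dependencies. --installroot at the empty
# Packages dir (with --releasever=/) makes yum resolve against an empty
# system, so the full dependency closure is downloaded rather than only what
# this container is missing. --downloadonly does not install, so do not
# assume RPM signatures were checked at this point.
mkdir -p rke_rpm_deps/Packages
cd rke_rpm_deps/Packages
# shellcheck disable=SC2086  # YUM_PACKAGES is a deliberate space-separated list
yum install -y --enablerepo="rancher-rke2-common-latest" --enablerepo="rancher-rke2-latest" \
  --releasever=/ --installroot="$(pwd)" --downloadonly --downloaddir "$(pwd)" ${YUM_PACKAGES}
cd ..
createrepo_c .
# generate and attach modular (modulemd) metadata for the repo
repo2module -s stable -d . modules.yaml
modifyrepo_c --mdtype=modules ./modules.yaml ./repodata
cd ..
tar -cvf rke_rpm_deps.tar rke_rpm_deps
rm -rf rke_rpm_deps
pigz rke_rpm_deps.tar

# create tar with everything, delete working directory
tar -cvf "../${workdir}.tar" .
cd ..
rm -rf "${workdir:?}"
pigz "${workdir}.tar"
echo "done with download rke2 dependencies: ${workdir}.tar.gz"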

Online Side - with an internet connection

All of the below steps assume you're on a machine with docker installed and an active internet connection. Note that every step fetches a script from this gist by its mutable raw URL and pipes it straight into bash (as root, inside a container with your output directory mounted); for anything beyond a lab, pin a specific gist revision, or download, review and run local copies of the scripts instead.

Shortcut- run all the steps:

I am currently seeing some stability issues running this, and I think it's a matter of rate limiting from quay and docker, but I have not tried to stabilize it yet. I might need to work in some retry logic. If it fails at some point, it's best to rerun the individual step that failed and the remaining steps after it, one at a time, using the substeps below.

Run all the online things:

This can take more than an hour to complete, and needs about 60GiB of disk. End result is about 10GiB.

curl -sfL https://gist.githubusercontent.com/mddamato/fe8ca3337b8ceae93d8f6ca02d9c02b6/raw/do_all_the_online_things.sh | bash -

After this finishes copy everything from RKE_Dependencies into the offline host.

Make directory for all your dependencies

All of the below steps assume this folder is created.

mkdir RKE_Dependencies

Download RKE2 Images and RPMs

This follows a similar process from https://rancherfederal.com/blog/installing-rke-government-in-airgap-environments/

docker run --rm \
-v $(pwd)/RKE_Dependencies:/mnt \
-w /mnt centos:8 \
/bin/bash -c \
"curl -sfL https://gist.githubusercontent.com/mddamato/fe8ca3337b8ceae93d8f6ca02d9c02b6/raw/download_rke.sh | bash -"

Make some self signed certificates for the registry

docker run -it --rm \
-v $(pwd)/RKE_Dependencies:/mnt \
-w /mnt centos:8 \
/bin/bash -c \
"yum install -y openssl && curl -sfL https://gist.githubusercontent.com/mddamato/fe8ca3337b8ceae93d8f6ca02d9c02b6/raw/registry_self_signed_certs.sh | bash -"

Download any other dependencies we might need

Add to the download_rancher.sh script if any additional charts or binaries are needed.

docker run -it --rm \
-v $(pwd)/RKE_Dependencies:/mnt \
-w /mnt centos:8 \
/bin/bash -c \
"curl -sfL https://gist.githubusercontent.com/mddamato/fe8ca3337b8ceae93d8f6ca02d9c02b6/raw/download_rancher.sh | bash -"

Start a temporary registry so we can load the database with our image blobs

We will use this registry to build a database of image blobs that we can ship to the airgap and mount to a new registry.

docker run -t -d --rm \
--name temp_registry \
-v $(pwd)/RKE_Dependencies/registry_data/certs:/certs \
-v $(pwd)/RKE_Dependencies/registry_data/db:/var/lib/registry \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
-p 5443:5443 \
registry:2

Download and push all needed images to the registry

This process takes a long time and uses a lot of disk space. Add to the registry_image_load.sh script if any additional images are needed.

docker run --privileged -it --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $(pwd)/RKE_Dependencies:/mnt \
-w /mnt \
centos:8 \
/bin/bash -c \
"curl -sfL https://gist.githubusercontent.com/mddamato/fe8ca3337b8ceae93d8f6ca02d9c02b6/raw/registry_image_load.sh | bash -"

Stop the registry

docker stop temp_registry

docker run -t --rm \
-v $(pwd)/RKE_Dependencies:/mnt \
-w /mnt centos:8 \
/bin/bash -c \
"yum install -y pigz && cd registry_data; tar -cvf ../registry_data.tar . && cd .. && rm -rf registry_data/ && pigz registry_data.tar"

Zip everything up, and send to airgap

scp RKE_Dependencies/* user@rke2-server.com:/home/user

clean everything by removing RKE_Dependencies rm -rf RKE_Dependencies. You might also want to docker prune to clean up local copies of images.

Offline side - no internet connection

These steps assume you're running on a RHEL/Centos 8 machine.

disable firewalld (a lab shortcut: this removes host packet filtering entirely; for a real deployment, allow the specific RKE2/Kubernetes ports instead of disabling the firewall)

if [ "$(id -u)" -ne 0 ] ; then sudo -s; fi
systemctl stop firewalld && systemctl disable firewalld

set SELinux to permissive (not disabled; note this is at odds with the `selinux: true` in the rke2 config.yaml written below: the policy is loaded but denials are only logged, never enforced, so the container-selinux confinement is effectively off)

sed -i 's/=enforcing/=permissive/g' /etc/selinux/config
setenforce 0

Set variables

cat >> ~/.bashrc <<EOF
export RANCHER_INGRESS_HOSTNAME="$(hostname)"
export FIRST_SERVER_NODE_HOSTNAME="$(hostname)"
export FIRST_SERVER_NODE_IP="$(hostname -i)"
export REGISTRY_IP="$(hostname -i)"
export REGISTRY_HOST="$(hostname)"
export REGISTRY_PORT="30500"
export INSECURE_REGISTRY_PORT="30501"
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
export PATH=$PATH:/var/lib/rancher/rke2/bin:/usr/local/bin
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
alias ku=kubectl
EOF
source ~/.bashrc

These can be set in your bash profile so you don't need to re-enter them if you close your session

The registry ports are hard coded in the registry_manifest.yaml: 30500 is the TLS registry, and 30501 serves the same blob store over plain HTTP with no authentication to anything that can reach the node, so only expose it where that is acceptable.

create rke2 config file

mkdir -p /etc/rancher/rke2
cat > /etc/rancher/rke2/config.yaml <<EOF
selinux: true
write-kubeconfig-mode: "0640"
tls-san:
- centos-8-0.tomatodamato.com
- centos-8-1.tomatodamato.com
- centos-8-2.tomatodamato.com
EOF

create registry config

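# containerd mirror config: send docker.io (and direct references to the
# registry) to the in-cluster registry, and verify its TLS certificate against
# the CA created by registry_self_signed_certs.sh. Only ca_file is needed for
# that trust: the registry manifest configures no client-certificate checking,
# so no cert_file/key_file, and no node needs the registry's private key.
# insecure_skip_verify is deliberately absent - with it on, certificate
# verification is disabled and any host answering on REGISTRY_HOST:REGISTRY_PORT
# can feed the cluster images.
cat > /etc/rancher/rke2/registries.yaml <<EOF
mirrors:
  "$REGISTRY_HOST:$REGISTRY_PORT":
    endpoint:
      - "https://$REGISTRY_HOST:$REGISTRY_PORT"
  docker.io:
    endpoint:
      - "https://$REGISTRY_HOST:$REGISTRY_PORT"
configs:
  "$REGISTRY_HOST:$REGISTRY_PORT":
    tls:
      ca_file: /var/lib/rancher/hostPaths/registry/certs/ca.pem
EOF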

install rke2

rpm -i ./tar-1.30-5.el8.x86_64.rpm
tar xzvf rke-government-deps-*.tar.gz
rm -f rke-government-deps-*.tar.gz

mkdir -p /var/lib/rancher/rke2/agent/images/ && \
zcat rke2-images.linux-amd64.tar.gz > /var/lib/rancher/rke2/agent/images/rke2-images.linux-amd64.tar

cp registry.tar /var/lib/rancher/rke2/agent/images/

mkdir -p /var/lib/rancher/yum_repos
tar xzf rke_rpm_deps.tar.gz -C /var/lib/rancher/yum_repos
# gpgcheck=0: RPM signatures are not verified when installing from this local
# repo. The packages were fetched through a gpgcheck=1 repo definition on the
# online side, but --downloadonly does not install, so do not assume they were
# checked there either; integrity currently rests on how the bundle reached
# this host. To close the gap, rpm --import the Rancher key
# (https://rpm.rancher.io/public.key) and the distro key, then set gpgcheck=1.
cat > /etc/yum.repos.d/rke_rpm_deps.repo <<EOF
[rke_rpm_deps]
name=rke_rpm_deps
baseurl=file:///var/lib/rancher/yum_repos/rke_rpm_deps
enabled=0
gpgcheck=0
EOF

# the repo is enabled=0 above, so it is switched on only for this install
yum install -y --disablerepo=* --enablerepo="rke_rpm_deps" rke2-server

Start rke2-server

systemctl start rke2-server
systemctl enable rke2-server

Watch the rke2-server journal logs if you like

journalctl -u rke2-server -f

Wait for Ready status

watch kubectl get no

Install registry

# load registry image into containerd locally
ctr -a /run/k3s/containerd/containerd.sock -n k8s.io image import /var/lib/rancher/rke2/agent/images/registry.tar

# extract registry database
mkdir -p /var/lib/rancher/hostPaths/registry
tar xvzf registry_data.tar.gz -C /var/lib/rancher/hostPaths/registry

# make new registry certs
chmod +x registry_self_signed_certs.sh
bash -c "./registry_self_signed_certs.sh /var/lib/rancher/hostPaths/registry $REGISTRY_IP $REGISTRY_HOST"

# add to hosts file if hostname is not resolvable
echo "$REGISTRY_IP $REGISTRY_HOST" >> /etc/hosts

# create registry namespace
kubectl create ns registry

# make secret for certificates
kubectl create secret -n registry generic registry-certificates \
--from-file=cert=/var/lib/rancher/hostPaths/registry/certs/server.crt \
--from-file=key=/var/lib/rancher/hostPaths/registry/certs/server.key \
--from-file=ca=/var/lib/rancher/hostPaths/registry/certs/ca.pem

# launch registry
kubectl apply -f registry_manifest.yaml -n registry
kubectl wait --for=condition=available --timeout=600s deployment/registry -n registry

Test registry connection (the `--skip-verify` push and `curl -k` below deliberately bypass TLS verification for this smoke test; to also prove the trust chain works, use `curl --cacert /var/lib/rancher/hostPaths/registry/certs/ca.pem https://$REGISTRY_HOST:$REGISTRY_PORT/v2/_catalog`)

ctr -a /run/k3s/containerd/containerd.sock -n k8s.io image tag docker.io/library/registry:2 $REGISTRY_HOST:$REGISTRY_PORT/library/registry:2
ctr -a /run/k3s/containerd/containerd.sock -n k8s.io image push --skip-verify $REGISTRY_HOST:$REGISTRY_PORT/library/registry:2
curl -k https://$REGISTRY_HOST:$REGISTRY_PORT/v2/_catalog

Install Rancher MCM

# create namespaces
kubectl create ns cert-manager
kubectl create ns cattle-system

# install cert-manager
kubectl apply -f cert-manager.crds.yaml
tar xvf helm-v3.5.0-linux-amd64.tar.gz
linux-amd64/helm upgrade --install cert-manager cert-manager-v1.0.4.tgz --namespace cert-manager --version v1.0.4 --set cainjector.image.repository="$REGISTRY_HOST:$REGISTRY_PORT/jetstack/cert-manager-cainjector" --set image.repository="$REGISTRY_HOST:$REGISTRY_PORT/jetstack/cert-manager-controller" --set webhook.image.repository="$REGISTRY_HOST:$REGISTRY_PORT/jetstack/cert-manager-webhook"
kubectl wait --for=condition=available --timeout=600s deployment/cert-manager -n cert-manager
kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-cainjector -n cert-manager
kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook -n cert-manager

## install rancher
linux-amd64/helm upgrade \
--install rancher rancher-2.5.5.tgz \
--namespace cattle-system \
--set hostname=$RANCHER_INGRESS_HOSTNAME \
--set systemDefaultRegistry="$REGISTRY_HOST:$REGISTRY_PORT" \
--set useBundledSystemChart=true
kubectl wait --for=condition=available --timeout=600s deployment/rancher -n cattle-system

Collect configuration for additional nodes

Collect things that need to be sent to all additional nodes. This bundle contains the cluster join token (node-token) and the registry's private key, so treat it as a secret in transit and delete it from each node once the install is done.

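# make directory for items to send to all additional nodes.
# config.yaml will hold the cluster join token and reg_certs the registry's
# private key, so keep the bundle readable by root only.
mkdir -m 0700 add_node_reqs

# copy the current config and add a few extra parameters
cp /etc/rancher/rke2/config.yaml add_node_reqs/config.yaml
echo "server: https://$FIRST_SERVER_NODE_IP:9345" >> add_node_reqs/config.yaml
echo "system-default-registry: $REGISTRY_HOST:$REGISTRY_PORT" >> add_node_reqs/config.yaml
# node-token is the shared secret that lets a machine join this cluster
echo "token: $(cat /var/lib/rancher/rke2/server/node-token)" >> add_node_reqs/config.yaml
chmod 0600 add_node_reqs/config.yaml

# make a hosts config file if needed
touch add_node_reqs/hosts_config
echo "$REGISTRY_IP $REGISTRY_HOST" >> add_node_reqs/hosts_config

# copy current registry config
cp /etc/rancher/rke2/registries.yaml add_node_reqs
mkdir -p add_node_reqs/reg_certs
cp /var/lib/rancher/hostPaths/registry/certs/server.crt add_node_reqs/reg_certs
# NOTE(review): nodes only need ca.pem to trust the registry. server.key is
# copied because a registries.yaml that lists it as key_file would otherwise
# fail on the node; if yours does not reference it, drop this copy.
cp /var/lib/rancher/hostPaths/registry/certs/server.key add_node_reqs/reg_certs
chmod 0600 add_node_reqs/reg_certs/server.key
cp /var/lib/rancher/hostPaths/registry/certs/ca.pem add_node_reqs/reg_certs

# copy in some RPM deps
cp rke_rpm_deps.tar.gz add_node_reqs/
cp tar-1.30-5.el8.x86_64.rpm add_node_reqs/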

copy files to additional nodes

scp -r add_node_reqs admin@centos-8-1.tomatodamato.com:/home/admin

configure all additional nodes

ssh to new node

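cd add_node_reqs

if [ "$(id -u)" -ne 0 ] ; then sudo -s; fi
# firewalld off and SELinux permissive mirror the first server; both are
# security regressions accepted for simplicity in a lab
systemctl stop firewalld && systemctl disable firewalld

sed -i 's/=enforcing/=permissive/g' /etc/selinux/config
setenforce 0

cat hosts_config  >> /etc/hosts

rpm -i tar-1.30-5.el8.x86_64.rpm

mkdir -p /etc/rancher/rke2
# config.yaml carries the cluster join token - keep it root-only
cp config.yaml /etc/rancher/rke2/config.yaml
chmod 0600 /etc/rancher/rke2/config.yaml
cp registries.yaml /etc/rancher/rke2/registries.yaml

mkdir -p /var/lib/rancher/hostPaths/registry/certs
cp reg_certs/server.crt /var/lib/rancher/hostPaths/registry/certs/server.crt
# the registry's private key; only ca.pem is required for trust, so this can
# go once registries.yaml stops referencing it as key_file
cp reg_certs/server.key /var/lib/rancher/hostPaths/registry/certs/server.key
chmod 0600 /var/lib/rancher/hostPaths/registry/certs/server.key
cp reg_certs/ca.pem /var/lib/rancher/hostPaths/registry/certs/ca.pem

# trust the registry CA system-wide (curl etc.); containerd trusts it through
# the ca_file in registries.yaml
cp /var/lib/rancher/hostPaths/registry/certs/ca.pem /etc/pki/ca-trust/source/anchors/registryca.crt
update-ca-trust

mkdir -p /var/lib/rancher/yum_repos
tar xzf rke_rpm_deps.tar.gz -C /var/lib/rancher/yum_repos
# gpgcheck=0: RPM signatures are not verified on this node; the packages were
# fetched through a gpgcheck=1 repo on the online side, but --downloadonly
# does not install, so nothing is known to have checked them. Import the
# Rancher and distro keys and set gpgcheck=1 to close that gap.
cat > /etc/yum.repos.d/rke_rpm_deps.repo <<EOF
[rke_rpm_deps]
name=rke_rpm_deps
baseurl=file:///var/lib/rancher/yum_repos/rke_rpm_deps
enabled=0
gpgcheck=0
EOF

# rke2-server joins this machine as an additional control-plane node; the
# bundle also carries rke2-agent for worker-only nodes
yum install -y --disablerepo=* --enablerepo="rke_rpm_deps" rke2-server

systemctl start rke2-server
systemctl enable rke2-server
journalctl -u rke2-server -f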
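#!/bin/bash
# registry_image_load.sh - pull every image needed by rke2, Rancher and
# cert-manager, retag each one for the temporary registry and push it there.
# Meant to run inside the centos:8 helper container with the host docker
# socket mounted and host networking (so 127.0.0.1:5443 is the temp registry).
#
# Arguments:
#   $1 - registry host:port to push into (default 127.0.0.1:5443)
#   $2 - rke2 release tag whose image list to use (default v1.19.7+rke2r1)
set -euo pipefail
mkdir -p temp_dir
cd temp_dir
REGISTRY_HOSTNAME=${1:-"127.0.0.1:5443"}
CERT_MANAGER_VERSION="v1.0.4"
RKE2_VERSION=${2:-"v1.19.7+rke2r1"}
RANCHER_VERSION="v2.5.5"
yum update -y
yum install -y yum-utils
# docker CLI only - the daemon is the host's, reached via the mounted socket.
# NOTE(review): confirm the upstream docker-ce.repo file enables gpgcheck so
# the CLI package is signature-checked on install.
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce-cli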
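# parse_image_ref REF
# Split a fully-qualified image reference of the form
# <registry>/<repository path>/<name>:<tag> (as 'docker pull' prints it) into
# its parts, written to stdout as "<registry> <repository> <name:tag>".
# Returns 1 and prints nothing when REF does not have that shape (e.g. an
# untagged or digest reference), so callers can fail loudly instead of
# reusing values from a previous image.
parse_image_ref() {
  local ref=$1
  local image_regex='^([a-zA-Z0-9\.-]+)\/([\/0-9a-zA-Z-]+)\/([a-zA-Z0-9.-]+\:[a-zA-Z0-9\.-]+)$'
  [[ "$ref" =~ $image_regex ]] || return 1
  printf '%s %s %s\n' "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}" "${BASH_REMATCH[3]}"
}

# download_images_from_list FILE
# For every image reference in FILE (one per line, blank lines skipped): pull
# it (up to 5 attempts, 20s apart, to ride out registry rate limits), retag it
# under $REGISTRY_HOSTNAME keeping the repository path and name:tag, and push
# it. Exits the whole script on a pull failure or on a reference the parser
# does not understand - the original silently pushed whatever the previous
# iteration had parsed in that case.
download_images_from_list() {
  local list_file=$1
  local listimage pull_output image parsed error attempt image_repository image_name
  while IFS= read -r listimage || [[ -n "$listimage" ]]; do
    [[ -z "$listimage" ]] && continue
    echo "pulling $listimage"
    error=0
    # try pulling 5 times with a sleep between attempts
    for attempt in {1..5}; do
      [[ "$attempt" -gt 1 ]] && sleep 20
      if pull_output=$(docker pull "${listimage}" 2>&1); then
        error=0
        break
      else
        error=$?
        echo "error pulling ${listimage} retrying $attempt"
      fi
    done
    # if all 5 pulls failed, exit and show which image couldn't be pulled
    if [[ "$error" -ne 0 ]]; then
      echo "failed to pull image ${listimage} with error: $pull_output" >&2
      echo "error code $error" >&2
      exit "$error"
    fi
    # docker pull's last output line is the fully-qualified reference
    image=${pull_output##*$'\n'}
    echo "pulled $image"
    if ! parsed=$(parse_image_ref "$image"); then
      echo "cannot parse image reference '$image' (expected registry/repo/name:tag)" >&2
      exit 1
    fi
    read -r _ image_repository image_name <<<"$parsed"
    docker tag "${image}" "${REGISTRY_HOSTNAME}/${image_repository}/${image_name}"
    docker push "${REGISTRY_HOSTNAME}/${image_repository}/${image_name}"
  done < "$list_file"
}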
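# Pull any extra images from this list
cat > additional-images.txt <<EOF
quay.io/jetstack/cert-manager-cainjector:$CERT_MANAGER_VERSION
quay.io/jetstack/cert-manager-controller:$CERT_MANAGER_VERSION
quay.io/jetstack/cert-manager-webhook:$CERT_MANAGER_VERSION
EOF
download_images_from_list additional-images.txt
# Download Rancher images. -f: fail on HTTP errors instead of handing an HTML
# error page to the image loop as if it were the list.
# NOTE(review): the image lists themselves are not integrity-checked; a
# tampered list silently changes which images end up in the airgap bundle.
curl -fsSLO "https://github.com/rancher/rancher/releases/download/${RANCHER_VERSION}/rancher-images.txt"
download_images_from_list rancher-images.txt
# Download RKE Images
curl -fsSLO "https://github.com/rancher/rke2/releases/download/${RKE2_VERSION}/rke2-images.linux-amd64.txt"
download_images_from_list rke2-images.linux-amd64.txt
cd ../
rm -rf temp_dir
# directly pull and tar some images: registry.tar is imported into containerd
# on the offline side to bootstrap the in-cluster registry
docker pull docker.io/library/registry:2
docker save docker.io/library/registry:2 -o registry.tar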
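# In-cluster image registry backed by the blob store shipped from the online
# side (hostPath /var/lib/rancher/hostPaths/registry/db). The hostPath with
# type: Directory ties the pod to a node that has that directory; on a
# multi-node cluster add a nodeSelector or the pod cannot start elsewhere.
#
# Two containers share the same blob store:
#   registry          - TLS on 443 with cert/key from the registry-certificates
#                       secret; the endpoint registries.yaml and the helm
#                       values point at (NodePort 30500).
#   registry-insecure - plain HTTP on 5000 over a read-only mount (NodePort
#                       30501). No TLS, and like the TLS one no authentication:
#                       anything that can reach the node can list and pull
#                       every image. Keep 30501 off reachable networks, or
#                       drop the container if nothing needs it.
# Pushes to 30500 are open to any client that trusts (or skips verifying) the
# certificate, since no auth is configured.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
  labels:
    app: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      volumes:
        - name: registry-data
          hostPath:
            path: /var/lib/rancher/hostPaths/registry/db
            type: Directory
        - name: registry-certificates
          secret:
            secretName: registry-certificates
      containers:
        - name: registry
          image: docker.io/library/registry:2
          env:
            - name: REGISTRY_HTTP_TLS_CERTIFICATE
              value: "/certs/cert"
            - name: REGISTRY_HTTP_TLS_KEY
              value: "/certs/key"
            - name: REGISTRY_HTTP_ADDR
              value: "0.0.0.0:443"
          ports:
            - containerPort: 443
          volumeMounts:
            - name: registry-data
              mountPath: /var/lib/registry
            - name: registry-certificates
              mountPath: /certs
              readOnly: true
        - name: registry-insecure
          image: docker.io/library/registry:2
          env:
            - name: REGISTRY_HTTP_ADDR
              value: "0.0.0.0:5000"
          ports:
            - containerPort: 5000
          # read-only: this side can only serve pulls; the certificate secret
          # is not mounted here because plain HTTP never uses it
          volumeMounts:
            - name: registry-data
              mountPath: /var/lib/registry
              readOnly: true
---
apiVersion: v1
kind: Service
metadata:
  name: registry-svc
spec:
  type: NodePort
  selector:
    app: registry
  ports:
    - port: 443
      targetPort: 443
      nodePort: 30500
---
# plain-HTTP, unauthenticated exposure of the same blob store (see header)
apiVersion: v1
kind: Service
metadata:
  name: registry-svc-insecure
spec:
  type: NodePort
  selector:
    app: registry
  ports:
    - port: 5000
      targetPort: 5000
      nodePort: 30501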
#!/bin/bash
set -e
BASE_DIRECTORY=${1:-"registry_data"}
REGISTRY_IP=${2:-"127.0.0.1"}
REGISTRY_HOST=${3:-"localhost"}
CA_SUBJ_INPUT=${4:-"/C=US/ST=Virgina/L=Alexandria/O=MDD-RFed/OU=Engineering/CN=registry-ca"}
REGISTRY_SUBJ_INPUT=${5:-"/C=US/ST=Virgina/L=Alexandria/O=MDD-RFed/OU=Engineering/CN=registry-ca"}
mkdir -p $BASE_DIRECTORY/certs
mkdir -p $BASE_DIRECTORY/db
rm -f $BASE_DIRECTORY/certs/*
openssl genrsa -out $BASE_DIRECTORY/certs/ca.key 2048
openssl req -x509 -new -nodes \
-key $BASE_DIRECTORY/certs/ca.key \
-sha256 -days 1095 \
-out $BASE_DIRECTORY/certs/ca.pem \
-subj $CA_SUBJ_INPUT
openssl genrsa -out $BASE_DIRECTORY/certs/server.key 2048
openssl req -new \
-key $BASE_DIRECTORY/certs/server.key \
-out $BASE_DIRECTORY/certs/server.csr \
-subj $REGISTRY_SUBJ_INPUT
cat > $BASE_DIRECTORY/certs/server.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = $REGISTRY_IP
DNS.1 = $REGISTRY_HOST
EOF
openssl x509 -req \
-in $BASE_DIRECTORY/certs/server.csr \
-CA $BASE_DIRECTORY/certs/ca.pem \
-CAkey $BASE_DIRECTORY/certs/ca.key \
-CAcreateserial \
-out $BASE_DIRECTORY/certs/server.crt \
-days 1095 -sha256 \
-extfile $BASE_DIRECTORY/certs/server.ext