TLS config test for irel
#!/bin/bash
# TLS configuration test for irel against two local Docker registries.
#
# Usage: <this script> {setup|test|cleanup}
#   setup   - create two self-signed CAs plus one registry cert per CA, start
#             two registry:2 containers (host ports 5000 and 5001), and add
#             loopback aliases my-registry-1 / my-registry-2 to /etc/hosts
#   test    - run `irel copy` with and without --ca-cert-path / --skip-tls-verify
#             and check that verification fails or succeeds as expected
#   cleanup - delete the generated key material, kill both registries, and
#             remove the /etc/hosts aliases
#
# setup and cleanup must run as root (they edit /etc/hosts); docker, openssl
# and irel must be on PATH.
# Abort on the first failing command. The "should fail" checks in the test
# case rely on this: `cmd && false` exits the script when cmd unexpectedly
# succeeds.
set -e
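#######################################
# Undo everything `setup` created: generated CA and registry key material,
# the two registry containers, and the loopback aliases in /etc/hosts.
# Globals:   EUID (read)
# Arguments: none
# Outputs:   diagnostic on stderr when not running as root
# Returns:   exits 1 when not root; otherwise 0 (each step is best-effort so
#            cleanup also works on a partially set-up machine)
#######################################
cleanup() {
  if [[ "$EUID" -ne 0 ]]; then
    echo "Must run as root to be able to update /etc/hosts" >&2
    exit 1
  fi
  # private keys (ca*.key, registry*.key) are included here so that no key
  # material is left behind after the test run
  rm -f ca1.crt ca1.key ca1.srl registry1.key registry1.crt registry1.csr
  rm -f ca2.crt ca2.key ca2.srl registry2.key registry2.crt registry2.csr
  # the containers may not exist yet (first setup), so ignore kill failures
  docker kill registry1 || true
  docker kill registry2 || true
  # Drop the "127.0.0.1 my-registry-N" aliases. Filtering through a temp file
  # instead of `sed -i` avoids the GNU/BSD incompatibility of the -i suffix
  # argument (`sed -i ''` is BSD-only; on GNU sed it fails and the alias lines
  # would silently remain). grep -v exits 1 when no line is kept and >1 on a
  # read error; only overwrite /etc/hosts in the first two cases so a
  # read failure never truncates the file.
  local hosts_tmp rc=0
  hosts_tmp=$(mktemp) || return 1
  grep -v '^127\.0\.0\.1 my-registry-.$' /etc/hosts > "$hosts_tmp" || rc=$?
  if (( rc <= 1 )); then
    cat "$hosts_tmp" > /etc/hosts || true
  fi
  rm -f -- "$hosts_tmp"
}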
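#######################################
# Create the test fixtures: two self-signed CAs, one server cert per
# registry (each signed by a different CA), two registry:2 containers
# serving TLS with those certs, and /etc/hosts aliases for them.
# Globals:   none
# Arguments: none
# Outputs:   openssl/docker output on stdout/stderr
# Returns:   0 on success; aborts via `set -e` on the first failing step
#######################################
setup() {
  cleanup
  # generate self-signed CA certs
  openssl req -newkey rsa:2048 -nodes -keyout ca1.key -x509 -days 365 -subj '/CN=ca1/O=ACME/C=XY' -out ca1.crt
  openssl req -newkey rsa:2048 -nodes -keyout ca2.key -x509 -days 365 -subj '/CN=ca2/O=ACME/C=XY' -out ca2.crt
  # generate registry CSRs; the CN must match the /etc/hosts alias the client
  # dials, otherwise hostname verification fails even with the right CA
  openssl req -new -newkey rsa:2048 -nodes -keyout registry1.key -subj "/C=XY/O=ACME/CN=my-registry-1" -out registry1.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout registry2.key -subj "/C=XY/O=ACME/CN=my-registry-2" -out registry2.csr
  # sign each CSR with its own CA, so a client trusting only ca1 must reject
  # registry2 (this is what the "source but not target" test depends on)
  openssl x509 -req -in registry1.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial -out registry1.crt -days 500 -sha256
  openssl x509 -req -in registry2.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial -out registry2.crt -days 500 -sha256
  # run two private registries. The working directory (which also holds the
  # CA private keys) is mounted read-only: the registry only reads its own
  # cert/key from it. Quoted so a cwd containing spaces does not break the mount.
  local certs_dir
  certs_dir=$(pwd)
  docker run --rm -d -p 5000:5000 --name registry1 -e REGISTRY_HTTP_HOST=https://my-registry-1:5000 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry1.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry1.key -v "${certs_dir}:/certs:ro" registry:2
  docker run --rm -d -p 5001:5000 --name registry2 -e REGISTRY_HTTP_HOST=https://my-registry-2:5001 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry2.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry2.key -v "${certs_dir}:/certs:ro" registry:2
  # add registry aliases for loopback in /etc/hosts (removed again by cleanup)
  echo "127.0.0.1 my-registry-1" >> /etc/hosts
  echo "127.0.0.1 my-registry-2" >> /etc/hosts
}

#######################################
# Run a command that is expected to fail and abort the script if it succeeds.
# Replaces the bare `cmd && false` idiom, which relied on `set -e` and gave
# no diagnostic about which expectation was violated.
# Arguments: the command and its arguments
# Outputs:   diagnostic on stderr when the command unexpectedly succeeds
# Returns:   0 when the command failed as expected; exits 1 otherwise
#######################################
expect_failure() {
  if "$@"; then
    echo "FAILED: command succeeded but was expected to fail: $*" >&2
    exit 1
  fi
}

#######################################
# Exercise irel's TLS trust handling against the registries set up by `setup`.
# Each check prints its description, then PASSED; any unexpected outcome
# aborts the script (via `set -e` or expect_failure).
# Globals:   none
# Arguments: none
# Returns:   0 when every check passes
#######################################
run_tests() {
  printf "\ntry to copy to private registry without specifying path to CA cert, should fail"
  expect_failure irel copy gcr.io/distroless/static my-registry-1:5000/distroless/static
  echo "PASSED"
  printf "\ntry to copy to private registry with specifying CA cert path, should succeed"
  irel --ca-cert-path ca1.crt copy gcr.io/distroless/static my-registry-1:5000/distroless/static
  echo "PASSED"
  # --skip-tls-verify disables server certificate verification entirely; this
  # check only confirms the flag takes effect
  printf "\ntry to copy to private registry without cert verification, should succeed"
  irel --skip-tls-verify copy gcr.io/distroless/static my-registry-1:5000/distroless/static
  echo "PASSED"
  printf "\ntry to copy from/to private registry without specifying path to CA cert for either the source nor the target registry, should fail"
  expect_failure irel copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static
  echo "PASSED"
  # trusting ca1 alone must not be enough: registry2's cert chains to ca2
  printf "\ntry to copy from/to private registry with specifying path to CA cert for the source but not the target registry, should fail"
  expect_failure irel --ca-cert-path ca1.crt copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static
  echo "PASSED"
  # two ways of passing multiple CA certs: repeated flag, and comma-separated list
  printf "\ntry to copy from/to private registry with specifying path to CA certs for both the source and the target registry, should succeed"
  irel --ca-cert-path ca1.crt --ca-cert-path ca2.crt copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static
  echo "PASSED"
  printf "\ntry to copy from/to private registry with specifying path to CA certs for both the source and the target registry as a comma-separated list, should succeed"
  irel --ca-cert-path ca1.crt,ca2.crt copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static
  echo "PASSED"
  printf "\ntry to copy from/to private registry without cert verification, should succeed"
  irel --skip-tls-verify copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static
  echo "PASSED"
}

# Dispatch on the single sub-command argument.
case "$1" in
  setup)
    setup
    ;;
  cleanup)
    cleanup
    ;;
  test)
    run_tests
    ;;
  *)
    # usage is a diagnostic, so it goes to stderr
    printf 'Usage: %s {setup|test|cleanup}\n' "$0" >&2
    exit 1
    ;;
esac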