TLS config test for irel
#!/bin/bash
# Abort the whole run as soon as any simple command returns non-zero; the
# test scenarios below rely on this to turn an unexpected failure into a
# non-zero script exit status.
set -o errexit
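#######################################
# Tear down everything 'setup' created: the throwaway CA and registry key
# material in the current directory, the two registry containers, and the
# loopback aliases appended to /etc/hosts.
# Globals:   EUID (read)
# Arguments: none
# Outputs:   diagnostics to stdout/stderr
# Returns:   0; exits 1 when not run as root (needed to edit /etc/hosts)
#######################################
cleanup() {
  if [[ "$EUID" -ne 0 ]]; then
    echo "Must run as root to be able to update /etc/hosts"
    exit 1
  fi
  local -a artifacts=(
    ca1.crt ca1.key ca1.srl registry1.key registry1.crt registry1.csr
    ca2.crt ca2.key ca2.srl registry2.key registry2.crt registry2.csr
  )
  rm -f -- "${artifacts[@]}"
  # The containers are started with --rm, so killing them also removes them.
  # They may not exist (e.g. cleanup before the first setup), so ignore errors.
  docker kill registry1 || true
  docker kill registry2 || true
  # The attached-suffix form '-i.bak' is accepted by both GNU and BSD/macOS sed.
  # The original "-i ''" is BSD-only: GNU sed treats '' as a file name and fails,
  # which left the my-registry-* aliases in /etc/hosts on Linux.
  if sed -i.bak '/^127\.0\.0\.1 my-registry-.$/d' /etc/hosts; then
    rm -f -- /etc/hosts.bak
  else
    echo "warning: could not remove my-registry-* aliases from /etc/hosts" >&2
  fi
}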
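#######################################
# Run one scenario that must succeed.
# Arguments: $1 - human-readable description; remaining args - command to run
# Outputs:   description and PASSED to stdout
# Returns:   0 on success; set -e aborts the script if the command fails
#######################################
expect_success() {
  local description=$1
  shift
  printf '\n%s\n' "$description"
  "$@"
  echo "PASSED"
}

#######################################
# Run one scenario that must fail (e.g. a TLS verification error).
# Arguments: $1 - human-readable description; remaining args - command to run
# Outputs:   description and PASSED to stdout; FAILED to stderr
# Returns:   0 if the command fails as expected; exits 1 if it succeeds
#######################################
expect_failure() {
  local description=$1
  shift
  printf '\n%s\n' "$description"
  # Running the command as an 'if' condition keeps set -e from aborting on the
  # expected non-zero status; only an unexpected success is an error.
  if "$@"; then
    echo "FAILED: command succeeded but was expected to fail" >&2
    exit 1
  fi
  echo "PASSED"
}

# Image used for all copy scenarios and its locations on the two registries.
readonly public_image=gcr.io/distroless/static
readonly reg1_image=my-registry-1:5000/distroless/static
readonly reg2_image=my-registry-2:5001/distroless/static

case "$1" in
  setup)
    cleanup
    # Generate two independent self-signed CAs, one per registry, so that
    # trusting ca1 must not implicitly make registry2 trusted.
    openssl req -newkey rsa:2048 -nodes -keyout ca1.key -x509 -days 365 \
      -subj '/CN=ca1/O=ACME/C=XY' -out ca1.crt
    openssl req -newkey rsa:2048 -nodes -keyout ca2.key -x509 -days 365 \
      -subj '/CN=ca2/O=ACME/C=XY' -out ca2.crt
    # Generate one CSR per registry; the CN must match the /etc/hosts alias
    # the client connects to.
    openssl req -new -newkey rsa:2048 -nodes -keyout registry1.key \
      -subj "/C=XY/O=ACME/CN=my-registry-1" -out registry1.csr
    openssl req -new -newkey rsa:2048 -nodes -keyout registry2.key \
      -subj "/C=XY/O=ACME/CN=my-registry-2" -out registry2.csr
    # Sign each CSR with its own CA.
    openssl x509 -req -in registry1.csr -CA ca1.crt -CAkey ca1.key \
      -CAcreateserial -out registry1.crt -days 500 -sha256
    openssl x509 -req -in registry2.csr -CA ca2.crt -CAkey ca2.key \
      -CAcreateserial -out registry2.crt -days 500 -sha256
    # Run two private registries. The working directory is mounted read-only:
    # the registry only reads its cert/key, and the directory also holds the
    # CA private keys. The mount path is quoted so paths with spaces work.
    docker run --rm -d -p 5000:5000 --name registry1 \
      -e REGISTRY_HTTP_HOST=https://my-registry-1:5000 \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry1.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/registry1.key \
      -v "$PWD:/certs:ro" registry:2
    docker run --rm -d -p 5001:5000 --name registry2 \
      -e REGISTRY_HTTP_HOST=https://my-registry-2:5001 \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry2.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/registry2.key \
      -v "$PWD:/certs:ro" registry:2
    # Add loopback aliases so the registry hostnames match the certificate CNs.
    printf '127.0.0.1 my-registry-1\n' >> /etc/hosts
    printf '127.0.0.1 my-registry-2\n' >> /etc/hosts
    ;;
  cleanup)
    cleanup
    ;;
  test)
    expect_failure "try to copy to private registry without specifying path to CA cert, should fail" \
      irel copy "$public_image" "$reg1_image"
    expect_success "try to copy to private registry with specifying CA cert path, should succeed" \
      irel --ca-cert-path ca1.crt copy "$public_image" "$reg1_image"
    expect_success "try to copy to private registry without cert verification, should succeed" \
      irel --skip-tls-verify copy "$public_image" "$reg1_image"
    expect_failure "try to copy from/to private registry without specifying path to CA cert for either the source nor the target registry, should fail" \
      irel copy "$reg1_image" "$reg2_image"
    expect_failure "try to copy from/to private registry with specifying path to CA cert for the source but not the target registry, should fail" \
      irel --ca-cert-path ca1.crt copy "$reg1_image" "$reg2_image"
    expect_success "try to copy from/to private registry with specifying path to CA certs for both the source and the target registry, should succeed" \
      irel --ca-cert-path ca1.crt --ca-cert-path ca2.crt copy "$reg1_image" "$reg2_image"
    expect_success "try to copy from/to private registry with specifying path to CA certs for both the source and the target registry as a comma-separated list, should succeed" \
      irel --ca-cert-path ca1.crt,ca2.crt copy "$reg1_image" "$reg2_image"
    expect_success "try to copy from/to private registry without cert verification, should succeed" \
      irel --skip-tls-verify copy "$reg1_image" "$reg2_image"
    ;;
  *)
    printf 'Usage: %s {setup|test|cleanup}\n' "$0" >&2
    exit 1
    ;;
esac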