Importing Registry CA Certificate Instead of Leaving Insecure

Mindwatering Incorporated

Author: Tripp W Black

Created: 07/04 at 03:17 PM


Category:
RH OpenShift
Reference

Task:

For a production cluster, import the registry's root CA so the cluster can validate the TLS certificate presented by the internal or external registry. With the CA trusted, the registry no longer has to be marked insecure (the insecure-registry flag).

Notes:
- Registry URL: registry.mindwatering.net:5000
- Transfer folder: /users/myadminid/tmp/
- The browser steps for downloading the certificate are kept generic, since the dialogs differ between browsers

Steps:
1. Using a web browser, download the root CA as a .crt file and transfer it to one of the OCP nodes:
a. Download:
- registry.mindwatering.net:5000 --> browser TLS lock icon --> Certificate details dialog --> Save root certificate as .crt file

b. Transfer the file to the node via SCP, Filezilla, etc.
e.g. ~/tmp/registry-mindwatering-net-ca.crt (the same file referenced by its full path in step 2b)


2. Import into OCP via a ConfigMap:
a. SSH into an OCP node

b. Create the ConfigMap (a ConfigMap key may only contain letters, digits, '.', '-' and '_', so the ':' before the registry port is written as '..'; a key containing ':' is rejected by the API):
$ oc create configmap registry-mindwatering-net-ca --from-file=registry.mindwatering.net..5000=/users/myadminid/tmp/registry-mindwatering-net-ca.crt -n openshift-config
<view/confirm>

c. Patch the cluster image configuration to reference (add) the new registry-mindwatering-net-ca ConfigMap:
$ oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"additionalTrustedCA":{"name":"registry-mindwatering-net-ca"}}}'
<view/confirm>

d. Wait for and monitor the Machine Config Operator (MCO) rollout of the new CA to the nodes:
$ oc get machineconfigpool -w
<watch/wait>
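The two-step import above, wrapped in a script as an added example (not part of the original note): it derives the ConfigMap key OpenShift expects for a registry address with a port, refuses a file that is not actually a CA certificate, and then runs the create/patch/confirm commands. It assumes oc is logged in as cluster-admin and openssl is installed; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original note. Assumes: oc logged in as
# cluster-admin, openssl available on the node.
set -eu

# ConfigMap keys may only contain [A-Za-z0-9._-], so a "host:port" registry
# address is written as "host..port" in the --from-file key.
registry_ca_key() {
  addr="$1"
  case "$addr" in
    *:*) printf '%s..%s\n' "${addr%%:*}" "${addr##*:}" ;;
    *)   printf '%s\n' "$addr" ;;
  esac
}

# A leaf certificate saved by mistake would be accepted into the ConfigMap but
# would never validate the registry chain; require a PEM cert with CA:TRUE.
check_ca_file() {
  file="$1"
  openssl x509 -in "$file" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

import_registry_ca() {
  addr="$1"; file="$2"; cm="$3"
  key="$(registry_ca_key "$addr")"
  check_ca_file "$file" || { echo "$file is not a CA certificate" >&2; return 1; }
  oc create configmap "$cm" --from-file="${key}=${file}" -n openshift-config
  oc patch image.config.openshift.io/cluster --type=merge \
    -p "{\"spec\":{\"additionalTrustedCA\":{\"name\":\"${cm}\"}}}"
  # Confirm the reference landed before watching the MCO roll it out.
  oc get image.config.openshift.io/cluster \
    -o jsonpath='{.spec.additionalTrustedCA.name}{"\n"}'
}

# Run with the values from the notes above: ./import-ca.sh run
if [ "${1:-}" = "run" ]; then
  import_registry_ca registry.mindwatering.net:5000 \
    /users/myadminid/tmp/registry-mindwatering-net-ca.crt \
    registry-mindwatering-net-ca
  oc get machineconfigpool -w
fi
```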

