This repository assumes that you plan to deploy an external registry, where you will sign all container images in the registry with your own GPG key. This may be used for an offline installation, where this registry holds all of the container images necessary for installation. Alternatively, it may simply be used for custom images.
Additionally, this repo assumes that the registry server is used as the control node. This can easily be changed, but that is how the roles are currently written.
Verify that the vars are correct by overriding them or changing the default values, e.g. change the domain name for the registry. The registry must also be defined in the Ansible hosts file.
Pull down the code.
git clone -b $BRANCH https://github.com/chopskxw/openshift-container-signing.git [$WORKING_DIR]
Then run the playbook as follows, or as appropriate for your environment.
ansible-playbook openshift-container-signing.yml
curl -X GET http://registry.example.com:5000/v2/_catalog
curl -X GET http://registry.example.com:5000/v2/rhscl/postgresql-96-rhel7/tags/list
Since we have configured the playbook to generate and store the private key in root's keyring, we will need to run the following as root or with sudo.
skopeo copy --sign-by testing@example.com --src-tls-verify=false --dest-tls-verify=false \
docker://registry.example.com:5000/rhscl/postgresql-96-rhel7:1-32 \
docker://registry.example.com:5000/rhscl/postgresql-96-rhel7:signed
Or, if pulling from Red Hat:
skopeo copy --remove-signatures --sign-by testing@example.com --dest-tls-verify=false \
docker://registry.redhat.io/rhel7/etcd \
docker://registry.example.com:5000/signed/etcd
skopeo inspect --tls-verify=false \
docker://registry.example.com:5000/rhscl/postgresql-96-rhel7:signed | grep Digest
ll /var/lib/atomic/sigstore/rhscl/
curl http://registry.example.com/sigstore/rhscl/
atomic pull registry.example.com:5000/rhscl/postgresql-96-rhel7:1-32 #should fail
atomic pull registry.example.com:5000/rhscl/postgresql-96-rhel7:signed #should successfully pull
oc new-project signed-images
oc new-app --insecure-registry=true \
--docker-image=registry.example.com:5000/rhscl/postgresql-96-rhel7:1-32 --name=signed-pgsql
Use this to clean up cached images on nodes. This will ensure that all policies are adhered to, since a node will otherwise run a cached image without re-checking its signature.
docker rmi $(docker images --filter "dangling=true" -q --no-trunc)
If the cluster is online, the following commands will set up policies for online registries. The Red Hat registries can be configured for signature verification against the Red Hat release key.
docker.io:
ansible nodes -m command -a "atomic --assumeyes trust add docker.io --type insecureAcceptAnything"
registry.access.redhat.com:
ansible nodes -m command -a "atomic --assumeyes trust add --sigstoretype web \
--sigstore https://access.redhat.com/webassets/docker/content/sigstore \
--pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com"
registry.redhat.io:
ansible nodes -m command -a "atomic --assumeyes trust add --sigstoretype web \
--sigstore https://access.redhat.com/webassets/docker/content/sigstore \
--pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.redhat.io"
This may be helpful if you are troubleshooting or need to pull in something that is not signed for local testing on a host. Note that it sets the default policy on every node to accept unsigned images from any registry.
ansible nodes -m command -a "atomic --assumeyes trust default accept"
The same command can be used, swapping accept for reject, to reapply the default reject policy.
ansible nodes -m command -a "atomic --assumeyes trust default reject"
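As a defender's check on the trust configuration that the atomic trust commands above write to /etc/containers/policy.json, here is an added example (not part of this repository) that audits a policy for a default that is not reject, scopes left at insecureAcceptAnything, and signedBy entries with no key file. The two sample policies, the key path under /etc/pki/containers, and the function name are constructed for illustration.

```python
import json

# Constructed sample of policy.json as left by `trust default accept` plus the
# docker.io insecureAcceptAnything scope shown above (hypothetical content).
WEAK_POLICY = json.dumps({
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker": {
        "docker.io": [{"type": "insecureAcceptAnything"}],
        "registry.example.com:5000": [
            {"type": "signedBy", "keyType": "GPGKeys",
             "keyPath": "/etc/pki/containers/testing@example.com.gpg"}],
    }},
})

# Hardened shape: reject by default, every allowed scope requires a signature.
HARDENED_POLICY = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {"docker": {
        "registry.example.com:5000": [
            {"type": "signedBy", "keyType": "GPGKeys",
             "keyPath": "/etc/pki/containers/testing@example.com.gpg"}],
        "registry.redhat.io": [
            {"type": "signedBy", "keyType": "GPGKeys",
             "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
    }},
})


def audit_policy(policy_text):
    """Return a list of findings for a policy.json document.

    An empty list means the default is reject and every docker scope
    requires a GPG signature with a key file configured."""
    policy = json.loads(policy_text)
    findings = []
    if not any(r.get("type") == "reject" for r in policy.get("default", [])):
        findings.append("default: not reject (unlisted registries are accepted)")
    for scope, reqs in policy.get("transports", {}).get("docker", {}).items():
        for req in reqs:
            if req.get("type") == "insecureAcceptAnything":
                findings.append(f"{scope}: insecureAcceptAnything (signatures not checked)")
            elif req.get("type") == "signedBy" and not req.get("keyPath"):
                findings.append(f"{scope}: signedBy without keyPath")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(text) or ["OK"])
```

To run it against a node, replace the constructed samples with the contents of /etc/containers/policy.json read from that host.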
The contents of this repo were originally authored by Ryan Bontreger bontreger@redhat.com, then later modified by Roy Williams roywilliams@redhat.com.