From 8ed4dec68a2243433b038038dcea8638bee241e2 Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Mon, 2 Apr 2018 13:21:18 -0400
Subject: [PATCH 1/3] Including info on adding CN to SAN list
---
 .../deploy_registry_existing_clusters.adoc | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/install_config/registry/deploy_registry_existing_clusters.adoc b/install_config/registry/deploy_registry_existing_clusters.adoc
index 2786da7df2b7..82c589f27d4d 100644
--- a/install_config/registry/deploy_registry_existing_clusters.adoc
+++ b/install_config/registry/deploy_registry_existing_clusters.adoc
@@ -380,6 +380,34 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
 ...
 -----END PRIVATE KEY-----
 ----
+
+- The secured registry should contain the following Subject Alternative Names (SAN) list:
++
+* Two service hostnames:
++
+----
+docker-registry.default.svc.cluster.local
+docker-registry.default.svc
+----
++
+* service IP address. Use the following command to get the Docker registry service IP address:
++
+----
+oc get service docker-registry --template='{{.spec.clusterIP}}'
+----
++
+* public hostname. Use the following command to get the Docker registry public hostname:
++
+----
+oc get route docker-registry --template '{{.spec.host}}'
+----
++
+For example, the server certificate should contain SAN details similar to the following:
++
+----
+X509v3 Subject Alternative Name:
+ DNS:docker-registry-public.openshift.com, DNS:docker-registry.default.svc, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.2.98, IP Address:172.30.2.98
+----
 +
 The registry console loads a certificate from the *_/etc/cockpit/ws-certs.d_*
 directory. It uses the last file with a *_.cert_* extension in alphabetical
From fb9331740d70983d2cf0b85401a5a69b124bca64 Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Wed, 11 Apr 2018 12:24:42 -0400
Subject: [PATCH 2/3] edits per brice
---
 .../deploy_registry_existing_clusters.adoc | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/install_config/registry/deploy_registry_existing_clusters.adoc b/install_config/registry/deploy_registry_existing_clusters.adoc
index 82c589f27d4d..be511592bbb3 100644
--- a/install_config/registry/deploy_registry_existing_clusters.adoc
+++ b/install_config/registry/deploy_registry_existing_clusters.adoc
@@ -385,18 +385,36 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
 +
 * Two service hostnames:
 +
+For example:
++
 ----
 docker-registry.default.svc.cluster.local
 docker-registry.default.svc
 ----
 +
-* service IP address. Use the following command to get the Docker registry service IP address:
+* Service IP address.
++
+For example:
++
+----
+172.30.124.220
+----
++
+Use the following command to get the Docker registry service IP address:
 +
 ----
 oc get service docker-registry --template='{{.spec.clusterIP}}'
 ----
 +
-* public hostname. Use the following command to get the Docker registry public hostname:
+* Public hostname.
++
+For example:
++
+----
+mydocker-registry.example.com
+----
++
+Use the following command to get the Docker registry public hostname:
 +
 ----
 oc get route docker-registry --template '{{.spec.host}}'
From 5ee3ba83ab747d1a7e90aef1cd5d4c333752d5c2 Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Wed, 11 Apr 2018 13:39:51 -0400
Subject: [PATCH 3/3] edits per brice
---
 install_config/registry/deploy_registry_existing_clusters.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install_config/registry/deploy_registry_existing_clusters.adoc b/install_config/registry/deploy_registry_existing_clusters.adoc
index be511592bbb3..ece16bcd0c2b 100644
--- a/install_config/registry/deploy_registry_existing_clusters.adoc
+++ b/install_config/registry/deploy_registry_existing_clusters.adoc
@@ -411,7 +411,7 @@ oc get service docker-registry --template='{{.spec.clusterIP}}'
 For example:
 +
 ----
-mydocker-registry.example.com
+docker-registry-default.apps.example.com
 ----
 +
 Use the following command to get the Docker registry public hostname: