From 434aa34efa9916e8666c2ccb086f0f150390798e Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Thu, 12 Apr 2018 17:01:50 -0400
Subject: [PATCH] Lists what hostnames and IPs are needed for custom certificates followup
---
 .../deploy_registry_existing_clusters.adoc | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
diff --git a/install_config/registry/deploy_registry_existing_clusters.adoc b/install_config/registry/deploy_registry_existing_clusters.adoc
index 2786da7df2b7..7a3924c44101 100644
--- a/install_config/registry/deploy_registry_existing_clusters.adoc
+++ b/install_config/registry/deploy_registry_existing_clusters.adoc
@@ -381,6 +381,52 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
 -----END PRIVATE KEY-----
 ----
 +
+- The secured registry should contain the following Subject Alternative Names (SAN) list:
++
+* Two service hostnames.
++
+For example:
++
+----
+docker-registry.default.svc.cluster.local
+docker-registry.default.svc
+----
++
+* Service IP address.
++
+For example:
++
+----
+172.30.124.220
+----
++
+Use the following command to get the Docker registry service IP address:
++
+----
+oc get service docker-registry --template='{{.spec.clusterIP}}'
+----
++
+* Public hostname.
++
+For example:
++
+----
+docker-registry-default.apps.example.com
+----
++
+Use the following command to get the Docker registry public hostname:
++
+----
+oc get route docker-registry --template '{{.spec.host}}'
+----
++
+For example, the server certificate should contain SAN details similar to the following:
++
+----
+X509v3 Subject Alternative Name:
+ DNS:docker-registry-public.openshift.com, DNS:docker-registry.default.svc, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.2.98, IP Address:172.30.2.98
+----
++
 The registry console loads a certificate from the *_/etc/cockpit/ws-certs.d_* directory.
 It uses the last file with a *_.cert_* extension in alphabetical order.
 Therefore, the *_.cert_* file should contain at least two PEM blocks formatted in the OpenSSL style.