This repository has been archived by the owner on Sep 15, 2022. It is now read-only.
forked from docker-archive/docker-registry
generate certs if REGISTRY_TLS_VERIFY #31
Merged
Changes from 14 commits
18 commits
119a91a
generate certs if SECURE=ssl
proppy ddab20d
better entrypoint and symbolic links for certs
proppy 32b9bb4
run: generate separate server certs
proppy c92dfe3
run: update GUNICORN_OPTS and REGISTRY_TLS_VERIFY to match upstream c…
proppy 7b2e645
run: update default registry certs prefix
proppy d9966eb
run: fix ssl configuration
proppy 6dfe3eb
README: update ssl section
proppy ffa4032
README: line split
proppy bdf500b
run: fix alt name
proppy 2b0b153
run: empty subject remove port constraint
proppy cbabe98
run: simplify cert generation logic
proppy dc6ed4a
run: better CN and perm for keys
proppy 891f941
README: add ssl gunicorn flag in usage
proppy cc7a66b
README: add documentation for non default port and cert
proppy 806ee20
run: remove gunicorn debug
proppy 018e262
run: add alt hostname for boot2docker
proppy 4b3b9b6
run: change b2d env var to ALT_NAMES_
proppy 81c260b
run: prefix ALT_NAMES_ env vars with REGISTRY_
proppy
@@ -1,2 +1,2 @@ | ||
docker-registry-core==2.0.2 | ||
docker-registry-core==2.0.3 | ||
gcs-oauth2-boto-plugin==1.8 |
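Review bot: the `docker-registry-core==2.0.2` to `docker-registry-core==2.0.3` bump in this hunk is not mentioned anywhere in the pull request, whose title and commit messages are all about certificate generation; if the newer core release is required for the `REGISTRY_TLS_VERIFY` / `GUNICORN_OPTS` changes in the run script (commit c92dfe3 says those were updated "to match upstream"), say so in the description, otherwise split the dependency bump into its own commit so it can be reverted independently.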
@@ -1,4 +1,5 @@ | ||
#!/bin/bash | ||
set -e | ||
|
||
USAGE="docker run -e GCS_BUCKET=<YOUR_GCS_BUCKET_NAME> \ | ||
[-e GCP_ACCOUNT='<YOUR_EMAIL>' ] \ | ||
|
@@ -53,5 +54,39 @@ else | |
fi | ||
fi | ||
|
||
export GCS_BUCKET BOTO_PATH | ||
exec docker-registry $* | ||
if [ -n "${REGISTRY_TLS_VERIFY}" ] && [ -z "${GUNICORN_OPTS}" ]; then | ||
: ${REGISTRY_ADDR:="localhost:5000"} | ||
: ${BOOT2DOCKER_HOST:="boot2docker.local"} | ||
: ${BOOT2DOCKER_IP:="192.168.59.103"} | ||
cat <<EOF > /ssl/ssl.conf | ||
[req] | ||
distinguished_name = req_distinguished_name | ||
[req_distinguished_name] | ||
[v3_ca] | ||
basicConstraints = critical, CA:true, pathlen:0 | ||
keyUsage = critical, keyCertSign | ||
subjectAltName = @alt_names | ||
[v3_req] | ||
basicConstraints = critical, CA:false | ||
keyUsage = critical, digitalSignature | ||
extendedKeyUsage = critical, serverAuth | ||
nsCertType = server | ||
subjectAltName = @alt_names | ||
[alt_names] | ||
DNS.1 = localhost | ||
DNS.2 = ${BOOT2DOCKER_HOST} | ||
IP.1 = 127.0.0.1 | ||
same here
||
IP.2 = ${BOOT2DOCKER_IP} | ||
EOF | ||
echo 01 > /ssl/ca.srl | ||
openssl req -subj "/CN=Local CA" -config /ssl/ssl.conf -extensions v3_ca -new -x509 -days 365 -newkey rsa:2048 -nodes -keyout /ssl/ca.key -out /ssl/ca.crt && chmod 600 /ssl/ca.key | ||
openssl req -subj "/CN=Local Docker registry" -config /ssl/ssl.conf -reqexts v3_req -new -newkey rsa:2048 -nodes -keyout /ssl/registry.key -out /ssl/registry.csr && chmod 600 /ssl/registry.key | ||
openssl x509 -req -extfile /ssl/ssl.conf -extensions v3_req -days 365 -in /ssl/registry.csr -CA /ssl/ca.crt -CAkey /ssl/ca.key -out /ssl/registry.cert | ||
chmod 600 both of the .key files
Done
||
mkdir -p /certs.d/${REGISTRY_ADDR} | ||
cp /ssl/ca.crt /certs.d/${REGISTRY_ADDR}/ | ||
SSL_VERSION=$(python -c 'import ssl; print ssl.PROTOCOL_TLSv1') | ||
: ${GUNICORN_OPTS:="['--certfile','/ssl/registry.cert','--keyfile','/ssl/registry.key','--ca-certs','/ssl/ca.crt','--ssl-version','$SSL_VERSION','--log-level','debug']"} | ||
fi | ||
|
||
export GCS_BUCKET BOTO_PATH GUNICORN_OPTS | ||
exec "$@" |
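Review bot: `--ssl-version` is derived from `ssl.PROTOCOL_TLSv1`, which makes gunicorn accept TLS 1.0 only, so any client that has TLS 1.0 disabled cannot connect to the generated-cert registry at all; consider basing `SSL_VERSION` on a newer protocol constant or letting it be overridden through an environment variable, as `REGISTRY_ADDR`, `BOOT2DOCKER_HOST` and `BOOT2DOCKER_IP` already can be. Two smaller points in the same hunk: the default `GUNICORN_OPTS` still ends with `'--log-level','debug'` (the later "run: remove gunicorn debug" commit is not part of this 14-commit view), and `echo 01 > /ssl/ca.srl` can be dropped in favour of `-CAcreateserial` on the `openssl x509 -req` line. The `chmod 600` on both `.key` files and the change from `exec docker-registry $*` to `exec "$@"` look right.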
@proppy this is hardcoded, isn't it?
yes, because when we generate the cert we really only care about localhost/boot2docker.
If you want to support an arbitrary hostname you should bring your own cert for now.
See also #33 for later