docker registry template TLS support (#441)

* docker registry template initial commit

* fixed typo

* docker registry template TLS support
This commit is contained in:
Javier Darsie 2019-06-13 14:17:57 -07:00 committed by vikasnav
Parent 1c37af337e
Commit f79f9b561b
3 changed files: 78 additions and 19 deletions


@ -1,23 +1,41 @@
# Docker Registry on Azure Stack
This template deploys an unsecure (no TLS encryption) docker registry that uses an existing Azure Stack storage account to persist your container images.
This template deploys a docker registry that uses an existing Azure Stack storage account to persist your container images.
This template is just for illustrative purposes only and it is **not** recommended for production environments.
## Prerequisites
1. Ubuntu Server 16.04 is syndicated from Azure Stack's Marketplace
2. Custom Script Extensions for Linux 2.0 is syndicated from Azure Stack's Marketplace
3. A storage account where persist container images
2. Custom Script Extensions for Linux 2.0 is syndicated from Azure Stack's Marketplace
3. A storage account to persist container images
4. A Key Vault instance [enabled for deployment](https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-key-vault-push-secret-into-vm#create-a-key-vault-secret)
5. A X509 certificate and its private key stored as a Key Vault [secret](https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-key-vault-manage-portal#create-a-secret)
## Setup
Like most web servers, your docker registry will need a X509 certificate to create a HTTPS channel. To automate the registry deployment process, this template assumes that your certificate and its corresponding private key are stored in a Key Vault instance as a PFX archive.
If your are planning to use `let's encrypt` as your CA, then the `certbot` client can generate the required files for you:
```bash
certbot certonly --standalone -d registry.example.com --email user@example.com
```
After that, you can create the `.pfx` archive with the following command
```bash
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
```
Remember to keep around the certificate fingerprint as the template requires it as an input parameter:
```bash
openssl x509 -in cert.crt -noout -fingerprint | cut -d= -f2 | sed 's/://g'
```
## Usage
### HTTP Registries
You have to explicitly allow your docker client access to unsecure registries before you can use interact with it.
That can be done by adding a new entry to `insecure-registries` in your `daemon.json` configuration file. More information [here](https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry).
### Populate your Registry
Your registry can store images you produce yourself or images from any public registry. The only requirement is to apply the appropriate [tag](https://docs.docker.com/engine/reference/commandline/tag/#tag-an-image-for-a-private-repository) to the images.
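Review bot: the fingerprint command in the Setup section reads `cert.crt`, but the certbot run just above it produces `cert.pem` (with `privkey.pem` and `chain.pem`), so the command as written fails with a file-not-found error; suggest `openssl x509 -in cert.pem -noout -fingerprint -sha1 | cut -d= -f2 | sed 's/://g'`, and say explicitly that the value must be the SHA-1 thumbprint as hex digits without colons, because the provisioning script uses it unmodified to locate `<fingerprint>.crt` and `<fingerprint>.prv` under /var/lib/waagent. The "HTTP Registries" subsection is now stale as well: the description no longer says "unsecure (no TLS encryption)" and the tag example drops port 80, so either remove that subsection or reword it to apply only to deployments that deliberately keep plain HTTP (and fix "unsecure" to "insecure" while there).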
@ -27,13 +45,14 @@ Your registry can store images you produce yourself or images from any public re
docker pull hello-world:latest
# re-tag it using your registry information
# my-registry => Public IP DNS Label
docker tag hello-world:latest my-registry:80/hello-world:latest
docker tag hello-world:latest my-registry/hello-world:latest
# push to your private registry
docker push my-registry:80/hello-world:latest
docker push my-registry/hello-world:latest
```
## Future improvements
- Run multiple containers
- Add KeyVault deployment
- Reduce number of mandatory parameters
- Support/document self signed certs
- Support/document CA issued cert
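Review bot: "Support/document CA issued cert" in Future improvements is exactly what this commit delivers (the Setup section now walks through a Let's Encrypt certificate stored in Key Vault), so drop it from the list and keep only the self-signed item. The re-tag example `my-registry/hello-world:latest` now relies on the docker client defaulting to port 443, which matches the new `-p 443:5000` mapping, but the comment `# my-registry => Public IP DNS Label` should add that this name must also match the certificate subject (`registry.example.com` in the Setup section); otherwise the client rejects the TLS handshake and the user ends up back in the `insecure-registries` workaround.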


@ -79,6 +79,24 @@
"metadata": {
"description": "The subnet address prefix."
}
},
"keyVaultResourceId": {
"type": "string",
"metadata": {
"description": "The Key Vault resource identifier."
}
},
"certificateUrl": {
"type": "string",
"metadata": {
"description": "Absolute URL to the Key Vault secret that stores the pfx certificate."
}
},
"certificateFingerprint": {
"type": "string",
"metadata": {
"description": "The fingerprint of the .crt file."
}
}
},
"variables": {
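Review bot: the description of `certificateFingerprint` ("The fingerprint of the .crt file") is too vague for a value that the provisioning script uses verbatim as a file name on the VM; say "SHA-1 thumbprint of the certificate, hex digits without colons, matching the `<thumbprint>.crt`/`<thumbprint>.prv` names the Linux agent writes under /var/lib/waagent" and point at the README command that produces it. `certificateUrl` should likewise say it is the versioned Key Vault secret URL of the PFX that the `secrets` block hands to `vaultCertificates`, so that a reader understands rotating the certificate means redeploying with a new URL and a new fingerprint together.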
@ -88,7 +106,7 @@
"nicName": "[concat(parameters('virtualMachineName'),'-nic')]",
"nsgName": "[concat(parameters('virtualMachineName'),'-nsg')]",
"pipName": "[concat(parameters('virtualMachineName'),'-pip')]",
"provisionScriptParameters": "[concat('ADMIN_USER_NAME=', parameters('adminUsername'),' REGISTRY_STORAGE_AZURE_ACCOUNTNAME=', parameters('storageAccountName'),' REGISTRY_STORAGE_AZURE_ACCOUNTKEY=', parameters('storageAccountKey'),' REGISTRY_STORAGE_AZURE_CONTAINER=', parameters('storageAccountContainerName'),' REGISTRY_STORAGE_AZURE_REALM=', parameters('storageAccountRealm'))]"
"provisionScriptParameters": "[concat('ADMIN_USER_NAME=', parameters('adminUsername'),' REGISTRY_STORAGE_AZURE_ACCOUNTNAME=', parameters('storageAccountName'),' REGISTRY_STORAGE_AZURE_ACCOUNTKEY=', parameters('storageAccountKey'),' REGISTRY_STORAGE_AZURE_CONTAINER=', parameters('storageAccountContainerName'),' REGISTRY_STORAGE_AZURE_REALM=', parameters('storageAccountRealm'),' CERT_FINGERPRINT=', parameters('certificateFingerprint'))]"
},
"resources": [
{
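Review bot: `CERT_FINGERPRINT` is appended unquoted to a space-separated string, so a fingerprint pasted with colons or stray whitespace (the README's `sed 's/://g'` is the only thing preventing that) silently breaks the script's file lookup; consider normalizing it in the template with `toUpper(replace(parameters('certificateFingerprint'), ':', ''))` or validating it in the script before use. Since this string is being touched anyway: it still carries `REGISTRY_STORAGE_AZURE_ACCOUNTKEY`, so make sure it is passed through the extension's `protectedSettings` rather than `settings`, otherwise the storage key is readable from the deployment history and from the extension's command line on the VM.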
@ -110,7 +128,19 @@
}
]
}
}
},
"secrets": [
{
"sourceVault": {
"id": "[parameters('keyVaultResourceId')]"
},
"vaultCertificates": [
{
"certificateUrl": "[parameters('certificateUrl')]"
}
]
}
]
},
"hardwareProfile": {
"vmSize": "[parameters('virtualMachineSize')]"
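Review bot: nothing ties `certificateUrl` to `certificateFingerprint`; if they describe different certificates the deployment itself succeeds and the mismatch only surfaces later as a failed `mv` in the provisioning script, so the README should state that both values come from the same PFX. Omitting `certificateStore` is correct for a Linux VM (the agent drops `<thumbprint>.crt` and `<thumbprint>.prv` into /var/lib/waagent, which is what the script relies on), but a short comment in the template saying so would save readers used to Windows VMs from adding it.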


@ -5,6 +5,7 @@ echo REGISTRY_STORAGE_AZURE_ACCOUNTNAME: ${REGISTRY_STORAGE_AZURE_ACCOUNTNAME}
echo REGISTRY_STORAGE_AZURE_ACCOUNTKEY: ${REGISTRY_STORAGE_AZURE_ACCOUNTKEY}
echo REGISTRY_STORAGE_AZURE_CONTAINER: ${REGISTRY_STORAGE_AZURE_CONTAINER}
echo REGISTRY_STORAGE_AZURE_REALM: ${REGISTRY_STORAGE_AZURE_REALM}
echo CERT_FINGERPRINT: ${CERT_FINGERPRINT}
UBUNTU_RELEASE=$(lsb_release -r -s)
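Review bot: the new `echo CERT_FINGERPRINT` is harmless (a thumbprint is public), but the line two above it still echoes `REGISTRY_STORAGE_AZURE_ACCOUNTKEY`, and the Custom Script Extension captures stdout into its log directory on the VM; while touching this block, drop that line or mask the value (for example `echo REGISTRY_STORAGE_AZURE_ACCOUNTKEY: ${REGISTRY_STORAGE_AZURE_ACCOUNTKEY:0:4}...`) so the storage secret is not persisted in plain text on disk.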
@ -20,21 +21,28 @@ cp /tmp/microsoft.gpg /etc/apt/trusted.gpg.d/
apt update && apt install moby-engine moby-cli --allow-downgrades -y
# docker post-install
groupadd docker
usermod -aG docker ${ADMIN_USER_NAME}
# add azure stack certs to ca store
CERT_SRC_PATH="/var/lib/waagent/Certificates.pem"
CERT_DST_PATH="/usr/local/share/ca-certificates/azsCertificate.crt"
cp $CERT_SRC_PATH $CERT_DST_PATH
AZS_CERT_SRC_PATH="/var/lib/waagent/Certificates.pem"
AZS_CERT_DST_PATH="/usr/local/share/ca-certificates/azsCertificate.crt"
cp $AZS_CERT_SRC_PATH $AZS_CERT_DST_PATH
update-ca-certificates
# move key vault certs
CRT_FILE="${CERT_FINGERPRINT}.crt"
KEY_FILE="${CERT_FINGERPRINT}.prv"
STORE="/etc/ssl/certs/registry"
mkdir -p $STORE
mv /var/lib/waagent/$CRT_FILE /var/lib/waagent/$KEY_FILE $STORE
# start registry container
# https://docs.docker.com/registry/storage-drivers/azure/
docker run -d \
--name registry \
--restart=always \
-p 80:5000 \
-p 443:5000 \
-v /etc/ssl/certs:/etc/ssl/certs:ro \
-e REGISTRY_STORAGE="azure" \
-e REGISTRY_STORAGE_AZURE_ACCOUNTNAME=${REGISTRY_STORAGE_AZURE_ACCOUNTNAME} \
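Review bot: `mv /var/lib/waagent/$CRT_FILE /var/lib/waagent/$KEY_FILE $STORE` has no error handling and the script shows no `set -e`, so a wrong fingerprint or a vault certificate that never arrived leaves `$STORE` empty while `docker run` still exits 0; the registry then crash-loops under `--restart=always` and the deployment reports success. Guard it with `[ -f /var/lib/waagent/$CRT_FILE ] && [ -f /var/lib/waagent/$KEY_FILE ] || { echo "certificate $CERT_FINGERPRINT not found" >&2; exit 1; }`. The private key is also placed under /etc/ssl/certs, a directory meant for public certificates, and then the whole of /etc/ssl/certs is mounted into the container; keep the key in a root-only location (for example /etc/ssl/private/registry with `chmod 600` on the .prv file) and mount just that directory read-only, e.g. `-v $STORE:/etc/ssl/certs/registry:ro`, rather than the entire system certificate tree.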
@ -42,4 +50,6 @@ docker run -d \
-e REGISTRY_STORAGE_AZURE_CONTAINER=${REGISTRY_STORAGE_AZURE_CONTAINER} \
-e REGISTRY_STORAGE_AZURE_REALM=${REGISTRY_STORAGE_AZURE_REALM} \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_HTTP_TLS_KEY=/etc/ssl/certs/registry/${KEY_FILE} \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/ssl/certs/registry/${CRT_FILE} \
registry:2
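Review bot: TLS is configured now, but there is still no `REGISTRY_AUTH` setting in this `docker run`, so anyone who can reach port 443 on the public IP can push and pull images anonymously; encryption without authentication leaves image contents open to tampering. At minimum add htpasswd auth (`-e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM=Registry -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd` with a bcrypt htpasswd file mounted read-only into the container) and document `docker login` in the README, or restrict source addresses in the NSG the template already creates (`nsgName`).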