Este conteúdo não está disponível no idioma selecionado.
Chapter 4. Using SSL to protect connections to Red Hat Quay
4.1. Using SSL/TLS Copiar o linkLink copiado para a área de transferência!
To configure Red Hat Quay with a self-signed certificate, you must create a Certificate Authority (CA) and then generate the required key and certificate files.
The following examples assume you have configured the server hostname quay-server.example.com
using DNS or another naming mechanism, such as adding an entry in your /etc/hosts
file:
cat /etc/hosts ... 192.168.1.112 quay-server.example.com
$ cat /etc/hosts
...
192.168.1.112 quay-server.example.com
4.2. Creating a certificate authority and signing a certificate Copiar o linkLink copiado para a área de transferência!
Use the following procedures to create a certificate file and a primary key file named ssl.cert
and ssl.key
.
4.2.1. Creating a certificate authority Copiar o linkLink copiado para a área de transferência!
Use the following procedure to create a certificate authority (CA)
Procedure
Generate the root CA key by entering the following command:
openssl genrsa -out rootCA.key 2048
$ openssl genrsa -out rootCA.key 2048
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Generate the root CA certificate by entering the following command:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Enter the information that will be incorporated into your certificate request, including the server hostname, for example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
4.2.2. Signing a certificate Copiar o linkLink copiado para a área de transferência!
Use the following procedure to sign a certificate.
Procedure
Generate the server key by entering the following command:
openssl genrsa -out ssl.key 2048
$ openssl genrsa -out ssl.key 2048
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Generate a signing request by entering the following command:
openssl req -new -key ssl.key -out ssl.csr
$ openssl req -new -key ssl.key -out ssl.csr
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Enter the information that will be incorporated into your certificate request, including the server hostname, for example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create a configuration file
openssl.cnf
, specifying the server hostname, for example:openssl.cnf
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Use the configuration file to generate the certificate
ssl.cert
:openssl x509 -req -in ssl.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ssl.cert -days 356 -extensions v3_req -extfile openssl.cnf
$ openssl x509 -req -in ssl.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ssl.cert -days 356 -extensions v3_req -extfile openssl.cnf
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
4.3. Configuring SSL using the command line interface Copiar o linkLink copiado para a área de transferência!
Use the following procedure to configure SSL/TLS using the command line interface.
Prerequisites
- You have created a certificate authority and signed the certificate.
Procedure
Copy the certificate file and primary key file to your configuration directory, ensuring they are named
ssl.cert
andssl.key
respectively:cp ~/ssl.cert ~/ssl.key $QUAY/config
cp ~/ssl.cert ~/ssl.key $QUAY/config
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Change into the
$QUAY/config
directory by entering the following command:cd $QUAY/config
$ cd $QUAY/config
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Edit the
config.yaml
file and specify that you want Red Hat Quay to handle TLS/SSL:config.yaml
... SERVER_HOSTNAME: quay-server.example.com ... PREFERRED_URL_SCHEME: https ...
... SERVER_HOSTNAME: quay-server.example.com ... PREFERRED_URL_SCHEME: https ...
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Optional: Append the contents of the rootCA.pem file to the end of the ssl.cert file by entering the following command:
cat rootCA.pem >> ssl.cert
$ cat rootCA.pem >> ssl.cert
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Stop the
Quay
container by entering the following command:sudo podman stop quay
$ sudo podman stop quay
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Restart the registry by entering the following command:
sudo podman run -d --rm -p 80:8080 -p 443:8443 \ --name=quay \ -v $QUAY/config:/conf/stack:Z \ -v $QUAY/storage:/datastorage:Z \ registry.redhat.io/quay/quay-rhel8:v3.9.10
$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \ --name=quay \ -v $QUAY/config:/conf/stack:Z \ -v $QUAY/storage:/datastorage:Z \ registry.redhat.io/quay/quay-rhel8:v3.9.10
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
4.4. Configuring SSL/TLS using the Red Hat Quay UI Copiar o linkLink copiado para a área de transferência!
Use the following procedure to configure SSL/TLS using the Red Hat Quay UI.
To configure SSL using the command line interface, see "Configuring SSL/TLS using the command line interface".
Prerequisites
- You have created a certificate authority and signed the certificate.
Procedure
Start the
Quay
container in configuration mode:sudo podman run --rm -it --name quay_config -p 80:8080 -p 443:8443 registry.redhat.io/quay/quay-rhel8:v3.9.10 config secret
$ sudo podman run --rm -it --name quay_config -p 80:8080 -p 443:8443 registry.redhat.io/quay/quay-rhel8:v3.9.10 config secret
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - In the Server Configuration section, select Red Hat Quay handles TLS for SSL/TLS. Upload the certificate file and private key file created earlier, ensuring that the Server Hostname matches the value used when the certificates were created.
- Validate and download the updated configuration.
Stop the
Quay
container and then restart the registry by entering the following command:Copy to Clipboard Copied! Toggle word wrap Toggle overflow
4.5. Testing SSL configuration using the command line Copiar o linkLink copiado para a área de transferência!
Use the
podman login
command to attempt to log in to the Quay registry with SSL enabled:sudo podman login quay-server.example.com
$ sudo podman login quay-server.example.com Username: quayadmin Password: Error: error authenticating creds for "quay-server.example.com": error pinging docker registry quay-server.example.com: Get "https://quay-server.example.com/v2/": x509: certificate signed by unknown authority
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Podman does not trust self-signed certificates. As a workaround, use the
--tls-verify
option:sudo podman login --tls-verify=false quay-server.example.com
$ sudo podman login --tls-verify=false quay-server.example.com Username: quayadmin Password: Login Succeeded!
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Configuring Podman to trust the root Certificate Authority (CA) is covered in a subsequent section.
4.6. Testing SSL configuration using the browser Copiar o linkLink copiado para a área de transferência!
When you attempt to access the Quay registry, in this case, https://quay-server.example.com
, the browser warns of the potential risk:
Proceed to the log in screen, and the browser will notify you that the connection is not secure:
Configuring the system to trust the root Certificate Authority (CA) is covered in the subsequent section.
4.7. Configuring podman to trust the Certificate Authority Copiar o linkLink copiado para a área de transferência!
Podman uses two paths to locate the CA file, namely, /etc/containers/certs.d/
and /etc/docker/certs.d/
.
Copy the root CA file to one of these locations, with the exact path determined by the server hostname, and naming the file
ca.crt
:sudo cp rootCA.pem /etc/containers/certs.d/quay-server.example.com/ca.crt
$ sudo cp rootCA.pem /etc/containers/certs.d/quay-server.example.com/ca.crt
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Alternatively, if you are using Docker, you can copy the root CA file to the equivalent Docker directory:
sudo cp rootCA.pem /etc/docker/certs.d/quay-server.example.com/ca.crt
$ sudo cp rootCA.pem /etc/docker/certs.d/quay-server.example.com/ca.crt
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
You should no longer need to use the --tls-verify=false
option when logging in to the registry:
sudo podman login quay-server.example.com
$ sudo podman login quay-server.example.com
Username: quayadmin
Password:
Login Succeeded!
4.8. Configuring the system to trust the certificate authority Copiar o linkLink copiado para a área de transferência!
Use the following procedure to configure your system to trust the certificate authority.
Procedure
Enter the following command to copy the
rootCA.pem
file to the consolidated system-wide trust store:sudo cp rootCA.pem /etc/pki/ca-trust/source/anchors/
$ sudo cp rootCA.pem /etc/pki/ca-trust/source/anchors/
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Enter the following command to update the system-wide trust store configuration:
sudo update-ca-trust extract
$ sudo update-ca-trust extract
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Optional. You can use the
trust list
command to ensure that theQuay
server has been configured:trust list | grep quay
$ trust list | grep quay label: quay-server.example.com
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Now, when you browse to the registry at
https://quay-server.example.com
, the lock icon shows that the connection is secure:To remove the
rootCA.pem
file from system-wide trust, delete the file and update the configuration:sudo rm /etc/pki/ca-trust/source/anchors/rootCA.pem
$ sudo rm /etc/pki/ca-trust/source/anchors/rootCA.pem
Copy to Clipboard Copied! Toggle word wrap Toggle overflow sudo update-ca-trust extract
$ sudo update-ca-trust extract
Copy to Clipboard Copied! Toggle word wrap Toggle overflow trust list | grep quay
$ trust list | grep quay
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
More information can be found in the RHEL 9 documentation in the chapter Using shared system certificates.