Setting up a Private Registry for Confidential Computing Secure Build

  1. Create a self-signed server certificate. The subjectAltName must be the IP address (or hostname) at which the Secure Build server will reach the registry, because that is what the TLS client validates; 150.240.76.1 below is a placeholder. Create the certs directory first. The -addext option needs OpenSSL 1.1.1 or later, and certs/domain.key is the registry's private key, so keep it readable only by the registry.

     openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -addext "subjectAltName = IP:150.240.76.1" -x509 -days 365 -out certs/domain.crt
     

    The following message appears:

    "You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN."

    "There are quite a few fields but you can leave some blank. For some fields, there will be a default value, however, if you enter '.', the field will be left blank."

  2. Enter the details to be incorporated into the certificate:

    "Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name (for example, the server FQDN or your name), and Email Address"

  3. Convert the certificate to a single-line base64 string. This is the value for the cacerts entry of the workload file (see the sample below). The -i option is the macOS form; with GNU coreutils use base64 -w0 certs/domain.crt instead.

    base64 -i certs/domain.crt | tr -d '\n'
     
  4. Create the credentials file with the htpasswd tool from the httpd image. -B selects bcrypt, which is the only hash format the registry accepts. Create the auth directory first.

    docker run --rm --entrypoint htpasswd httpd:2 -Bbn testuser testpassword > auth/htpasswd
     
  5. Create a registry using the token.

    docker run -d \
       -p 5000:5000 \
       --restart=always \
       --name registry \
       -v "$(pwd)"/auth:/auth \
       -e "REGISTRY_AUTH=htpasswd" \
       -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
       -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
       -v "$(pwd)"/certs:/certs \
       -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
       -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
       registry:2
     
    Note: Confirm that the registry is running before you push the image:

    docker ps

    CONTAINER ID   IMAGE        COMMAND                  CREATED         STATUS         PORTS                    NAMES
    8cdf3075bd9f   registry:2   "/entrypoint.sh /etc…"   7 seconds ago   Up 6 seconds   0.0.0.0:5000->5000/tcp   registry
     
  6. Push the SBS image into the registry.

    a. Log in to the registry with the username and password from Step 4. Give the registry as host:port, without an http:// prefix. The Docker daemon treats registries on 127.0.0.0/8 as insecure, so the self-signed certificate is accepted for localhost. To push from another host, or to the IP in the certificate's subjectAltName, first copy certs/domain.crt to /etc/docker/certs.d/<ip>:5000/ca.crt on the pushing host so the daemon trusts it.

    docker login -u testuser localhost:5000

    b. Tag the image with the registry host and port. The port is part of the image name; a tag of localhost/... without :5000 would point at localhost on the default port, not at this registry.

    docker tag hpsb-secure-docker-build:1.3.0.21 localhost:5000/hpsb-secure-docker-build:1.3.0.21

    c. Push the image:

    docker push localhost:5000/hpsb-secure-docker-build:1.3.0.21
     
  7. View the pushed docker images. Both tags share the same image ID, which confirms that the image in the private registry is the one pulled from de.icr.io.

    docker images

    REPOSITORY                                            TAG        IMAGE ID       CREATED      SIZE
    localhost:5000/hpsb-secure-docker-build               1.3.0.21   d0678be8e75c   7 days ago   2.63GB
    de.icr.io/zaas-hpvsop-prod/hpsb-secure-docker-build   1.3.0.21   d0678be8e75c   7 days ago   2.63GB

    Here is a sample workload file. The workload section is shown in its encrypted form (hyper-protect-basic. prefix); the env section is plaintext. The cacerts certificate is the base64 string from Step 3, and the seed must be at least 15 characters.

    workload: hyper-protect-basic.Dkz/tPLen9ZF8/sLRUH19RdKC6Z9aT8XZh1xbClnbLOyZzu**************dVaeXiR0+OBa0IZg==
    env: |
      type: env
      logging:
        logRouter:
          hostname: <host name of the service instance>
          iamApiKey: <iamApiKey of the service instance>
          port: <port of the service instance (443)>
      cacerts:
        - certificate: "<base64 certificate from Step 3>"
      volumes:
        hpsb:
          seed: "seed_value_with_minimum_15_characters"

    The keys below belong to the workload section and are shown in plaintext. For a private registry, the auths key and the registry value use the same ip:port as the certificate's subjectAltName from Step 1 (the sample's 150.238.70.28 is another placeholder; in a real file it is the address from Step 1), and the username and password are exactly the ones written to auth/htpasswd in Step 4. For Docker Hub, use docker.io as the auths key and docker.io/<name>/<image> as the registry value.

    auths:
      "150.238.70.28:5000":
        password: testpassword
        username: testuser
    env:
      CLIENT_CRT: "LS0tLS1C0FUR*********S0tLS0tCg=="
      CLIENT_CA: "LS0tLS1CRNFUlR***********JRklDQVRFLS0tLS0K"
      SERVER_CRT: "LS0tLS1Ca0Z5Ylh*************EREFLQmdOVkJBb0FURS0tLS0tCg=="
      SERVER_KEY: "LS0tLS1CRUdJTiBQR***********1AgR1AgTUVTU0FHRS0tLS0tCg=="
      registry: "150.238.70.28:5000/hpsb-secure-docker-build"
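Steps 1 to 7 as one script, added here as an example; it is not part of the IBM documentation or the product. It assumes OpenSSL 1.1.1 or later, docker and curl on the host, the daemon's per-registry trust store at /etc/docker/certs.d, and the placeholder values from this page (150.240.76.1, testuser/testpassword, hpsb-secure-docker-build:1.3.0.21); the function names are mine. Beyond the page it adds two checks a practitioner wants: that the registry refuses anonymous requests and accepts authenticated ones over TLS validated against the generated certificate, and that the ip:port written into the workload file's auths key matches the certificate's subjectAltName, which is the mismatch the sample above would produce if copied literally.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): steps 1-7 of the page as one script,
# plus two checks the page leaves out. Assumptions: OpenSSL >= 1.1.1, docker and curl on
# the host, and placeholder values taken from the page. Function names are mine.
set -eu

REGISTRY_IP="${REGISTRY_IP:-150.240.76.1}"      # placeholder IP from the page
REGISTRY_PORT="${REGISTRY_PORT:-5000}"
REG_USER="${REG_USER:-testuser}"
REG_PASS="${REG_PASS:-testpassword}"
IMAGE="${IMAGE:-hpsb-secure-docker-build:1.3.0.21}"
WORKDIR="${WORKDIR:-$PWD/registry}"

# Step 1: self-signed server cert. -subj avoids the interactive DN prompts; the SAN must be
# the address the Secure Build server will dial, because that is what TLS validates.
make_cert() { # make_cert <dir> <ip>
  mkdir -p "$1/certs"
  openssl req -newkey rsa:4096 -nodes -sha256 -subj "/CN=$2" \
    -addext "subjectAltName = IP:$2" \
    -keyout "$1/certs/domain.key" -x509 -days 365 -out "$1/certs/domain.crt"
  chmod 600 "$1/certs/domain.key"
}

# Print the IP SAN of a certificate, e.g. "IP Address:150.240.76.1".
cert_san() { # cert_san <crt>
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'IP Address:[0-9.]*'
}

# Step 3: single-line base64 for the cacerts entry (GNU and BSD base64 both wrap by default).
cert_b64() { # cert_b64 <crt>
  base64 < "$1" | tr -d '\n'
}

# Workload-file consistency check: the auths key / registry prefix must carry the same IP
# as the certificate SAN, otherwise the build server's TLS handshake fails.
registry_matches_cert() { # registry_matches_cert <ip:port> <crt>
  [ "$(cert_san "$2")" = "IP Address:${1%:*}" ]
}

# Step 4: bcrypt htpasswd entry (the registry accepts only bcrypt), via the httpd image.
make_htpasswd() { # make_htpasswd <dir> <user> <pass>
  mkdir -p "$1/auth"
  docker run --rm --entrypoint htpasswd httpd:2 -Bbn "$2" "$3" > "$1/auth/htpasswd"
}

# Step 5: registry with TLS and basic auth.
start_registry() { # start_registry <dir> <port>
  docker run -d --restart=always --name registry -p "$2:5000" \
    -v "$1/auth:/auth" -v "$1/certs:/certs" \
    -e REGISTRY_AUTH=htpasswd -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
}

# The docker daemon trusts a registry-specific CA from /etc/docker/certs.d/<host:port>/ca.crt;
# needed when pushing to the routable IP (127.0.0.0/8 is treated as insecure and needs nothing).
trust_cert() { # trust_cert <ip:port> <crt>   (run as root)
  mkdir -p "/etc/docker/certs.d/$1"
  cp "$2" "/etc/docker/certs.d/$1/ca.crt"
}

# Step 6: log in, tag with host:port (the port is part of the image name), push.
push_image() { # push_image <ip:port> <image:tag> <user> <pass>
  printf '%s' "$4" | docker login -u "$3" --password-stdin "$1"
  docker tag "$2" "$1/$2"
  docker push "$1/$2"
}

# Check: anonymous access is refused (401) and authenticated access works, with the TLS
# chain validated against our own certificate rather than skipped with -k.
verify_registry() { # verify_registry <ip:port> <crt> <user> <pass>
  code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$2" "https://$1/v2/")
  [ "$code" = 401 ] || { echo "expected 401 without credentials, got $code" >&2; return 1; }
  curl -sf --cacert "$2" -u "$3:$4" "https://$1/v2/_catalog"
}

main() {
  hp="$REGISTRY_IP:$REGISTRY_PORT"
  make_cert "$WORKDIR" "$REGISTRY_IP"
  make_htpasswd "$WORKDIR" "$REG_USER" "$REG_PASS"
  start_registry "$WORKDIR" "$REGISTRY_PORT"
  trust_cert "$hp" "$WORKDIR/certs/domain.crt"
  sleep 2
  push_image "$hp" "$IMAGE" "$REG_USER" "$REG_PASS"
  verify_registry "$hp" "$WORKDIR/certs/domain.crt" "$REG_USER" "$REG_PASS"
  registry_matches_cert "$hp" "$WORKDIR/certs/domain.crt"
  printf 'cacerts value for the workload file:\n%s\n' "$(cert_b64 "$WORKDIR/certs/domain.crt")"
}

# Run the whole procedure only with "run", so the functions can be sourced or checked alone.
if [ "${1:-}" = run ]; then main; fi
```

Run it as root with REGISTRY_IP set to the address the Secure Build server will use: sh setup-registry.sh run. The last line of output is the string for the cacerts entry, and registry_matches_cert is the check to repeat against whatever ip:port you end up writing into the auths key.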